reynhout / chrx

Chromebook Unix

chrx will fail to run once cros starts disallowing shell scripts on noexec mounts #75

Closed dnschneid closed 4 years ago

dnschneid commented 5 years ago

See the cros-dev thread.

Basically, chrx needs to update the wrapper script to ensure the downloaded script executes out of a mount marked exec, and the README and various internet tutorials will need to be updated in a similar way to crouton as discussed in the thread.

reynhout commented 5 years ago

@dnschneid Thanks very much for the heads-up!

We use a few different execution environments in chrx (direct, sh, source, chroot), so we may need multiple fixes. And as you mention, likely also the README and one-liner, which is the worst part.

Thanks again!

dragon788 commented 5 years ago

I've been logging in as chronos and using sudo su - and then cd /tmp; curl -Os https://chrx.org/go; sh go #[-options]. Not sure if /tmp would be affected by this change or if chrx uses the directory where it was originally downloaded as the "base of operations"?

The easy way to do this is to use readlink or $BASH_SOURCE[0] to figure out where the script was called from and export SCRIPT_BASE_DIR="$(dirname $SCRIPT_ABSOLUTE_PATH)", but if they switch to dash like I think I read in the cros-dev thread, readlink might be the more robust/POSIX option if it is available.

reynhout commented 4 years ago

@dragon788 It appears that /tmp is mounted noexec, so will also be affected.

The Google-suggested method is to install files into /usr/local. This is reasonable, but makes it difficult to construct a humane one-liner for the chrx docs.

My current best-attempt is this:

curl https://chrx.org/ | sudo tar xzfC - /usr/local && chrx

Suggestions welcome! :)
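
The relocation that dnschneid and reynhout describe above (run the downloaded script out of an exec mount, with /usr/local as the Google-suggested target), as an added example that is not chrx's own code: a POSIX sh wrapper that looks up the mount holding a path in a /proc/mounts-style table, treats it as unrunnable when the options carry noexec, and otherwise installs the script under /usr/local before executing it. It goes a little beyond the thread in checking any path against any mount table. The mount table is constructed for the example (a real ChromeOS layout differs), and the function names and the /usr/local/bin destination are assumptions, not chrx's.

```sh
#!/bin/sh
# Added example, not part of chrx. Decide whether a downloaded script sits on
# a noexec mount and, if so, move it to an exec mount before running it.

# A /proc/mounts-style table, constructed for this example (a real ChromeOS
# device differs). Fields: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext2 ro,seclabel,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p1 /mnt/stateful_partition ext4 rw,seclabel,nosuid,nodev,noexec 0 0
/dev/mmcblk0p1 /usr/local ext4 rw,seclabel,nosuid,nodev,relatime 0 0
/dev/mmcblk0p1 /home/chronos ext4 rw,seclabel,nosuid,nodev,noexec,relatime 0 0'

# mount_opts_for PATH: print the options of the longest mount point that
# contains PATH, reading the mount table from stdin. Later lines win ties,
# matching how the kernel lists stacked mounts.
mount_opts_for() {
    awk -v path="$1" '
    {
        mp = $2
        if (path == mp || mp == "/" || index(path, mp "/") == 1) {
            if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
        }
    }
    END { print best }'
}

# is_noexec PATH: succeed when PATH is on a mount whose options include noexec.
is_noexec() {
    opts=$(mount_opts_for "$1")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# choose_exec_dir DIR...: print the first directory that is not on a noexec
# mount, or fail if none qualifies. The table is read once into a variable
# because every candidate needs its own pass over it.
choose_exec_dir() {
    table=$(cat)
    for d in "$@"; do
        if ! printf '%s\n' "$table" | is_noexec "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# run_relocated SCRIPT [ARGS...]: what the wrapper would do on a real device.
# Uses the live /proc/mounts and needs sudo, so it is not exercised below.
# Destination /usr/local/bin is an assumption for this example.
run_relocated() {
    script=$(readlink -f "$1"); shift
    if is_noexec "$script" </proc/mounts; then
        dest=$(choose_exec_dir /usr/local/bin </proc/mounts) || return 1
        sudo install -d "$dest" || return 1
        sudo install -m 0755 "$script" "$dest/" || return 1
        script="$dest/$(basename "$script")"
    fi
    "$script" "$@"
}

# Demonstration against the constructed table.
for p in /tmp/go /home/chronos/user/go /usr/local/bin/chrx; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec "$p"; then
        echo "$p: noexec mount, relocate before running"
    else
        echo "$p: exec mount, safe to run in place"
    fi
done
```

On a device the table comes from /proc/mounts, as run_relocated shows; the noexec check itself is enforced by the ChromeOS shell, so the wrapper's only job is to stop tripping it. Copying a script to an exec mount does not make it any more trustworthy than it was in /tmp, so the usual caution about piping curl output into a shell still applies.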

espoelstra commented 4 years ago

Will the chrx execution there need sudo as well to avoid prompting the user later or will it just take advantage of the sudo caching behavior if it has any internal sudo calls?

reynhout commented 4 years ago

@espoelstra The chrx script is a wrapper which runs the install script under sudo. Since the user will have just auth'ed for the tar, it will be cached.

Unfortunately, I don't think we will be able to suppress the ~"This is your first time using sudo, don't do bad things" warning any more.

mjonsson1986 commented 4 years ago

So how to run chrx these days? The chrx script is denied to run on a noexec mount or something. Tried with sudo, same result.

espoelstra commented 4 years ago

I think the best route might be to steal the syntax from Crouton where they download the file then sudo install -m 0755 /usr/local/bin chrx so that you can execute it as your user with or without sudo (though sudo is required for some things).

reynhout commented 4 years ago

Ah, so Google finally threw the switch..?

I updated chrx several months ago in anticipation of this day, but I've only tested on a few machines.

You can try the prerelease version with:

curl https://chrx.org/dev | sudo tar xzfC - /usr/local && chrx

Add any required options (-U username, etc) to the end of the command line.

spoelstraethan commented 4 years ago

The https://chrx.org/go script does appear to still work, but the non-go and dev versions don't have the warnings all over the place.

chronos@localhost / $ cd ; curl -Os https://chrx.org/go && sh go
sh: 0: go: warning: script from noexec mount; see https://chromium.googlesource.com/chromiumos/docs/+/master/security/noexec_shell_scripts.md

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

./chrx-install: warning: ./chrx-install: warning: script from noexec mount; see https://chromium.googlesource.com/chromiumos/docs/+/master/security/noexec_shell_scripts.md
chrx installer, version 2.7

    Hardware ID: LULU_Dxxxxxxxxxxxxxxx
    Model:       Dell Chromebook 13 (7310)
    Released:    2015
    CPU Family:  Intel Broadwell
    Prognosis:   success likely, model is well-tested

Checking hardware support for legacy boot...  OK
./chrx-install: line 858: warning: ./chrx-setup-storage: warning: script from noexec mount; see https://chromium.googlesource.com/chromiumos/docs/+/master/security/noexec_shell_scripts.md
Setting up target disk /dev/sda partitions...

Installing to /dev/sda7...
Preparing installation root directory /tmp/chrxroot

spoelstraethan commented 4 years ago

I got an error on the above possibly because I had canceled the initial install with Ctrl+C, but after a reboot even with the noexec errors it still worked and performed the installation. Possibly because Developer Mode has slightly different rules on the execution? I'll factory reset again and try using just the tar installations and see if anything behaves differently.

spoelstraethan commented 4 years ago

OK, I just double checked the cros-dev thread again and it looks like the old chrx.org/go method will probably be a hard failure in r82. The new method seems to be pretty solid, but I'll try jumping to the Beta/Dev channel and see if I can see the hard failure.

i've landed changes to dash for R82 so that the noexec check is now a hard failure under dash. people will still see the error message pointing to the docs, but the script will stop executing at that point. https://groups.google.com/a/chromium.org/d/msg/chromium-os-dev/X3SSyk6mFDY/mGzswvsBAwAJ

spoelstraethan commented 4 years ago

Just confirmed by switching to the Dev channel on Lulu (which as of 3/14/2020 is r82) that the current instructions with the go script no longer work, but the tar instructions work great, both the chrx.org and chrx.org/dev variants.

@reynhout do you want a PR updating all the instances of the old syntax to the new, or do you already have a branch that just needs to be pushed or a PR opened from it?

reynhout commented 4 years ago

A new version of chrx, with ChromeOS R82-compatible installation instructions, is released. Thanks for the early warning to @dnschneid , and for the help and suggestions from all!