install.sh runs with root permissions #6
Comments
It is in no way "frighteningly reckless", pretty much every piece of
software on a Linux system is installed as root. The install script is
easily scanned to know what it is doing.
As the source is available please feel free to change what is required
to install it where you want.
I do agree that the script could be broken down further into individual
sudo commands, however that wouldn't really solve a lot if you look at
what the script is doing.
Thanks
George
On Tue, 2021-08-24 at 01:17 -0700, hackerb9 wrote:
While it makes everything easier to run as root, it is frighteningly
reckless.
I get that this is designed for a Raspberry Pi and on such a device
running as root may be considered okay. However, h19term should not
be limited to Raspberry Pis.
Looking at the script, for the most part, root permissions aren't
even needed. For example, the installer presumes /usr/local/bin, but
there is no reason h19term couldn't run from the current directory or
be installed in ~/bin.
For the few places where there is no way to run as a normal user,
like locale-gen, you could add sudo before just that command. That
will limit the potential for accidental damage.
Thanks!
I guess we have had different experiences with Unix systems. Perhaps you're used to installing everything as root, but many people don't. For security, I only use root to install the packages that are bundled with my system. Things I download off the Internet can be installed just fine in a user account. Consider Python's 'pip' program which simply downloads all needed components into the user's home directory.
If you're set in your ways, I don't want to waste your time. But I do wish I understood better where you are coming from.
The phrase, "pretty much every piece of software on a Linux system is installed as root" sticks out to me. Are you thinking about the packages included in Linux distributions? Perhaps you don't see any difference in the trustworthiness of your operating system's package managers and random source code you found online? Or, maybe you come from a computing culture where running as Admin was necessary to install even the programs you compiled yourself?
In Unix, while most programs default to requiring root to write to /usr/local/, they give you a simple compile time option, like I could just be extraordinarily ignorant (that's often been the case), but I am having a hard time thinking of any user program that absolutely requires root to install. Maybe I just use different software than you do? I tend to not run proprietary software, is that it? I'm also late to the scene with Raspberry Pi and its culture seems to have a different attitude towards security than typical UNIX systems.
I am sorry we don't agree on the severity of this issue, but I am genuinely curious where you are coming from, if you're willing to tell me. (As I said, a lot can be chalked up to my ignorance.)
While it makes everything easier to run as root, it is frighteningly reckless.
I get that this is designed for a Raspberry Pi and on such a device running as root may be considered okay. However, h19term should not be limited to Raspberry Pis.
Looking at the script, for the most part, root permissions aren't even needed. For example, the installer presumes /usr/local/bin, but there is no reason h19term couldn't run from the current directory or be installed in ~/bin.
For the few places where there is no way to run as a normal user, like locale-gen, you could add sudo before just that command. That will limit the potential for accidental damage.
Thanks!
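The split this issue proposes, as an added example that is not h19term's install.sh and not code from anyone in the thread: a hypothetical installer that defaults to a per-user prefix and calls sudo only for a copy into a prefix the user cannot write to and for locale-gen. PREFIX, the function names and the en_US.UTF-8 default are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical least-privilege installer, not h19term's install.sh.
# PREFIX, the program path and the locale name are assumptions.
set -eu

PREFIX="${PREFIX:-$HOME/.local}"   # per-user default; PREFIX=/usr/local to override

# Succeeds when the directory (or its nearest existing parent) is NOT writable
# by the current user, i.e. writing there would need elevation.
needs_root() {
    dir=$1
    while [ ! -e "$dir" ]; do dir=$(dirname "$dir"); done
    [ ! -w "$dir" ]
}

# Copy one program into <prefix>/bin with mode 0755. Elevate for that single
# copy only, and only when the target is not user-writable.
install_program() {
    src=$1
    bindir=$2/bin
    if needs_root "$bindir"; then
        sudo install -D -m 0755 "$src" "$bindir/$(basename "$src")"
    else
        mkdir -p "$bindir"
        install -m 0755 "$src" "$bindir/$(basename "$src")"
    fi
}

# Succeeds when the locale is already listed by `locale -a`, which prints
# names such as en_US.utf8, so compare lowercased and without dashes.
have_locale() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/-//g')
    locale -a 2>/dev/null | tr 'A-Z' 'a-z' | sed 's/-//g' | grep -qxF "$want"
}

# Generate the locale only if it is missing; the one step that must be root.
ensure_locale() {
    have_locale "$1" && return 0
    sudo locale-gen "$1"   # assumes a locale-gen that accepts a locale name
}

# Refuse a blanket root run so a script bug cannot touch the whole system.
main() {
    [ "$(id -u)" -ne 0 ] || { echo "run as a normal user; sudo is used per step" >&2; return 1; }
    install_program "$1" "$PREFIX"
    ensure_locale "${2:-en_US.UTF-8}"
}

[ $# -eq 0 ] || main "$@"
```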