[GH-ISSUE #129] offline version of the script #455

Closed
opened 2026-03-12 15:46:15 +03:00 by kerem · 6 comments
Owner

Originally created by @ageev on GitHub (Nov 16, 2023).
Original GitHub issue: https://github.com/007revad/Synology_enable_M2_volume/issues/129

Hi,

I don't like the idea that your script downloads and executes a .sh file with root privileges on my NAS every time it shuts down.

If one day this repo is compromised – thousands of devices may be destroyed.

Is it possible to create an "offline" version of this script?

Regards,
Artyom

kerem closed this issue 2026-03-12 15:46:21 +03:00

@007revad commented on GitHub (Nov 16, 2023):

Thanks for your concern and feedback Artyom.

The script only downloads a new version of the script if both the following are true:

  • There is a newer version available.
  • The user ran the script with the --autoupdate option.

If you don't run it with the --autoupdate option it only asks if you want to download the new version. If you don't answer yes within 10 seconds the script skips downloading the newer version and runs as normal.

Synology_enable_M2_volume only needs to be run after a DSM update.

The few instances of GitHub hacking that I'm aware of are where hackers:

  1. Used repositories' old usernames after the maintainers had changed their username.
  2. Cloned repositories and changed the name to a different name that looked similar.

To avoid scenario 1 I will never change my GitHub username.

Scenario 2 can't affect the script updating itself because it uses the real repository name to download any updates.

Of course there could be some new hack in future, so your concern is valid if the --autoupdate option is used.


@ageev commented on GitHub (Nov 16, 2023):

Thank you for the detailed answer

This part of the script tries to download the binary even without the --autoupdate option, if I read it correctly:

```bash
if ! which bc >/dev/null ; then
    # Download bc
    echo -e "\nDownloading bc"
    curl -kL "https://raw.githubusercontent.com/${repo}/main/bin/bc" -o /tmp/bc
fi
```

Can you please make sure that any binary download event will happen only if user directly requested it (for example, via an argument)?

There is also a 3rd hacking option missing: your account was hacked and used to spread the malware.


@007revad commented on GitHub (Nov 16, 2023):

I just created a pre-release version v1.1.11-RC (https://github.com/007revad/Synology_enable_M2_volume/releases/tag/v1.1.11-RC) that:

  • Now only downloads bc if bc is not found in PATH or in the script location.
  • Now asks before downloading bc (if the --autoupdate option is not used).

If you want to compare the changes see: https://github.com/007revad/Synology_enable_M2_volume/commit/03bdf0b2d142cfb2cf252840ab59f0bf6430d1f3


@007revad commented on GitHub (Nov 16, 2023):

> There is also a 3rd hacking option missing: your account was hacked and used to spread the malware.

I previously googled for "github repository hacked". Searching just now for "github account hacked" found lots of results! Looks like I've got some reading to do.

I use 2-factor authentication on my GitHub account and I am the only person with access, and the authority to approve pull requests. My access token is limited to downloading only, so if someone got into my computer and found the access token they couldn't push any updates to my repos.


@ageev commented on GitHub (Nov 17, 2023):

Thank you for the prompt response on this issue. The changes you did cover the issue described.

A lot of companies (for example, Dropbox: https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/) were hacked due to GitHub-themed phishing recently. I may advise you to use a Yubikey (or similar) FIDO token as a 2nd auth factor. Way more reliable than OTP/SMS. Google's phishing test (https://phishingquiz.withgoogle.com/) is a good starting point to test yourself.


@007revad commented on GitHub (Nov 21, 2023):

@ageev
I've just released v1.1.13 (https://github.com/007revad/Synology_enable_M2_volume/releases/tag/v1.1.13) which includes checking the md5 hash of the downloaded file.

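The thread above works through three hardening steps for a script that fetches a helper binary at runtime: download only when the user actually asked (the --autoupdate flag or a yes within 10 seconds), download bc only when it is neither in PATH nor next to the script, and check a hash of what was downloaded before using it. The following is an added example that puts those three steps together in shell; it is not code from Synology_enable_M2_volume, and the function names (locate_bc, should_download, verify_file_hash, install_verified, download_bc), the placeholder URL and the placeholder hash are all assumptions made for the example. It goes slightly beyond the thread by accepting either an MD5 or a SHA-256 expected value, chosen by the length of the string.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script. Function names, URL and hash
# are assumptions/placeholders for illustration only.

# 1. Only download bc if it is not already in PATH or next to the script.
#    Prints the path of the bc that was found; returns 1 if none was found.
locate_bc() {
    local script_dir="$1" found
    if found=$(command -v bc 2>/dev/null); then
        printf '%s\n' "$found"
        return 0
    fi
    if [ -x "$script_dir/bc" ]; then
        printf '%s\n' "$script_dir/bc"
        return 0
    fi
    return 1
}

# 2. Download only when the user asked for it: either --autoupdate was given
#    ("1"), or the user answers y within 10 seconds. No answer means no download.
should_download() {
    local autoupdate="$1" answer=""
    if [ "$autoupdate" = "1" ]; then
        return 0
    fi
    printf 'bc not found. Download it from the repository? [y/N] (10s) ' >&2
    if [ -n "${BASH_VERSION:-}" ]; then
        read -r -t 10 answer || return 1   # bash: 10-second timeout
    else
        read -r answer || return 1         # plain sh has no read -t; waits for input
    fi
    case "$answer" in
        y|Y|yes|YES) return 0 ;;
        *)           return 1 ;;
    esac
}

# 3. Compare a downloaded file against a hash that ships inside the script.
#    A 32-hex-char expected value is treated as MD5 (what the thread describes);
#    a 64-hex-char value as SHA-256, the stronger choice for new releases.
verify_file_hash() {
    local file="$1" expected="$2" actual
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case "${#expected}" in
        32) actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        64) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)  echo "unsupported hash length ${#expected}" >&2; return 2 ;;
    esac
    [ "$actual" = "$expected" ]
}

# 4. Install only a verified file; a file that fails the check is deleted, never executed.
install_verified() {
    local tmp="$1" expected="$2" dest="$3"
    if verify_file_hash "$tmp" "$expected"; then
        chmod 0755 "$tmp" && mv "$tmp" "$dest"
    else
        echo "hash mismatch for $tmp, discarding" >&2
        rm -f "$tmp"
        return 1
    fi
}

# The full decision, in order: found locally -> consent -> fetch -> verify -> install.
# curl is called without -k, so the server certificate is checked; --proto '=https'
# refuses any redirect away from HTTPS.
download_bc() {
    local script_dir="$1" autoupdate="$2" url="$3" expected="$4" tmp
    if locate_bc "$script_dir" >/dev/null; then
        return 0
    fi
    should_download "$autoupdate" || return 1
    tmp=$(mktemp) || return 1
    curl -fsSL --proto '=https' "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    install_verified "$tmp" "$expected" "$script_dir/bc"
}
```

Usage would be `download_bc "$(dirname "$0")" "$autoupdate" "$url" "$expected_hash"` from the script's argument handling, with `$expected_hash` hard-coded in the script for that release rather than fetched from the same repository as the binary; a hash that is downloaded alongside the file only proves the download was not corrupted, not that it is the file the author published. The excerpt quoted earlier in the thread uses `curl -kL`, and `-k` turns off certificate verification, so the example deliberately leaves it out.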