Security concern into install script provided

[Tocard]

Hello.

Into install docs there is a script provided

curl -sf -L https://packages.ternoa.network/ternoa/installer -o installer.sh
sudo chmod +x installer.sh
sudo ./installer.sh

but this script do have security issue and bad practice into it.
I'm not able to adress a pull request to fix it actually, since i'm not able to inf the source code of it.

If it's possible to open a pull request to do it, I would love to do it but please fix this asap.

The script do not create anymore a user with root privilege and run the node with root group. It have been updated since.

#!/bin/bash
PACKAGE_ROOT="${PACKAGE_ROOT:-"https://packages.ternoa.network/ternoa"}"
OS=""
OS_VERSION=""
TERNOA_ENV="mainnet"
TERNOA_VERSION="1.3.1"

# Detect the platform 
 if cat /etc/*release | grep ^NAME | grep CentOS; then
    echo "==============================================="
    echo "Installing ternoa validator on CentOS not available yet"
    echo "https://ternoahelp.zendesk.com/hc/en-150"
    exit 1;
  elif cat /etc/*release | grep ^NAME | grep Red; then
    echo "==============================================="
    echo "Installing ternoa validator on RedHat not available yet"
    echo "https://ternoahelp.zendesk.com/hc/en-150"
    exit 1;
 elif cat /etc/*release | grep ^NAME | grep Fedora; then
    echo "================================================"
    echo "Installing ternoa validator on Fedorea not available yet"
    echo "https://ternoahelp.zendesk.com/hc/en-150"
    exit 1;
 elif cat /etc/*release | grep ^NAME | grep Ubuntu; then
    echo "==============================================="
    echo "Installing ternoa validator on Ubuntu ..."
    OS="ubuntu"
    OS_VERSION="20.04"
 elif cat /etc/*release | grep ^NAME | grep Debian ; then
    echo "==============================================="
    echo "Installing ternoa validator on Debian ..."
    OS="debian"
    OS_VERSION="11"
 else
    echo "OS NOT DETECTED, couldn't install ternoa validator"
    echo "https://ternoahelp.zendesk.com/hc/en-150"
    exit 1;
 fi


DOWNLOAD_URL="https://packages.ternoa.network/ternoa/${TERNOA_ENV}/${OS}-${OS_VERSION}/${TERNOA_VERSION}/ternoa"
_divider="--------------------------------------------------------------------------------"
_prompt=">>>"
_indent="   "

validator_name=""
chain_name=""
cat 1>&2 <<EOF
                                  Welcome to TERNOA installer 


$_divider
Website: https://ternoa.com
Docs: https://ternoa-2.gitbook.io/ternoa-testnet-guide/
Support : https://ternoahelp.zendesk.com/hc/en-150
$_divider

EOF

echo "$_prompt We'll be installing Ternoa via a pre-built archive at ${DOWNLOAD_URL}/"


PS3='Please choose the ternoa chain environment: '
select opt in Alphanet Mainnet
do
    case $opt in
        Alphanet)
            echo "Connecting to Mainnet ...";
	    TERNOA_ENV="alphanet"; break
	;;
        Mainnet)
            echo "Connecting to Mainnet ...";
   	    TERNOA_ENV="mainnet";  break
		;;
           
        *) echo "invalid option $REPLY"; 
		exit 1 
		;;   
 esac
done

while true; do
    read -rp "Enter Your Validator Name: " validator_name  </dev/tty
    if [[ ! -z "$validator_name" ]] ; then
        break ;
    fi
done

curl $DOWNLOAD_URL > /usr/bin/ternoa
mkdir -p "/opt/ternoa/node-data"
chmod +x "/usr/bin/ternoa"

printf "\n"



tee /etc/systemd/system/ternoa.service > /dev/null <<EOT
[Unit]
Description=Ternoa Validator Node By Ternoa.com

[Service]

ExecStart=/usr/bin/ternoa --chain ${TERNOA_ENV}  --base-path /opt/ternoa/node-data --name ${validator_name} --telemetry-url "wss://telemetry.polkadot.io/submit/ 0" --validator --state-cache-size 0 --execution wasm
WorkingDirectory=/usr/bin
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=10240
SyslogIdentifier=ternoa


[Install]
WantedBy=multi-user.target
EOT

systemctl daemon-reload
systemctl enable ternoa
systemctl start ternoa


printf "%s Install succeeded!\n" "$_prompt"
printf "\n"
printf "%s You can restart ternoa service using : systemctl restart ternoa\n"
printf "%s You can get the status of ternoa service using : systemctl status ternoa\n"
printf "%s You can stop ternoa service using : systemctl stop ternoa\n"
printf "\n"
printf "%s More information at https://ternoa-2.gitbook.io/ternoa-testnet-guide/\n" "$_prompt"

About service itself

So about User, Groups & relative directory
You should always have a dedicated user & group for a service.
Why would you like to start workin form /usr/bin while you are only working on --base-path
You should split your log outside of syslog to have better management of it.

[Unit]
Description=Ternoa Validator Node By Ternoa.com

[Service]

ExecStart=/usr/bin/ternoa --chain ${TERNOA_ENV}  --base-path /opt/ternoa/node-data --name ${validator_name} --telemetry-url "wss://telemetry.polkadot.io/submit/ 0" --validator --state-cache-size 0 --execution wasm
WorkingDirectory=/usr/bin
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=10240
SyslogIdentifier=ternoa

Should be like

[Unit]
Description=Ternoa Validator Node By Ternoa.com

[Service]
User=should_be_a_user_dedicated_for_node
Group=should_be_a_group_dedicated_for_node
WorkingDirectory=should_match_--base-path
ExecStart=/usr/bin/ternoa --chain ${TERNOA_ENV}  --base-path /opt/ternoa/node-data --name ${validator_name} --telemetry-url "wss://telemetry.polkadot.io/submit/ 0" --validator --state-cache-size 0 --execution wasm
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=10240
SyslogIdentifier=ternoa
StandardOutput=append:specify_log_path
StandardError=append:specify_log_path

About script execution

this script need privilege escalation to run, but do not have sudo inside. So you need to have privilege before, and people will run it as root for sure.

Best way is to ask for escalation only when this is needed and not make it work if you run it as root. That's a way to teach implicitly people that they should never do that.