
Security vs suggested NPI installation methods

plugins

#1

I’m troubled by the recommendation to run a shell script directly from curl. That’s a potentially dangerous practice which I feel should not be encouraged for software running on critical systems such as New Relic.

One example of a potential problem (incomplete download causes unintended behavior):
http://blog.existentialize.com/dont-pipe-to-your-shell.html

Another problem (browser receives a different script than curl):

I feel it is much better to recommend using a package manager which can verify a signature to download the software, or to provide a link to the source code and have the user compile it.


#2

(This was originally a reply to Getting Started with the Platform Installer but I think this topic has strayed far from the announcement of an installer, so split it off to a new post).

While your concerns are certainly valid, this is a pretty frequently used pattern (eg homebrew, http://brew.sh/), and allows people who do not have package managers to install our software. For instance, we’re unlikely to ever provide a (.pkg format) package for solaris, but npi and the mysql plugin should both work on it without modification.

I’m going to ask one of our security team to take a look at this topic - I suspect we could do something for folks like you who are more security conscious like publish a checksum of the code that you could check (and download manually, and then run once you’ve verified it).


#3

So I chatted with one of our security engineers and he suggested using https to download to be sure that you are getting the content we meant to send rather than suffering from a man in the middle attack or similar. (We still have to provide it via HTTP for some customers with complicated proxy situations). The script is pretty simple and has a pretty clear ending - it just ends with the usage messaging - so you can confirm you’ve gotten the whole thing.

I’ve filed a feature request to include a checksum with all of our software on download.newrelic.com, though this does require work from a lot of teams who all publish their own releases, so I don’t think we’ll be able to move very fast on it (and indeed, we explicitly don’t make promises about feature requests - preferring instead to announce that the feature is implemented rather than promising to implement and then having to announce delays or be a vaporware provider). Of course to do this right we have to have a second server that you can trust more, otherwise anyone can generate a checksum…so you can see why we didn’t promise to run out and do it, I hope.


#4

The Bash Shellshock vulnerability dramatically raises the risk of this installation method. This really is a dangerous pattern - just because other software packages employ dangerous packages does not mean NewRelic should.


#5

Thanks for raising that point. Our Security team believes that using HTTPS to download the script provides reasonable security but we’re continuing to look into improving the security of our download packages. We would also suggest downloading the script via curl and inspecting/reviewing it before then running it with the shell.


#6

@jimmys, I don’t want to make you feel like a bunch of NR support people are disagreeing with you or ignoring your security concerns.

The NPI method was created to meet a demand. There are many plugins developed by third parties and the installation methods can vary from plugin to plugin. In addition to the varying install methods, some people using plugins were not comfortable performing the sometimes complex manual installations of some plugins.

So the NPI method was created to provide a simple and uniform installation method which would be available on both Windows and Linux systems.

The Windows install method is not scripted and the current version of the installer bash script for Linux is 73 lines long. 39 of those lines are comments, empty or echo statements saying what the script is doing. The remaining 34 lines are quite easy to understand. If you want, you can read the script to see the steps required to perform a manual installation on Linux.

These steps are as follows:

  1. Download the appropriate platform install tarball here: https://download.newrelic.com/npi/release/

  2. Extract the tarball to the correct location like so:
    tar xzf $FILENAME -C $LOCATION

  • ~/newrelic-npi or /usr/local/newrelic-npi are likely choices for $LOCATION.

  3. And then set up the default configuration like this:
    /full/path/to/npi set license_key $LICENSE_KEY
    /full/path/to/npi set distro $DISTRO

  • Where $DISTRO is redhat, debian or simply blank/empty.

Again, the reason this installation method isn’t normally explained is because the complexity involved in performing it, however modest it may be, is the very thing the NPI was created to avoid.
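The advice in #3 and #5 (fetch over HTTPS, check the file is complete, review it, then run it) turned into a script, as an added example that is not New Relic's installer or any code from this thread. The script URL, the expected SHA-256 and the "usage" marker are placeholders and assumptions the reader replaces with values obtained from a trusted channel.

```shell
#!/bin/sh
# Added example: download the NPI install script to a file, verify it,
# review it, and only then execute it. Never pipe curl straight into sh.
set -eu

# Placeholders (assumed, not from New Relic): substitute real values.
NPI_SCRIPT_URL="https://download.newrelic.com/npi/release/PLACEHOLDER-install.sh"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
# Assumption from #3: the script ends with its usage text, so a
# truncated download will be missing this marker near the end.
COMPLETE_MARKER="usage"

# Print the SHA-256 hex digest of a file (coreutils or BSD/macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only when the file's digest equals the expected value.
checksum_ok() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Succeed only when the marker appears in the last 512 bytes of the
# file, a cheap guard against executing a partially downloaded script.
complete_ok() {
    tail -c 512 "$1" | grep -q "$2"
}

# Fetch to a temp file over HTTPS only, verify, show it, then run it.
fetch_and_install() {
    tmp="$(mktemp)"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$NPI_SCRIPT_URL"
    if ! checksum_ok "$tmp" "$EXPECTED_SHA256"; then
        echo "checksum mismatch, refusing to run $tmp" >&2
        return 1
    fi
    if ! complete_ok "$tmp" "$COMPLETE_MARKER"; then
        echo "script looks truncated, refusing to run $tmp" >&2
        return 1
    fi
    ${PAGER:-less} "$tmp"   # read the script before it touches the system
    sh "$tmp"
}
```

Call `fetch_and_install` after replacing the placeholders; the checksum only adds value when EXPECTED_SHA256 comes from somewhere other than the server that serves the script, which is the second trusted server #3 refers to.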