Using wget in cron jobs is insane #3452
samwaxxawmas asked this question in General (unanswered)
I just saw that and came here to see if anyone else had said this. As much as we might trust @tteck, if someone malicious gains access to this repository, they have a vector to run whatever code they want as root on god knows how many machines. I've saved the script and updated my crontab to run it locally, and would recommend others do the same.
If I get some free time I might try to file a PR to change this. Unfortunately, the LXC-Updater script does occasionally change, so users would have to manually run a new LXC-Updater-Updater script 🤷
I can't think of any conceivable reason for the "Proxmox VE Cron LXC Updater" to include the wget request to re-download the script which performs the LXC updates every time the job is run.
It's a massive security flaw to pull and execute un-inspected, arbitrary code on a regular basis.
The script is small and static.
Why does it need to be fetched every run!?!?
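One way to do what the replies describe (run a saved local copy from cron) while still allowing reviewed updates, as an added example that is not part of the thread or the project's code: the script runs only if its SHA-256 matches a digest recorded after review. The paths, file names, placeholder URL and the `PINNED_SHELL` variable are assumptions.

```shell
#!/bin/sh
# Added example; every path, file name and URL here is a hypothetical placeholder.
# Pattern criticised in the thread (fetch and execute on every run):
#   0 0 * * 0 bash -c "$(wget -qO - https://example.invalid/updater.sh)"
# Pinned alternative (cron runs a reviewed local copy through this wrapper):
#   0 0 * * 0 . /usr/local/lib/pinned.sh && run_pinned /usr/local/sbin/updater.sh /etc/updater.sha256

# Print the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Record the digest of SCRIPT in PINFILE. Run this by hand after reviewing
# a new version of the script, never from cron.
pin_script() {
    sha256_of "$1" > "$2" && chmod 600 "$2"
}

# Return 0 if SCRIPT matches the pinned digest, 1 on mismatch,
# 2 if SCRIPT is missing or a symlink, 3 if PINFILE is missing or empty.
verify_pinned() {
    script=$1 pinfile=$2
    [ -f "$script" ] && [ ! -L "$script" ] || return 2
    [ -s "$pinfile" ] || return 3
    expected=$(cat "$pinfile")
    actual=$(sha256_of "$script")
    [ "$expected" = "$actual" ] || return 1
}

# Execute SCRIPT only when it verifies; otherwise refuse and report why.
# PINNED_SHELL (assumed knob) selects the interpreter, bash by default.
run_pinned() {
    script=$1 pinfile=$2
    shift 2
    if verify_pinned "$script" "$pinfile"; then
        "${PINNED_SHELL:-bash}" "$script" "$@"
    else
        rc=$?
        echo "refusing to run $script: pin check failed (code $rc)" >&2
        return "$rc"
    fi
}
```

Both the script and the pin file should be owned by root and not writable by anyone else; when upstream changes the script, download the new version, read it, and re-run `pin_script`.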