thingsiplay , 2 months ago

curling into a temporary directory and then piping into Bash is effectively the same as the current way. Why not provide a clear instruction for installation and maybe even a separate installation script? Why does the setup script download the hardening script from the web, if its included in the repository anyway?

Here is how I would imagine the install instructions could look like. Git clone command will download all files from the current repo, including the hardening-overwrite script. With bash scriptname the user does not require to use chmod. I would remove the curl from the setup script. Also there is a dedicated install command in Linux.

Inside setup . sh you could use:

<span style="color:#323232;">program</span><span style="font-weight:bold;color:#a71d5d;">=</span><span style="color:#183691;">'thunderbird-hardening-overwrite'
</span><span style="color:#323232;">install -v </span><span style="color:#183691;">"${</span><span style="color:#323232;">program</span><span style="color:#183691;">}" </span><span style="color:#323232;">~/.local/bin/</span><span style="color:#183691;">"${</span><span style="color:#323232;">program</span><span style="color:#183691;">}"
</span>

And the installation instructions in the Readme could look like this:

<span style="color:#323232;">git clone https://github.com/boredsquirrel/thunderbird-hardening-automation
</span><span style="color:#323232;">bash setup.sh
</span>

If people are capable of copying the curl command, then they are capable of copying a few more lines like above.

---

Ah, I didn’t think about the commenting out stuff. This breaks it. If that is something you want to allow, then this technique wouldn’t work. There is a way to run sed only once, by building a command variable as a Bash array. I am using this technique in my scripts nowadays, but it might look strange for people who don’t know about it. Commenting out lines is possible with arrays. Not sure if you would want do that. In case you want to look at how this looks:

<span style="font-style:italic;color:#969896;"># Base command.
</span><span style="color:#323232;">sed_cmd</span><span style="font-weight:bold;color:#a71d5d;">=</span><span style="color:#323232;">(
</span><span style="color:#323232;">    sed
</span><span style="color:#323232;">    -i
</span><span style="color:#323232;">)
</span><span style="color:#323232;">
</span><span style="font-style:italic;color:#969896;"># Arguments that can be added by condition or excluded with commenting out.
</span><span style="color:#323232;">sed_cmd</span><span style="font-weight:bold;color:#a71d5d;">+=</span><span style="color:#323232;">(-e </span><span style="color:#183691;">'s/abc/ABC/g'</span><span style="color:#323232;">)
</span><span style="color:#323232;">sed_cmd</span><span style="font-weight:bold;color:#a71d5d;">+=</span><span style="color:#323232;">(-e </span><span style="color:#183691;">'s/def/DEF/g'</span><span style="color:#323232;">)
</span><span style="color:#323232;">
</span><span style="font-style:italic;color:#969896;"># Then the last argument that is intended to be added always.
</span><span style="color:#323232;">sed_cmd</span><span style="font-weight:bold;color:#a71d5d;">+=</span><span style="color:#323232;">(user.js)
</span><span style="color:#323232;">
</span><span style="font-style:italic;color:#969896;"># Execute the Bash array as a commandline:
</span><span style="color:#183691;">"${</span><span style="color:#323232;">sed_cmd[@]</span><span style="color:#183691;">}"
</span>

This might look intimidating and I can understand if you pass on this one. But I just wanted bring this to your attention. You might want to experiment before committing to it.