[security] Linux bootstrap executes unpinned installer scripts as root
Summary
Managed Linux leases that request Code or default-package Tailscale provisioning execute remote installer scripts as root during cloud-init without pinning the script, release artifact, signature, or checksum. This crosses the target policy's supply-chain integrity boundary for artifacts or images downloaded and installed as part of a documented workflow: a compromised installer endpoint, CDN path, or trusted network response can run arbitrary root commands inside a Crabbox-created lease before the lease is handed to the operator, including on Tailscale-enabled leases that immediately receive a one-off tailnet auth key.
Affected Components
- Checked commit: 5001cd1179a42c174da65c8e8a87bf16218aef95
- Component: worker bootstrap / managed Linux provisioning
- Affected files and lines:
  - worker/src/bootstrap.ts:1452-1455
  - worker/src/bootstrap.ts:1475-1495
  - worker/src/bootstrap.ts:1532-1544
  - worker/src/config.ts:267-273
  - worker/src/tailscale.ts:71-80
  - docs/features/tailscale.md:195-199
  - worker/test/bootstrap.test.ts:380-456
Attack Path
Attacker role:
provider response / upstream installer distribution compromise
Prerequisites:
- A Crabbox operator creates a managed Linux lease with --code, or creates a managed Linux lease with --tailscale while CRABBOX_TAILSCALE_INSTALL_MODE is unset or set to package.
- The attacker can influence the remote installer script response from https://code-server.dev/install.sh or https://tailscale.com/install.sh, for example through compromise of the upstream distribution path, CDN/account control, or a trusted network component.
Steps:
- The operator requests a documented managed Linux workflow: Code provisioning with --code, or tailnet enrollment with --tailscale.
- The Worker renders cloud-init that runs curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local for Code, or curl -fsSL https://tailscale.com/install.sh | sh for package-mode Tailscale.
- The cloud-init script executes the fetched script as root before any local checksum, release version, signature, or pinned artifact validation occurs.
- For Tailscale leases, the same bootstrap path then starts tailscaled and pipes the short-lived auth key into tailscale up, so compromised install-time code can run in the privileged provisioning context immediately before tailnet enrollment.
Expected result:
The attacker gains root code execution inside the managed lease during provisioning, before the operator's workload runs and before the lease is considered ready. On Tailscale-enabled leases, the compromised root context can also interfere with tailnet enrollment or access the ephemeral auth-key flow while the bootstrap is executing.
Control/dataflow:
remote installer endpoint response
-> cloud-init generated by worker/src/bootstrap.ts
-> root shell pipeline without pinned version/checksum/signature validation
-> managed Linux lease provisioning
-> root code execution and possible tailnet enrollment interference
Impact
This is a supply-chain integrity failure in Crabbox-managed bootstrap. A compromised installer response can modify the managed VM, persist in the operator's development environment, observe files synchronized into the lease, tamper with command results, and interfere with brokered Tailscale enrollment. The impact is confined to the newly provisioned lease rather than the Crabbox coordinator host, but it affects a documented default install path for --tailscale package mode and a documented Code provisioning path for managed Linux leases.
Severity Assessment
CVSS Assessment
| Metric | v3.1 | v4.0 |
| --- | --- | --- |
| Score | 7.5 / 10.0 | 7.5 / 10.0 |
| Severity | High | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Calculator | CVSS v3.1 Calculator | CVSS v4.0 Calculator |
Recommended Remediation
- Do not pipe unauthenticated remote installer scripts directly into a root shell in generated cloud-init.
- Make the existing pinned Tailscale static archive mode the default for managed Linux leases, or require package installation through an explicitly pinned, signed package repository bootstrap whose signing key fingerprint and repository metadata are verified before installation.
- Replace Code provisioning with a pinned code-server release artifact or package repository flow that validates version and checksum/signature before installing into /usr/local.
- Fail lease creation when required pinned version/checksum metadata is unavailable, rather than silently falling back to install.sh pipelines.
- Add tests that assert generated cloud-init for --code and default --tailscale contains checksum/signature verification and does not contain curl ... | sh.
Validation
Validation method:
source review and existing unit-test inspection
Evidence and counterevidence:
- worker/src/bootstrap.ts:1452-1455 renders Code bootstrap as a root curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local pipeline when config.code is true.
- worker/src/bootstrap.ts:1475-1478 renders Tailscale bootstrap as a root curl -fsSL https://tailscale.com/install.sh | sh pipeline whenever config.tailscaleInstallMode !== "pinned".
- worker/src/bootstrap.ts:1479-1495 shows a safer pinned Tailscale path already exists: it downloads a versioned tarball, checks sha256sum -c -, and installs the extracted binaries.
- worker/src/config.ts:267-273 sets tailscaleInstallMode: "package" in normalized lease config.
- worker/src/tailscale.ts:71-80 maps missing CRABBOX_TAILSCALE_INSTALL_MODE to package and only selects pinned mode when the env var explicitly equals pinned.
- docs/features/tailscale.md:195-199 documents package install script mode as the default and pinned static archive mode as an opt-in alternative.
- worker/test/bootstrap.test.ts:380-456 asserts current generated bootstrap contains both unpinned installer-script URLs for the affected modes and asserts the pinned Tailscale mode does not contain https://tailscale.com/install.sh and does contain sha256sum -c -.
- Counterevidence considered: Code provisioning is only generated when --code is requested, and Tailscale package install is documented as the current default. The issue is therefore not an automatic compromise of every lease, but it remains in scope because the target policy includes integrity failures in downloaded artifacts/images installed as part of documented default workflows.
- Counterevidence considered: Tailscale supports a pinned mode, but it is opt-in and does not protect the documented default package mode or the Code installer path.
- Known-not-planned registry checked: no CBX-NP-* or CBX-DUP-* entry covers unpinned root-executed third-party installer scripts in managed Linux bootstrap.
Suggested regression coverage or verification:
- worker/test/bootstrap.test.ts: update Code and default Tailscale bootstrap tests to assert pinned release/checksum/signature verification and absence of curl -fsSL ... | sh pipelines.
- Add a focused test that default Tailscale config either renders pinned install mode or rejects missing checksum metadata before cloud-init generation.
- npm test --prefix worker -- bootstrap.test.ts
Remaining uncertainty:
No live installer compromise or runtime MITM proof was attempted during discovery. The finding is based on source-confirmed root execution of unpinned remote installer scripts and the existing tests that lock in that behavior.
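One way to implement the check described under Recommended Remediation and Suggested regression coverage, as an added example that is not Crabbox's own test code: a heuristic lint over rendered cloud-init shell that flags pipe-to-shell installers and downloads with no checksum gate. The auditBootstrap function, the sample renderings, and the TS_URL / TS_SHA256 placeholders are assumptions made for illustration.

```typescript
// Added example, not Crabbox code: heuristic lint for rendered cloud-init shell.
interface Finding { text: string; reason: string }

// Downloader output piped straight into a shell, e.g. `curl ... | sh -s -- ...`.
const PIPE_TO_SHELL = /\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b/;
const DOWNLOAD = /\b(?:curl|wget)\b/;
// Checksum gate in the style the report cites for pinned mode: `sha256sum -c -`.
const CHECKSUM_GATE = /\bsha(?:256|512)sum\s+(?:-c|--check)\b/;
const NO_GATE = "download without checksum verification";

function auditBootstrap(script: string): Finding[] {
  const findings: Finding[] = [];
  let unverified: string | null = null; // download not yet followed by a checksum gate
  // Join backslash continuations so a pipeline split across lines is still caught.
  for (const raw of script.replace(/\\\n/g, " ").split("\n")) {
    const text = raw.trim();
    if (text === "" || text.startsWith("#")) continue;
    if (PIPE_TO_SHELL.test(text)) {
      findings.push({ text, reason: "remote script piped to a shell" });
    } else if (CHECKSUM_GATE.test(text)) {
      unverified = null; // the preceding download is gated
    } else if (DOWNLOAD.test(text)) {
      if (unverified !== null) findings.push({ text: unverified, reason: NO_GATE });
      unverified = text;
    }
  }
  if (unverified !== null) findings.push({ text: unverified, reason: NO_GATE });
  return findings;
}

// Pipelines quoted in the report for --code and package-mode --tailscale.
const UNPINNED = [
  "curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local",
  "curl -fsSL https://tailscale.com/install.sh | sh",
].join("\n");

// Constructed pinned rendering; TS_URL and TS_SHA256 are placeholders, not real release values.
const PINNED = [
  'curl -fsSL "$TS_URL" -o /tmp/tailscale.tgz',
  'echo "$TS_SHA256  /tmp/tailscale.tgz" | sha256sum -c -',
  "tar -xzf /tmp/tailscale.tgz -C /tmp",
].join("\n");

console.log(auditBootstrap(UNPINNED), auditBootstrap(PINNED));
```

The lint only checks that a checksum gate appears after each download; it does not prove the script aborts when the gate fails, so the rendered bootstrap still needs to run with errors fatal.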