[security] Linux bootstrap executes unpinned installer scripts as root #715

Description

@coygeek

Summary

Managed Linux leases that request Code or default-package Tailscale provisioning execute remote installer scripts as root during cloud-init without pinning the script, release artifact, signature, or checksum. This crosses the target policy's supply-chain integrity boundary for artifacts or images downloaded and installed as part of a documented workflow: a compromised installer endpoint, CDN path, or trusted network response can run arbitrary root commands inside a Crabbox-created lease before the lease is handed to the operator, including on Tailscale-enabled leases that immediately receive a one-off tailnet auth key.

Affected Components

  • Checked commit: 5001cd1179a42c174da65c8e8a87bf16218aef95
  • Component: worker bootstrap / managed Linux provisioning
  • Affected files and lines:
    • worker/src/bootstrap.ts:1452-1455
    • worker/src/bootstrap.ts:1475-1495
    • worker/src/bootstrap.ts:1532-1544
    • worker/src/config.ts:267-273
    • worker/src/tailscale.ts:71-80
    • docs/features/tailscale.md:195-199
    • worker/test/bootstrap.test.ts:380-456

Attack Path

Attacker role:

provider response / upstream installer distribution compromise

Prerequisites:

  • A Crabbox operator creates a managed Linux lease with --code, or creates a managed Linux lease with --tailscale while CRABBOX_TAILSCALE_INSTALL_MODE is unset or set to package.
  • The attacker can influence the remote installer script response from https://code-server.dev/install.sh or https://tailscale.com/install.sh, for example through compromise of the upstream distribution path, CDN/account control, or a trusted network component.

Steps:

  1. The operator requests a documented managed Linux workflow: Code provisioning with --code, or tailnet enrollment with --tailscale.
  2. The Worker renders cloud-init that runs curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local for Code, or curl -fsSL https://tailscale.com/install.sh | sh for package-mode Tailscale.
  3. The cloud-init script executes the fetched script as root before any local checksum, release version, signature, or pinned artifact validation occurs.
  4. For Tailscale leases, the same bootstrap path then starts tailscaled and pipes the short-lived auth key into tailscale up, so compromised install-time code can run in the privileged provisioning context immediately before tailnet enrollment.

Expected result:

The attacker gains root code execution inside the managed lease during provisioning, before the operator's workload runs and before the lease is considered ready. On Tailscale-enabled leases, the compromised root context can also interfere with tailnet enrollment or access the ephemeral auth-key flow while the bootstrap is executing.

Control/dataflow:

remote installer endpoint response
  -> cloud-init generated by worker/src/bootstrap.ts
  -> root shell pipeline without pinned version/checksum/signature validation
  -> managed Linux lease provisioning
  -> root code execution and possible tailnet enrollment interference

Impact

This is a supply-chain integrity failure in Crabbox-managed bootstrap. A compromised installer response can modify the managed VM, persist in the operator's development environment, observe files synchronized into the lease, tamper with command results, and interfere with brokered Tailscale enrollment. The impact is confined to the newly provisioned lease rather than the Crabbox coordinator host, but it affects a documented default install path for --tailscale package mode and a documented Code provisioning path for managed Linux leases.

Severity Assessment

CVSS Assessment

Metric       v3.1                                          v4.0
Score        7.5 / 10.0                                    7.5 / 10.0
Severity     High                                          High
Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H  CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Calculator   CVSS v3.1 Calculator                          CVSS v4.0 Calculator

Recommended Remediation

  • Do not pipe unauthenticated remote installer scripts directly into a root shell in generated cloud-init.
  • Make the existing pinned Tailscale static archive mode the default for managed Linux leases, or require package installation through an explicitly pinned, signed package repository bootstrap whose signing key fingerprint and repository metadata are verified before installation.
  • Replace Code provisioning with a pinned code-server release artifact or package repository flow that validates version and checksum/signature before installing into /usr/local.
  • Fail lease creation when required pinned version/checksum metadata is unavailable, rather than silently falling back to install.sh pipelines.
  • Add tests that assert generated cloud-init for --code and default --tailscale contains checksum/signature verification and does not contain curl ... | sh.

Validation

Validation method:

source review and existing unit-test inspection

Evidence and counterevidence:

  • worker/src/bootstrap.ts:1452-1455 renders Code bootstrap as a root curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local pipeline when config.code is true.
  • worker/src/bootstrap.ts:1475-1478 renders Tailscale bootstrap as a root curl -fsSL https://tailscale.com/install.sh | sh pipeline whenever config.tailscaleInstallMode !== "pinned".
  • worker/src/bootstrap.ts:1479-1495 shows a safer pinned Tailscale path already exists: it downloads a versioned tarball, checks sha256sum -c -, and installs the extracted binaries.
  • worker/src/config.ts:267-273 sets tailscaleInstallMode: "package" in normalized lease config.
  • worker/src/tailscale.ts:71-80 maps missing CRABBOX_TAILSCALE_INSTALL_MODE to package and only selects pinned mode when the env var explicitly equals pinned.
  • docs/features/tailscale.md:195-199 documents package install script mode as the default and pinned static archive mode as an opt-in alternative.
  • worker/test/bootstrap.test.ts:380-456 asserts current generated bootstrap contains both unpinned installer-script URLs for the affected modes and asserts the pinned Tailscale mode does not contain https://tailscale.com/install.sh and does contain sha256sum -c -.
  • Counterevidence considered: Code provisioning is only generated when --code is requested, and Tailscale package install is documented as the current default. The issue is therefore not an automatic compromise of every lease, but it remains in scope because the target policy includes integrity failures in downloaded artifacts/images installed as part of documented default workflows.
  • Counterevidence considered: Tailscale supports a pinned mode, but it is opt-in and does not protect the documented default package mode or the Code installer path.
  • Known-not-planned registry checked: no CBX-NP-* or CBX-DUP-* entry covers unpinned root-executed third-party installer scripts in managed Linux bootstrap.

Suggested regression coverage or verification:

  • worker/test/bootstrap.test.ts: update Code and default Tailscale bootstrap tests to assert pinned release/checksum/signature verification and absence of curl -fsSL ... | sh pipelines.
  • Add a focused test that default Tailscale config either renders pinned install mode or rejects missing checksum metadata before cloud-init generation.

  Run with:

    npm test --prefix worker -- bootstrap.test.ts
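The remediation list above (fail closed when pin metadata is missing, render a download-then-verify step instead of a piped installer) and the suggested regression coverage (assert the generated cloud-init contains checksum verification and no curl ... | sh pipeline) can both be illustrated with one small TypeScript module. This is an added example, not Crabbox's bootstrap.ts or its test suite: the PinnedArtifact shape, the function names, the sample digest and URL, and the tar install layout are all assumptions chosen for illustration.

```typescript
// Added example (not Crabbox's own code): a fail-closed cloud-init renderer for
// one pinned release artifact, plus a checker a regression test can run over any
// rendered bootstrap text. Names, field layout and sample values are assumptions.

interface PinnedArtifact {
  name: string;     // short tool name used for the temp file, e.g. "tailscale"
  version: string;  // release version the operator pinned
  url: string;      // https URL of the versioned archive
  sha256: string;   // expected hex digest of that archive (64 hex chars)
}

// A "fetch | shell" line: curl or wget output piped straight into sh/bash/zsh/dash,
// optionally via sudo. Lines that pipe into sha256sum or tar do not match.
const UNPINNED_PIPE = /\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b/;

// Every line of a rendered bootstrap that executes a remote script unverified.
function findUnpinnedPipelines(script: string): string[] {
  return script.split("\n").filter((line) => UNPINNED_PIPE.test(line));
}

// The property the issue's suggested tests should assert: no piped installer,
// and an explicit checksum verification step before anything is installed.
function isPinnedBootstrap(script: string): boolean {
  return findUnpinnedPipelines(script).length === 0 && script.includes("sha256sum -c -");
}

// Renders download / verify / install for one pinned artifact. Incomplete pin
// metadata is an error here rather than a fallback to an install.sh pipeline.
function renderPinnedInstall(a: PinnedArtifact): string {
  if (!/^[a-z0-9-]+$/.test(a.name) || !/^[0-9A-Za-z._-]+$/.test(a.version)) {
    throw new Error(`${a.name}: name/version contain characters unsafe for a shell script`);
  }
  if (!/^https:\/\/[^\s"']+$/.test(a.url)) {
    throw new Error(`${a.name}: artifact URL must be https and contain no shell metacharacters`);
  }
  if (!/^[0-9a-f]{64}$/.test(a.sha256)) {
    throw new Error(`${a.name}: refusing to render bootstrap without a 64-hex sha256 pin`);
  }
  const file = `/tmp/${a.name}-${a.version}.tgz`;
  return [
    "set -euo pipefail",
    `curl -fsSL -o ${file} ${a.url}`,
    // sha256sum -c reads "<digest>  <path>" from stdin and exits non-zero on a
    // mismatch; with set -e that aborts cloud-init before the archive is unpacked.
    `echo "${a.sha256}  ${file}" | sha256sum -c -`,
    `tar -xzf ${file} -C /usr/local/bin --strip-components=1`,
    `rm -f ${file}`,
  ].join("\n");
}

// Constructed sample mirroring the two pipelines the issue reports.
const LEGACY_BOOTSTRAP = [
  "curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/usr/local",
  "curl -fsSL https://tailscale.com/install.sh | sh",
].join("\n");

// Constructed pin: version, URL and digest are placeholders, not a real release.
const SAMPLE_PIN: PinnedArtifact = {
  name: "tailscale",
  version: "0.0.0-placeholder",
  url: "https://example.invalid/tailscale_0.0.0_amd64.tgz",
  sha256: "0123456789abcdef".repeat(4),
};
```

In a test, `isPinnedBootstrap(renderBootstrap(config))` for the --code and default --tailscale configurations is the single assertion the issue asks for; `findUnpinnedPipelines` gives a useful failure message by naming the offending line. The renderer throws on a missing or malformed digest so that a lease creation with incomplete pin metadata fails before any cloud-init is emitted, matching the "fail lease creation" remediation rather than the current fallback.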

Remaining uncertainty:

No live installer compromise or runtime MITM proof was attempted during discovery. The finding is based on source-confirmed root execution of unpinned remote installer scripts and the existing tests that lock in that behavior.

Labels

  • P1: Urgent regression or broken agent/channel workflow affecting real users now.
  • clawsweeper:linked-pr-open: ClawSweeper found an open linked pull request for this issue.
  • clawsweeper:needs-product-decision: ClawSweeper marked this issue as needing a product or behavior decision.
  • clawsweeper:needs-security-review: ClawSweeper marked this issue as needing security-sensitive review.
  • clawsweeper:no-new-fix-pr: ClawSweeper does not recommend queueing a new automated fix PR for this issue.
  • clawsweeper:source-repro: ClawSweeper found a high-confidence source-level issue reproduction.
  • impact:security: This issue is about security boundaries, credentials, authz, sandboxing, or sensitive data.
  • issue-rating: 🦞 diamond lobster: Very strong issue quality with high-confidence source-level or clear reproduction.