Installation script relies on third party docker installation script

[sneak]

Error Message and Logs

The installation script uncritically downloads and executes third party shell scripts as root, exposing the user to supply chain attacks outside of the control of Coolify.

coolify/scripts/install.sh

Line 449 in eb58957

curl -s https://releases.rancher.com/install-docker/${DOCKER_VERSION}.sh | sh 2>&1 || true

The external resources pulled in by, for example, apt-get are checked with PGP signatures. The install script is fetched from the Coolify CDN (or alternately GitHub) via TLS, putting Coolify/Microsoft into a position of trust.

The script then uses that trust to transitively trust releases.rancher.com, giving whoever controls that domain the ability to run commands as root on the user's server. The user didn't really agree to this, they trusted Coolify. You're opening up the user to a much larger attack surface than they signed up for.

When trusted by users with curl https://yourdomain.example.com/install.sh | bash, you have a responsibility to be as careful as possible with their system. That means not running curl https://otherguy.example.com | bash uncritically. The curl | bash idiom is used to save time and hassle for a person doing a manual install, but it's not required in an installation script which can (and should) do things the right way, not the quick/careless way.

Coolify Version

main

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

all

Additional Information

No response

[peaklabs-dev]

The idea is that you trust the Coolify script and CDN because we control them and you can see their code on GitHub whenever you want.

The Rancher script is nothing more than the official Docker install script from Docker https://github.com/docker/docker-install/ and Rancher is a very trusted company so there is no risk of a supply chain attack. We use the Rancher version because it has a very handy script for each version, so we can easily install/upgrade the Docker version https://github.com/rancher/install-docker.

However, we are planning to change our installation process to a GO based install script in the future, which will give us more control and flexibility. We will take this feedback into consideration and we may implement a large part of the script into our own script in the future.