"disallow sticky world writable directory in PATH": Why?

 
 
Erik Veenstra
      12-04-2005
Found in ChangeLog-1.8.3:

Wed Sep 21 02:44:09 2005 Yukihiro Matsumoto <(E-Mail Removed)>
file.c (path_check_0): disallow sticky world writable directory in PATH (and $LOAD_PATH). [ruby-dev:27226]

Why is this changed in Ruby 1.8.3?

And how can I work around this check? It's annoying...

I added a simple test below.

Thanks.

Greetings,
Erik V. - http://www.erikveen.dds.nl/

----------------------------------------------------------------

$ cat /tmp/test/test1.rb
ENV

$ cat /tmp/test/test2.rb
ENV["PATH"]

----------------------------------------------------------------

$ useruby182
ruby 1.8.2 (2004-12-24) [i686-linux]

$ PATH=$PATH:/tmp/test ruby /tmp/test/test1.rb

$ PATH=$PATH:/tmp/test ruby /tmp/test/test2.rb

----------------------------------------------------------------

$ useruby183
ruby 1.8.3 (2005-09-21) [i686-linux]

$ PATH=$PATH:/tmp/test ruby /tmp/test/test1.rb

$ PATH=$PATH:/tmp/test ruby /tmp/test/test2.rb
/tmp/test/test2.rb:1: warning: Insecure world writable dir /tmp, mode 041777

----------------------------------------------------------------

 
ara.t.howard@noaa.gov
      12-04-2005
On Mon, 5 Dec 2005, Erik Veenstra wrote:

> Found in ChangeLog-1.8.3:
>
> Wed Sep 21 02:44:09 2005 Yukihiro Matsumoto <(E-Mail Removed)>
> file.c (path_check_0): disallow sticky world writable directory in PATH (and $LOAD_PATH). [ruby-dev:27226]
>
> Why is this changed in Ruby 1.8.3?
>
> And how can I work around this check? It's annoying...


$VERBOSE = nil

There are a few other annoying warnings, and some good ones, that this shuts
up. In my opinion the system level and language level warnings should be
controlled differently for this reason. I work in a collaborative laboratory
so you can imagine we have thousands of group writable directories. I can
have every single one of my shared programs spew warnings when run (hardly
confidence inspiring) so I simply must turn $VERBOSE off ;-(


-a
--
===============================================================================
| ara [dot] t [dot] howard [at] noaa [dot] gov
| all happiness comes from the desire for others to be happy. all misery
| comes from the desire for oneself to be happy.
| -- bodhicaryavatara
===============================================================================

 
Erik Veenstra
      12-04-2005
> > Found in ChangeLog-1.8.3:
> >
> > Wed Sep 21 02:44:09 2005 Yukihiro Matsumoto <(E-Mail Removed)>
> > file.c (path_check_0): disallow sticky world writable directory in PATH (and $LOAD_PATH). [ruby-dev:27226]
> >
> > Why is this changed in Ruby 1.8.3?
> >
> > And how can I work around this check? It's annoying...

>
> $VERBOSE = nil


I noticed that the check on ENV["PATH"] is done only once (see
test3). That means that we can turn the verbose message off, use
ENV["PATH"] as a dummy statement and turn the verbose message back
on (see test4). All other references to ENV["PATH"] are
unchecked. All other messages are still displayed.

Thanks.

Greetings,
Erik V. - http://www.erikveen.dds.nl/

----------------------------------------------------------------

$ ruby -v
ruby 1.8.3 (2005-09-21) [i686-linux]

$ cat /tmp/test/test3.rb
ENV["PATH"]
ENV["PATH"]

$ PATH=$PATH:/tmp/test ruby /tmp/test/test3.rb
/tmp/test/test3.rb:1: warning: Insecure world writable dir /tmp, mode 041777

----------------------------------------------------------------

$ cat /tmp/test/test4.rb
$VERBOSE=nil
ENV["PATH"]
$VERBOSE=true
ENV["PATH"]

$ PATH=$PATH:/tmp/test ruby /tmp/test/test4.rb

----------------------------------------------------------------

 
Zed A. Shaw
      12-04-2005
I didn't write it or have anything to do with it, but it's done because
*anybody* can inject Ruby code into your program. I really can't think
of a valid reason why you'd put a library file into such a directory
and include that directory in your PATH.

Looking at your examples below you've basically opened the
gates of hell by putting /tmp in your PATH. Simply don't do this.

I mean seriously, you can't be bothered to create a new directory for
your stuff that only you own? And, if the file needs to be shared, why
aren't you installing it properly in the ruby library standard way?
If it is a situation where you don't have control of the system
and need to install for a group of people, then I suggest you find the
sysadmin and beat him until he agrees to install your stuff. Tell him
to set up sudo such that you can at least run gem and your problems are
solved.

Finally, if you absolutely *must* share a PATH directory with other
people then at least be smart: get a group created and set the
directory writable *only* by this group, not the whole world.

Anyway, the way you're doing things is going to cause you major
problems.

Zed A. Shaw
http://www.zedshaw.com/


On Mon, 5 Dec 2005 00:47:32 +0900
Erik Veenstra <(E-Mail Removed)> wrote:

> Found in ChangeLog-1.8.3:
>
> Wed Sep 21 02:44:09 2005 Yukihiro Matsumoto <(E-Mail Removed)>
> file.c (path_check_0): disallow sticky world writable directory in
> PATH (and $LOAD_PATH). [ruby-dev:27226]
>
> Why is this changed in Ruby 1.8.3?
>
> And how can I work around this check? It's annoying...
>
> I added a simple test below.
>
> Thanks.
>
> Greetings,
> Erik V. - http://www.erikveen.dds.nl/
>
> ----------------------------------------------------------------
>
> $ cat /tmp/test/test1.rb
> ENV
>
> $ cat /tmp/test/test2.rb
> ENV["PATH"]
>
> ----------------------------------------------------------------
>
> $ useruby182
> ruby 1.8.2 (2004-12-24) [i686-linux]
>
> $ PATH=$PATH:/tmp/test ruby /tmp/test/test1.rb
>
> $ PATH=$PATH:/tmp/test ruby /tmp/test/test2.rb
>
> ----------------------------------------------------------------
>
> $ useruby183
> ruby 1.8.3 (2005-09-21) [i686-linux]
>
> $ PATH=$PATH:/tmp/test ruby /tmp/test/test1.rb
>
> $ PATH=$PATH:/tmp/test ruby /tmp/test/test2.rb
> /tmp/test/test2.rb:1: warning: Insecure world writable dir /tmp,
> mode 041777
>
> ----------------------------------------------------------------
>
>



 
Erik Veenstra
      12-04-2005
> I didn't write it or have anything to do with it, but it's
> done because *anybody* can inject Ruby code into your
> program.


If /tmp is a sticky directory (it is) and /tmp/$APP.$$.tmp is
owned by me (it is) and I'm the only person able to add or
alter files in it (I am), how can somebody else, let alone
*anybody*, inject Ruby code in my application?

I logged on as a different user and tried to corrupt, move,
delete and alter the temporary tree of a running application. I
couldn't.

> I really can't think of a valid reason why you'd put a
> library file into such a directory and include that directory
> in your PATH.


But I can... If you create temporary files in your application,
you can use /tmp. Well, you *should* use /tmp. It's invented
for exactly that. Even when it is a temporary library file or
an embedded application which is extracted to /tmp/$APP.$$.tmp.

> Looking at your examples below you've basically opened the
> gates of hell by putting /tmp in your PATH. Simply don't do
> this.


Did I say that I added /tmp in my path? I didn't add /tmp in my
path. Though I did add /tmp/$APP.$$.tmp/bin in my path. But
that directory is owned by me and /tmp is very sticky. What's
the problem?

(I skipped the rest of your message, which was based on
assumptions...)

> Anyway, the way you're doing things is going to cause you
> major problems.


If so, please explain.

Thanks.

Greetings,
Erik V. - http://www.erikveen.dds.nl/

 
 
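The disagreement between Zed's post and Erik's reply above comes down to what a PATH check should inspect: the entry itself, every ancestor on the way to it, and whether a world-writable ancestor is still dangerous once it carries the sticky bit. As an added example (not code from the thread, and not Ruby's own path_check_0 from file.c), here is a small auditor in current Ruby that applies both policies side by side: a strict one that flags every world-writable directory, which is what the 1.8.3 output in this thread shows for /tmp, and a relaxed one that tolerates a world-writable directory when it is sticky, which is the loosening Erik argues for. It also shows the /tmp/$APP.$$.tmp pattern from Erik's reply created defensively. The function names (insecure_reason, audit_path, make_private_tree, build_constructed_layout), the erik.<pid>.tmp and shared/bin layout, and the extra ownership rule are all this example's own assumptions, not behaviour the thread attributes to Ruby.

```ruby
# Added example: a PATH / $LOAD_PATH auditor modelled on the behaviour
# discussed in the thread. Not Ruby's file.c code; names are this example's own.
require 'tmpdir'
require 'fileutils'

# Classifies one directory on the way to a PATH entry.
# Returns nil when the directory is acceptable, otherwise a short reason.
#   strict: true   any world-writable directory is flagged, sticky or not
#                  (the 1.8.3 behaviour the thread shows for /tmp)
#   strict: false  world-writable is tolerated when the sticky bit is set:
#                  with the sticky bit only an entry's owner (or root) can
#                  rename or unlink it, so a 0700 subdirectory we own cannot
#                  be swapped out from under us by another user
def insecure_reason(dir, strict: false)
  st = File.stat(dir)
  return "not a directory" unless st.directory?
  world_writable = (st.mode & 0o002) != 0
  sticky         = (st.mode & 0o1000) != 0
  if world_writable && (strict || !sticky)
    return "world writable, mode 0%o" % st.mode
  end
  # This example's own extra rule (assumption, not from the thread): a directory
  # owned by another non-root user can be re-permissioned by that user later.
  return "owned by uid #{st.uid}" if st.uid != Process.euid && st.uid != 0
  nil
end

# Audits every entry of a PATH-style string. The entry and each ancestor below
# +trusted_root+ are inspected, because a writable ancestor lets an attacker
# rename the entry away and drop in a directory of their own. Returns a hash
# { entry => [[dir, reason], ...] } containing only entries with problems.
def audit_path(path_string, strict: false, trusted_root: "/")
  root = File.realpath(trusted_root)
  findings = {}
  path_string.split(File::PATH_SEPARATOR).each do |entry|
    next if entry.empty?
    begin
      dir = File.realpath(entry)   # resolve symlinks so we stat real directories
    rescue SystemCallError => e
      findings[entry] = [[entry, e.class.name]]
      next
    end
    problems = []
    while dir != root
      reason = insecure_reason(dir, strict: strict)
      problems << [dir, reason] if reason
      parent = File.dirname(dir)
      break if parent == dir       # reached "/" without meeting trusted_root
      dir = parent
    end
    findings[entry] = problems unless problems.empty?
  end
  findings
end

# The /tmp/$APP.$$.tmp pattern from the thread, done defensively: create with
# mode 0700 (mkdir fails if someone planted that name first), then verify the
# result is a directory we own that nobody else can write or even read.
def make_private_tree(base, app)
  dir = File.join(base, "#{app}.#{Process.pid}.tmp")
  Dir.mkdir(dir, 0o700)
  st = File.lstat(dir)
  unless st.directory? && st.uid == Process.euid && (st.mode & 0o077).zero?
    raise "#{dir} is not a private directory we own"
  end
  Dir.mkdir(File.join(dir, "bin"), 0o700)
  File.join(dir, "bin")
end

# Constructed layout for the demo (an assumption, not a real system): +base+ is
# made world-writable and sticky like /tmp; "erik.<pid>.tmp/bin" is private;
# "shared/bin" sits under a 0777, non-sticky parent. Returns both bin paths.
def build_constructed_layout(base)
  File.chmod(0o1777, base)
  private_bin = make_private_tree(base, "erik")
  open_bin = File.join(base, "shared", "bin")
  FileUtils.mkdir_p(open_bin)
  File.chmod(0o777, File.dirname(open_bin))
  [private_bin, open_bin]
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir("pathcheck") do |base|
    private_bin, open_bin = build_constructed_layout(base)
    path = [private_bin, open_bin].join(File::PATH_SEPARATOR)
    [true, false].each do |strict|
      puts "strict=#{strict} (#{strict ? '1.8.3-style' : 'sticky tolerated'}):"
      findings = audit_path(path, strict: strict, trusted_root: File.dirname(base))
      puts "  no findings" if findings.empty?
      findings.each do |entry, problems|
        problems.each { |dir, why| puts "  #{entry}: #{dir} is #{why}" }
      end
    end
  end
end
```

Run as a script it prints the strict policy flagging the sticky base directory for both entries (the analogue of the "Insecure world writable dir /tmp, mode 041777" warning in the thread), and the relaxed policy flagging only shared/bin, whose 0777 non-sticky parent genuinely lets any user replace its contents. The trusted_root parameter exists so the walk stops at a directory you have already vetted; with the default "/" every ancestor is inspected.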
Yukihiro Matsumoto
      12-05-2005
Hi,

In message "Re: "disallow sticky world writable directory in PATH": Why?"
on Mon, 5 Dec 2005 00:47:32 +0900, Erik Veenstra <(E-Mail Removed)> writes:

| Wed Sep 21 02:44:09 2005 Yukihiro Matsumoto <(E-Mail Removed)>
| file.c (path_check_0): disallow sticky world writable directory in PATH (and $LOAD_PATH). [ruby-dev:27226]
|
|Why is this changed in Ruby 1.8.3?
|And how can I work around this check? It's annoying...

The warning condition may be too loose. Let me reconsider, although it's
a bit too late for 1.8.4, which is scheduled for Christmas.

matz.

