Anyone knows this warning?

 
 
Zhao Yi
 
      01-06-2009
When my ruby runs an external program, it will get this warning:
warning: Insecure world writable dir SOMEDIR

I have checked the SOMEDIR and its permission mode is 777. Does anyone
know this warning? How can I avoid this?

thanks
--
Posted via http://www.ruby-forum.com/.

 
 
 
 
 
Brian Candler
 
      01-06-2009
Zhao Yi wrote:
> When my ruby runs an external program, it will get this warning:
> warning: Insecure world writable dir SOMEDIR
>
> I have checked the SOMEDIR and its permission mode is 777.


Which means it's world-writable, as the warning says. In octal:

  7   7   7
111 111 111
rwx rwx rwx   (user, group, world)

The warning comes from path_check_0 in file.c, which in turn is called
from rb_path_check, which checks each of the directories in your PATH.

It's basically saying: when you do system("foo"), one of your PATH
directories is world writable, so any random user on your system could
have installed their own "foo" executable which does whatever they like
(e.g. changing your password, or mailing your pr0n collection to your
girlfriend).

> How can I avoid this?


man chmod
--
Posted via http://www.ruby-forum.com/.
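
Added example, not part of the original thread and not the code in Ruby's file.c: a small Ruby audit that lists the PATH entries that are world-writable directories, which is the condition the warning above reports. The function names and the sample directories are constructed for illustration.

```ruby
require "tmpdir"

WORLD_WRITE = 0o002 # the "w" of the last rwx triplet (other/world)

# Return [dir, permission_bits] for every PATH entry that is a
# world-writable directory. Simplified: only the entries themselves
# are examined, not their parent directories.
def world_writable_path_dirs(path_value = ENV.fetch("PATH", ""))
  entries = path_value.split(File::PATH_SEPARATOR).uniq
  entries.each_with_object([]) do |entry, found|
    dir = entry.empty? ? "." : entry # an empty PATH entry means the current directory
    begin
      st = File.stat(dir)
    rescue SystemCallError
      next # missing or unreadable entry: skip it
    end
    next unless st.directory?
    perm = st.mode & 0o7777
    found << [dir, perm] unless (perm & WORLD_WRITE).zero?
  end
end

# One report line per finding, with the mode that `chmod o-w` would leave.
def report(findings)
  findings.map do |dir, perm|
    format("%s: mode %04o is world-writable; chmod o-w would leave %04o",
           dir, perm, perm & ~WORLD_WRITE)
  end
end

# Constructed sample: one normal directory, one mode-777 directory,
# and one PATH entry that does not exist.
def demo
  Dir.mktmpdir do |root|
    safe = File.join(root, "bin")
    shared = File.join(root, "shared")
    Dir.mkdir(safe)
    Dir.mkdir(shared)
    File.chmod(0o755, safe)
    File.chmod(0o777, shared)
    path = [safe, shared, File.join(root, "missing")].join(File::PATH_SEPARATOR)
    report(world_writable_path_dirs(path))
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Calling world_writable_path_dirs with no argument audits the PATH of the current process.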

 
 
 
 
 
Zhao Yi
 
      01-06-2009
Brian Candler wrote:
>
> Which means it's world-writable, as the warning says. In octal:
>
>   7   7   7
> 111 111 111
> rwx rwx rwx   (user, group, world)
>
> man chmod


Why does ruby check its permission? I do want this path writable. How
can I disable this warning?
--
Posted via http://www.ruby-forum.com/.

 
 
Brian Candler
 
      01-06-2009
Zhao Yi wrote:
> why does ruby check its permission?


Because not heeding this warning is approximately the same as posting
your password in clear text to all users on the system.

Even if you have no other users on your system, if someone happens to
break in (e.g. through your web server or mail server), and gets a shell
running as any daemon user, they can exploit this hole to run any script
as *your* userid.

> I do want this path writable. how
> can I disable this warning?


I already pointed you at file.c. You will find a #if check in there,
which lets you recompile ruby with this check disabled.

I'm not going to hint further. If you are smart enough to understand
fully the consequences of disabling this check, then you are smart enough
to read the configure script and recompile ruby with this check
disabled.
--
Posted via http://www.ruby-forum.com/.

 
 
David Rio Deiros
 
      01-07-2009
On Tue 6.Jan'09 at 18:14:05 +0900, Zhao Yi wrote:
> Brian Candler wrote:
> >
> > Which means it's world-writable, as the warning says. In octal:
> >
> >   7   7   7
> > 111 111 111
> > rwx rwx rwx   (user, group, world)
> >
> > man chmod

>
> why does ruby check its permission?


Why not? Ruby is letting you know that something bad can happen.

> I do want this path writable. how can I disable this warning?


ruby -W0 /path/to/your_script

-drd

 
 
Tim Greer
 
      01-07-2009
Zhao Yi wrote:

> When my ruby runs an external program, it will get this warning:
> warning: Insecure world writable dir SOMEDIR
>
> I have checked the SOMEDIR and its permission mode is 777. Does anyone
> know this warning? How can I avoid this?
>
> thanks


World read, write and execute is a bad thing if you're on a shared
server with other users. Any good system will error and prevent it
from running, instead of blindly running it. Else you risk issues
where another user on the system can write to your files/directories,
destroy, modify or delete your valuable data, as well as open
exploitable potentials. If this is your own server and you don't share
it with any other users (or other users you can't trust), then you can
remove that check if you wish. Still, even when running with a lower
privileged user instead of your own for better protection (if you run
insecure scripts or you aren't able to ensure they are secure), it
still shouldn't need world write/execute.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
 
 
Ryan Masters
 
      01-07-2009
Zhao Yi wrote:
> When my ruby runs an external program, it will get this warning:
> warning: Insecure world writable dir SOMEDIR
>
> I have checked the SOMEDIR and its permission mode is 777. Does anyone
> know this warning? How can I avoid this?
>
> thanks


I understand that you want this directory to be world-writable, so this
is probably not much use for your current situation, but handy to know
nonetheless. You may want to configure a group, see /etc/groups, man
groups, or man chgrp instead of having it be world-writable.

With that aside, there are two ways to modify the permissions for files
and directories. In essence, it's by name or by number. Using the names
is better when beginning. See man chmod for more details.

Basically, you can use the syntax
'chmod <which_access_level><+ or -><which_access_type>'.

<which_access_level> would be one of the following {a,u,g,o} where a is
all (user group and other), u is user, g is group, and o is other
(typically everyone else).

<+ or -> is a boolean true or false for turning on or off the permission.

<which_access_type> would be {r,w,x} where r is read, w is write, and x
is execute.

So for example, if you wanted to remove the read ability for everyone
except the user and group, you would use:

chmod o-r test-file.txt

You can group them as well, so the following is valid for adding write
ability for the user and group:

chmod ug+w test-file.txt

The a for access level is a shortcut for all three. So to remove all
types ability to execute a file:

chmod a-x test-file.txt

Also, you will probably want to check into man chown for how to change
the user attribute for a specific file or set.

Hope that helps.

Best regards,
Ryan Masters
End Point Corp.