Bug #4930

closed

$prefix/lib/ruby/gems and its subdirs are world writable

Added by sakuro (Sakuro OZAWA) almost 13 years ago. Updated over 12 years ago.

Status:
Closed
Target version:
-
ruby -v:
ruby 1.9.3dev (2011-06-26 trunk 32231) [x86_64-darwin10.8.0]
Backport:
[ruby-core:37478]

Description

=begin
$ sudo rm -rf /usr/local/lib/ruby
$ umask
022
$ sudo sh -c umask
0022
$ sudo make install-nodoc
./miniruby -I../lib -I. -I.ext/common ../tool/rbinstall.rb --make="make" --dest-dir="" --extout=".ext" --mflags="" --make-flags="" --data-mode=0644 --prog-mode=0755 --installed-list .installed.list --mantype="doc"
installing binary commands: /usr/local/bin
installing base libraries: /usr/local/lib

installing default gems: /usr/local/lib/ruby/gems/1.9.1 (cache, doc, gems, specifications)
rake 0.9.2
rdoc 3.7
minitest 2.2.2
json 1.5.0
=end

Now let's examine permissions.

=begin
$ ls -l /usr/local/lib/ruby
total 0
drwxr-xr-x 112 root wheel 3808 2011-06-26 18:31 1.9.1
drwxrwxrwx 3 root wheel 102 2011-06-26 18:31 gems
drwxr-xr-x 3 root wheel 102 2011-06-26 18:31 site_ruby
drwxr-xr-x 3 root wheel 102 2011-06-26 18:31 vendor_ruby
$ gfind /usr/local/lib/ruby -type d -perm /022
/usr/local/lib/ruby/gems
/usr/local/lib/ruby/gems/1.9.1
/usr/local/lib/ruby/gems/1.9.1/cache
/usr/local/lib/ruby/gems/1.9.1/doc
/usr/local/lib/ruby/gems/1.9.1/gems
/usr/local/lib/ruby/gems/1.9.1/specifications
=end

I don't think these directories should be writable by anyone.


Files

issue4930.patch (1.38 KB): add go+w flags(022) to the file creation mask. sakuro (Sakuro OZAWA), 06/27/2011 01:31 AM

Updated by naruse (Yui NARUSE) almost 13 years ago

  • Status changed from Open to Assigned
  • Assignee set to zenspider (Ryan Davis)

Updated by naruse (Yui NARUSE) almost 13 years ago

I confirmed this on FreeBSD...

Updated by sakuro (Sakuro OZAWA) almost 13 years ago

=begin
Patch attached.

Tested on OSX. I'm sorry I don't know how permission stuff works on Windows:)
=end

Updated by sakuro (Sakuro OZAWA) almost 13 years ago

=begin
Or simply add (({File.umask(022)})) before calling (({Gem.ensure_gem_subdirectories})) in tool/rbinstall.rb.
=end
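
The effect of the file creation mask discussed in this thread, as an added example that is not part of the ticket, the attached patch or tool/rbinstall.rb: it creates the gem subdirectories named in the install log inside a temporary directory, once under a cleared mask and once under 022, and lists group- or other-writable directories the way `gfind -type d -perm /022` does. The helper names (`make_gem_tree`, `loose_dirs`, `audit_under_mask`) are hypothetical, and the cleared mask (0) is an assumption used to reproduce the symptom on a POSIX system.

```ruby
require "fileutils"
require "find"
require "tmpdir"

# Subdirectory names taken from the install log on this page.
GEM_SUBDIRS = %w[cache doc gems specifications].freeze

# Create a gem-repository-like tree under +root+ while the process umask is
# +mask+, then restore the previous umask. No explicit mode is passed to
# mkdir_p, so each directory is created as 0777 & ~mask.
def make_gem_tree(root, mask)
  previous = File.umask(mask)
  GEM_SUBDIRS.each do |dir|
    FileUtils.mkdir_p(File.join(root, "gems", "1.9.1", dir))
  end
ensure
  File.umask(previous) if previous
end

# Directories under +root+ that are writable by group or others,
# equivalent to `find root -type d -perm /022`.
def loose_dirs(root)
  Find.find(root).select do |path|
    st = File.lstat(path)
    st.directory? && (st.mode & 0o022) != 0
  end.sort
end

# Build the tree in a throwaway directory under +mask+ and return the
# offending directories as paths relative to that directory.
def audit_under_mask(mask)
  Dir.mktmpdir do |tmp|
    make_gem_tree(File.join(tmp, "ruby"), mask)
    loose_dirs(tmp).map { |path| path.delete_prefix(tmp + "/") }
  end
end

if __FILE__ == $0
  puts "umask 000: #{audit_under_mask(0).inspect}"
  puts "umask 022: #{audit_under_mask(0o022).inspect}"
end
```
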

Updated by drbrain (Eric Hodel) over 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r32852.
Sakuro, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • lib/rubygems: Import RubyGems 1.8.7:
    Added missing require for gem uninstall --format-executable.

    The correct name of the executable being uninstalled is now displayed
    with --format-executable.
    
    Fixed `gem unpack uninstalled_gem` default version picker.
    
    RubyGems no longer claims a nonexistent gem can be uninstalled.
    
    `gem which` no longer claims directories are requirable files.
    
    `gem cleanup` continues cleaning up gems if one can't be uninstalled
    due to permissions.  Issue #82.
    
    Gem repository directories are no longer created world-writable.
    Patch by Sakuro OZAWA.  [Ruby 1.9 - Bug #4930]
    