Bug #4930
closed
$prefix/lib/ruby/gems and its subdirs are world writable
Added by sakuro (Sakuro OZAWA) almost 13 years ago.
Updated over 12 years ago.
ruby -v:
ruby 1.9.3dev (2011-06-26 trunk 32231) [x86_64-darwin10.8.0]
[ruby-core:37478]
Description
=begin
$ sudo rm -rf /usr/local/lib/ruby
$ umask
022
$ sudo sh -c umask
0022
$ sudo make install-nodoc
./miniruby -I../lib -I. -I.ext/common ../tool/rbinstall.rb --make="make" --dest-dir="" --extout=".ext" --mflags="" --make-flags="" --data-mode=0644 --prog-mode=0755 --installed-list .installed.list --mantype="doc"
installing binary commands: /usr/local/bin
installing base libraries: /usr/local/lib
installing default gems: /usr/local/lib/ruby/gems/1.9.1 (cache, doc, gems, specifications)
rake 0.9.2
rdoc 3.7
minitest 2.2.2
json 1.5.0
=end
Now let's examine permissions.
=begin
$ ls -l /usr/local/lib/ruby
total 0
drwxr-xr-x 112 root wheel 3808 2011-06-26 18:31 1.9.1
drwxrwxrwx 3 root wheel 102 2011-06-26 18:31 gems
drwxr-xr-x 3 root wheel 102 2011-06-26 18:31 site_ruby
drwxr-xr-x 3 root wheel 102 2011-06-26 18:31 vendor_ruby
$ gfind /usr/local/lib/ruby -type d -perm /022
/usr/local/lib/ruby/gems
/usr/local/lib/ruby/gems/1.9.1
/usr/local/lib/ruby/gems/1.9.1/cache
/usr/local/lib/ruby/gems/1.9.1/doc
/usr/local/lib/ruby/gems/1.9.1/gems
/usr/local/lib/ruby/gems/1.9.1/specifications
=end
I don't think these directories should be writable by anyone.
- Status changed from Open to Assigned
- Assignee set to zenspider (Ryan Davis)
I confirmed this on FreeBSD...
=begin
Patch attached.
Tested on OSX. I'm sorry I don't know how permission stuff works on Windows:)
=end
=begin
Or simply add (({File.umask(022)})) before calling (({Gem.ensure_gem_subdirectories})) in tool/rbinstall.rb.
=end
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r32852.
Sakuro, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- lib/rubygems: Import RubyGems 1.8.7:
Added missing require for gem uninstall --format-executable.
The correct name of the executable being uninstalled is now displayed
with --format-executable.
Fixed `gem unpack uninstalled_gem` default version picker.
RubyGems no longer claims a nonexistent gem can be uninstalled.
`gem which` no longer claims directories are requirable files.
`gem cleanup` continues cleaning up gems if one can't be uninstalled
due to permissions. Issue #82.
Gem repository directories are no longer created world-writable.
Patch by Sakuro OZAWA. [Ruby 1.9 - Bug #4930]
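How the process umask decides the mode of the gem repository directories, together with the `find -type d -perm /022` audit from the report, as an added Ruby example (not code from tool/rbinstall.rb or RubyGems). It assumes the umask is 0 at the moment the directories are created, which is the condition the suggested `File.umask(022)` would correct; `create_gem_dirs`, `loosely_writable_dirs` and `demo` are hypothetical helpers, and the layout is built in a temporary directory.

```ruby
require "fileutils"
require "find"
require "tmpdir"

# Subdirectory names taken from the installer output in the report.
GEM_SUBDIRS = %w[cache doc gems specifications].freeze

# Build a gem-repository-like layout under +root+ with +umask+ in effect.
# No explicit mode is passed, so each directory gets 0777 & ~umask.
# The previous umask is restored afterwards (umask is process-wide).
def create_gem_dirs(root, umask)
  previous = File.umask(umask)
  GEM_SUBDIRS.each do |name|
    FileUtils.mkdir_p(File.join(root, "gems", "1.9.1", name))
  end
ensure
  File.umask(previous) if previous
end

# Equivalent of `find ROOT -type d -perm /022`: directories that are
# writable by group or by others. lstat is used so symlinks are not followed.
def loosely_writable_dirs(root)
  Find.find(root).select do |path|
    st = File.lstat(path)
    st.directory? && (st.mode & 0o022) != 0
  end.sort
end

# Create the layout under a fresh temporary root (mode 0700) and return the
# flagged directories relative to that root.
def demo(umask)
  Dir.mktmpdir do |root|
    create_gem_dirs(root, umask)
    loosely_writable_dirs(root).map { |p| p.delete_prefix(root + "/") }
  end
end

if __FILE__ == $PROGRAM_NAME
  [0o000, 0o022].each do |umask|
    flagged = demo(umask)
    puts format("umask %03o: %d group/world-writable directories", umask, flagged.size)
    flagged.each { |dir| puts "  #{dir}" }
  end
end
```

Pointing `loosely_writable_dirs` at an installed prefix such as the `/usr/local/lib/ruby` tree from the report gives a post-install check that does not depend on GNU find.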