When I exec another program from inside Ruby, I get this warning:
“warning: Insecure world writable dir /tmp, mode 041777”
Here’s /tmp
drwxrwxrwt 17 root root 4096 Aug 31 13:16 /tmp/
Any ideas? It’s sort of annoying. I thought /tmp had to be world
writable.
Joe
On Fri, 1 Sep 2006, Joe Van D. wrote:
When I exec another program from inside Ruby, I get this warning:
“warning: Insecure world writable dir /tmp, mode 041777”Here’s /tmp
drwxrwxrwt 17 root root 4096 Aug 31 13:16 /tmp/Any ideas? It’s sort of annoying. I thought /tmp had to be world writable.
Joe
it’s very annoying.
$VERBOSE=nil
-a
Hi,
In message “Re: Insecure word writable dir?”
on Fri, 1 Sep 2006 05:18:32 +0900, “Joe Van D.”
[email protected] writes:
|When I exec another program from inside Ruby, I get this warning:
|“warning: Insecure world writable dir /tmp, mode 041777”
|
|Here’s /tmp
|drwxrwxrwt 17 root root 4096 Aug 31 13:16 /tmp/
|
|Any ideas? It’s sort of annoying. I thought /tmp had to be world writable.
That means you have world writable directory in your load path ($PATH)
when you call external program (probably by using “system”). If you
know what you are doing, you can shut the warning up by
$VERBOSE=nil
as Ara told in [ruby-talk:211832].
matz.
On Aug 31, 2006, at 6:17 PM, Yukihiro M. wrote:
|Any ideas? It’s sort of annoying. I thought /tmp had to be world
writable.That means you have world writable directory in your load path ($PATH)
when you call external program (probably by using “system”). If you
know what you are doing, you can shut the warning up by$VERBOSE=nil
as Ara told in [ruby-talk:211832].
RCS file: /src/ruby/file.c,v
retrieving revision 1.246
diff -p -u -r1.246 file.c
— file.c 31 Aug 2006 11:24:44 -0000 1.246
+++ file.c 1 Sep 2006 05:09:38 -0000
@@ -4073,7 +4073,7 @@ path_check_0(VALUE path, int loadpath)
&& (loadpath || !(st.st_mode & S_ISVTX))
#endif
&& !access(p0, W_OK)) {
rb_warn("Insecure world writable dir %s, mode 0%o", p0,
st.st_mode);
rb_warn("Insecure world writable dir %s, mode 0%o in
$LOAD_PATH", p0, st.st_mode);
if (p) *p = ‘/’;
return 0;
}
–
Eric H. - [email protected] - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
Hi,
In message “Re: Insecure word writable dir?”
on Fri, 1 Sep 2006 14:11:45 +0900, Eric H. [email protected]
writes:
|- rb_warn(“Insecure world writable dir %s, mode 0%o”, p0, st.st_mode);
|
|+ rb_warn(“Insecure world writable dir %s, mode 0%o in $LOAD_PATH”, p0, st.st_mode);
It’s better, but this warning can be caused by both $PATH and
$LOAD_PATH, and currently has no clue to distinguish in this function.
matz.
Hi,
At Fri, 1 Sep 2006 17:15:49 +0900,
Yukihiro M. wrote in [ruby-talk:211948]:
It’s better, but this warning can be caused by both $PATH and
$LOAD_PATH, and currently has no clue to distinguish in this function.
I guess fpath_check() to be check for LOAD_PATH but not for
PATH. Though I’ not sure rb_loadpath_check() is really
necessary, when the required file is found in safe path.
RCS file: /cvs/ruby/src/ruby/file.c,v
retrieving revision 1.246
diff -p -u -2 -r1.246 file.c
— file.c 31 Aug 2006 11:24:44 -0000 1.246
+++ file.c 2 Sep 2006 06:51:28 -0000
@@ -4074,5 +4074,6 @@ path_check_0(VALUE path, int loadpath)
#endif
&& !access(p0, W_OK)) {
rb_warn("Insecure world writable dir %s, mode 0%o", p0,
st.st_mode);
rb_warn("Insecure world writable dir %s, mode 0%o in %s",
p0, st.st_mode, loadpath ? "$LOAD_PATH" : "PATH");
if (p) *p = '/';
return 0;
@@ -4091,5 +4092,5 @@ fpath_check(const char *path)
{
#ifndef DOSISH
-int
-rb_path_check(const char *path)
+static int
+rb_pathlist_check(const char *path, int loadpath)
{
#ifndef DOSISH
@@ -4112,5 +4113,5 @@ rb_path_check(const char *path)
for (;;) {
+int
+rb_path_check(const char *path)
+{
+int
+rb_loadpath_check(const char *path)
+{
#if defined(MACOS) || defined(riscos)
static int
@@ -4203,6 +4216,8 @@ rb_find_file(VALUE path)
if (f[0] == '~') {
(void)prevent_from_gc;
rb_raise(rb_eSecurityError, "loading from unsafe path %s", f);
if (rb_safe_level() >= 1 && !rb_path_check(lpath)) {
+#if 0
if (rb_safe_level() >= 1 && !rb_loadpath_check(lpath)) {
rb_raise(rb_eSecurityError, "loading from unsafe path %s", lpath);
}
RCS file: /cvs/ruby/src/ruby/intern.h,v
retrieving revision 1.199
diff -p -u -2 -r1.199 intern.h
— intern.h 31 Aug 2006 08:24:36 -0000 1.199
+++ intern.h 2 Sep 2006 06:48:03 -0000
@@ -326,4 +326,5 @@ VALUE rb_hash_delete_if(VALUE);
VALUE rb_hash_delete(VALUE,VALUE);
int rb_path_check(const char*);
+int rb_loadpath_check(const char*);
int rb_env_path_tainted(void);
/* io.c */
On Thu, 7 Sep 2006, Ryan D. wrote:
said, on my mac mini, where all user directories are on a separate disk, I
the warning is irrelevant to the actual code being executed, my pwd, or much
of anything else.$VERBOSE is valuable, very valuable… could we perhaps move this warning to
$DEBUG or only if $SAFE is set or something?
i second that. it’s the only reason i don’t use $VERBOSE too.
-a
Hi,
In message “Re: Insecure word writable dir?”
on Thu, 7 Sep 2006 05:18:34 +0900, [email protected] writes:
|> $VERBOSE is valuable, very valuable… could we perhaps move this warning to
|> $DEBUG or only if $SAFE is set or something?
|
|i second that. it’s the only reason i don’t use $VERBOSE too.
We’ve changed the condition. World writable parent directories would
not cause warnings if they have sticky bits set. I am not sure if it
works on Windows as well.
matz.On Aug 31, 2006, at 6:17 PM, Yukihiro M. wrote:
That means you have world writable directory in your load path ($PATH)
when you call external program (probably by using “system”). If you
know what you are doing, you can shut the warning up by$VERBOSE=nil
I like $VERBOSE and run it with everything but rails (because:
ugh). That said, on my mac mini, where all user directories are on a
separate disk, I get this warning constantly because of the
automounter directory /Volumes
% pwd
/Volumes/Users/ryan/
% ls -lad /Volumes/
drwxrwxrwt 6 root admin 204 Aug 27 20:44 /Volumes/
% cd /tmp; ruby -we ‘/bin/ls’
-e:1: warning: Insecure world writable dir /Volumes, mode 041777
this is because my PATH has /Volumes/Users/ryan/Bin but as you can
see above, the warning is irrelevant to the actual code being
executed, my pwd, or much of anything else. 
$VERBOSE is valuable, very valuable… could we perhaps move this
warning to $DEBUG or only if $SAFE is set or something?
Hi,
In message “Re: Insecure word writable dir?”
on Thu, 7 Sep 2006 14:14:38 +0900, “Nobuyoshi N.”
[email protected] writes:
|The check is disabled on Windows.
|
|I guess it should be disabled on Cygwin too.
Please commit.
matz.
Hi,
At Thu, 7 Sep 2006 08:08:29 +0900,
Yukihiro M. wrote in [ruby-talk:213041]:
We’ve changed the condition. World writable parent directories would
not cause warnings if they have sticky bits set. I am not sure if it
works on Windows as well.
The check is disabled on Windows.
I guess it should be disabled on Cygwin too.
RCS file: /home/K8052/cvs/ruby/file.c,v
retrieving revision 1.248
diff -U 2 -p -u -r1.248 file.c
— file.c 4 Sep 2006 20:49:52 -0000 1.248
+++ file.c 5 Sep 2006 08:43:05 -0000
@@ -4045,5 +4045,13 @@ is_absolute_path(const char *path)
}
-#ifndef DOSISH
+#ifndef ENABLE_PATH_CHECK
+# if defined DOSISH || defined CYGWIN
+# define ENABLE_PATH_CHECK 0
+# else
+# define ENABLE_PATH_CHECK 1
+# endif
+#endif
+
+#if ENABLE_PATH_CHECK
static int
path_check_0(VALUE path, int execpath)
@@ -4090,5 +4098,5 @@ static int
fpath_check(const char *path)
{
-#ifndef DOSISH
+#if ENABLE_PATH_CHECK
return path_check_0(rb_str_new2(path), Qfalse);
#else
@@ -4100,5 +4108,5 @@ int
rb_path_check(const char *path)
{
-#ifndef DOSISH
+#if ENABLE_PATH_CHECK
const char *p0, *p, *pend;
const char sep = PATH_SEP_CHAR;
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs