Forum: Ruby Insecure word writable dir?

Posted by Joe Van Dyk (Guest)
on 2006-08-31 22:19
(Received via mailing list)
When I exec another program from inside Ruby, I get this warning:
"warning: Insecure world writable dir /tmp, mode 041777"

Here's /tmp
drwxrwxrwt   17 root     root         4096 Aug 31 13:16 /tmp/

Any ideas?  It's sort of annoying.  I thought /tmp had to be world 
writable.

Joe
Posted by unknown (Guest)
on 2006-08-31 22:33
(Received via mailing list)
On Fri, 1 Sep 2006, Joe Van Dyk wrote:

> When I exec another program from inside Ruby, I get this warning:
> "warning: Insecure world writable dir /tmp, mode 041777"
>
> Here's /tmp
> drwxrwxrwt   17 root     root         4096 Aug 31 13:16 /tmp/
>
> Any ideas?  It's sort of annoying.  I thought /tmp had to be world writable.
>
> Joe

it's very annoying.

$VERBOSE=nil

-a
Posted by Yukihiro Matsumoto (Guest)
on 2006-09-01 03:19
(Received via mailing list)
Hi,

In message "Re: Insecure word writable dir?"
    on Fri, 1 Sep 2006 05:18:32 +0900, "Joe Van Dyk" 
<joevandyk@gmail.com> writes:

|When I exec another program from inside Ruby, I get this warning:
|"warning: Insecure world writable dir /tmp, mode 041777"
|
|Here's /tmp
|drwxrwxrwt   17 root     root         4096 Aug 31 13:16 /tmp/
|
|Any ideas?  It's sort of annoying.  I thought /tmp had to be world writable.

That means you have world writable directory in your load path ($PATH)
when you call external program (probably by using "system").  If you
know what you are doing, you can shut the warning up by

$VERBOSE=nil

as Ara told in [ruby-talk:211832].

							matz.
Posted by Eric Hodel (Guest)
on 2006-09-01 07:12
(Received via mailing list)
On Aug 31, 2006, at 6:17 PM, Yukihiro Matsumoto wrote:

> |Any ideas?  It's sort of annoying.  I thought /tmp had to be world  
> writable.
>
> That means you have world writable directory in your load path ($PATH)
> when you call external program (probably by using "system").  If you
> know what you are doing, you can shut the warning up by
>
> $VERBOSE=nil
>
> as Ara told in [ruby-talk:211832].

Index: file.c
===================================================================
RCS file: /src/ruby/file.c,v
retrieving revision 1.246
diff -p -u -r1.246 file.c
--- file.c      31 Aug 2006 11:24:44 -0000      1.246
+++ file.c      1 Sep 2006 05:09:38 -0000
@@ -4073,7 +4073,7 @@ path_check_0(VALUE path, int loadpath)
             && (loadpath || !(st.st_mode & S_ISVTX))
#endif
             && !access(p0, W_OK)) {
-           rb_warn("Insecure world writable dir %s, mode 0%o", p0,
st.st_mode);
+           rb_warn("Insecure world writable dir %s, mode 0%o in
$LOAD_PATH", p0, st.st_mode);
             if (p) *p = '/';
             return 0;
         }
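Review bot: the added "in $LOAD_PATH" suffix is unconditional, but the condition above it, `(loadpath || !(st.st_mode & S_ISVTX))`, shows that path_check_0 also runs with `loadpath` false, so the message would name $LOAD_PATH for directories that were not checked as load-path entries. Pick the label from the `loadpath` argument instead of hard-coding it.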


--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
Posted by Yukihiro Matsumoto (Guest)
on 2006-09-01 11:39
(Received via mailing list)
Hi,

In message "Re: Insecure word writable dir?"
    on Fri, 1 Sep 2006 14:11:45 +0900, Eric Hodel <drbrain@segment7.net> 
writes:

|-           rb_warn("Insecure world writable dir %s, mode 0%o", p0, st.st_mode);
|
|+           rb_warn("Insecure world writable dir %s, mode 0%o in $LOAD_PATH", p0, st.st_mode);

It's better, but this warning can be caused by both $PATH and
$LOAD_PATH, and currently has no clue to distinguish in this function.

							matz.
Posted by unknown (Guest)
on 2006-09-02 08:56
(Received via mailing list)
Hi,

At Fri, 1 Sep 2006 17:15:49 +0900,
Yukihiro Matsumoto wrote in [ruby-talk:211948]:
> It's better, but this warning can be caused by both $PATH and
> $LOAD_PATH, and currently has no clue to distinguish in this function.

I guess fpath_check() to be check for LOAD_PATH but not for
PATH.  Though I'm not sure rb_loadpath_check() is really
necessary, when the required file is found in safe path.


Index: file.c
===================================================================
RCS file: /cvs/ruby/src/ruby/file.c,v
retrieving revision 1.246
diff -p -u -2 -r1.246 file.c
--- file.c	31 Aug 2006 11:24:44 -0000	1.246
+++ file.c	2 Sep 2006 06:51:28 -0000
@@ -4074,5 +4074,6 @@ path_check_0(VALUE path, int loadpath)
 #endif
 	    && !access(p0, W_OK)) {
-	    rb_warn("Insecure world writable dir %s, mode 0%o", p0, 
st.st_mode);
+	    rb_warn("Insecure world writable dir %s, mode 0%o in %s",
+		    p0, st.st_mode, loadpath ? "$LOAD_PATH" : "PATH");
 	    if (p) *p = '/';
 	    return 0;
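Review bot: in the new rb_warn call the two labels are inconsistent ("$LOAD_PATH" with a sigil, "PATH" without), and st.st_mode is still printed unmasked, which is why the warning quoted in this thread reads 041777 for a drwxrwxrwt directory. Use "$PATH" or drop both sigils, and consider printing `st.st_mode & 07777` so the message shows only the permission bits.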
@@ -4091,5 +4092,5 @@ fpath_check(const char *path)
 {
 #ifndef DOSISH
-    return path_check_0(rb_str_new2(path), Qfalse);
+    return path_check_0(rb_str_new2(path), Qtrue);
 #else
     return 1;
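Review bot: changing the argument in fpath_check from Qfalse to Qtrue alters more than the label in the warning. In the condition shown in the earlier patch, `(loadpath || !(st.st_mode & S_ISVTX))`, a true `loadpath` skips the sticky-bit exemption, so fpath_check now rejects sticky world-writable directories as well. State that in the commit message or in a comment above fpath_check.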
@@ -4097,6 +4098,6 @@ fpath_check(const char *path)
 }

-int
-rb_path_check(const char *path)
+static int
+rb_pathlist_check(const char *path, int loadpath)
 {
 #ifndef DOSISH
@@ -4112,5 +4113,5 @@ rb_path_check(const char *path)

     for (;;) {
-	if (!path_check_0(rb_str_new(p0, p - p0), Qtrue)) {
+	if (!path_check_0(rb_str_new(p0, p - p0), loadpath)) {
 	    return 0;		/* not safe */
 	}
@@ -4124,4 +4125,16 @@ rb_path_check(const char *path)
 }

+int
+rb_path_check(const char *path)
+{
+    return rb_pathlist_check(path, Qfalse);
+}
+
+int
+rb_loadpath_check(const char *path)
+{
+    return rb_pathlist_check(path, Qtrue);
+}
+
 #if defined(__MACOS__) || defined(riscos)
 static int
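Review bot: rb_path_check now forwards Qfalse, whereas the loop it replaces passed Qtrue to path_check_0, so existing callers of rb_path_check get the more lenient check without any comment saying so. Add a short comment above rb_path_check and rb_loadpath_check describing which list each one is meant for, and pass plain 0/1 since the `loadpath` parameter is declared int.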
@@ -4203,6 +4216,8 @@ rb_find_file(VALUE path)

     if (f[0] == '~') {
+	volatile VALUE prevent_from_gc = path;
 	path = rb_file_expand_path(path, Qnil);
 	if (rb_safe_level() >= 1 && OBJ_TAINTED(path)) {
+	    (void)prevent_from_gc;
 	    rb_raise(rb_eSecurityError, "loading from unsafe path %s", f);
 	}
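Review bot: the `prevent_from_gc` guard in rb_find_file is unrelated to the warning text and carries no comment on what it protects. Since `f` is still used in the rb_raise call after `path` has been reassigned, add a comment saying the original string must stay alive for `f`, and consider sending this as a separate patch.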
@@ -4249,7 +4264,9 @@ rb_find_file(VALUE path)
 	else {
 	    lpath = RSTRING_PTR(tmp);
-	    if (rb_safe_level() >= 1 && !rb_path_check(lpath)) {
+#if 0
+	    if (rb_safe_level() >= 1 && !rb_loadpath_check(lpath)) {
 		rb_raise(rb_eSecurityError, "loading from unsafe path %s", lpath);
 	    }
+#endif
 	}
     }
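Review bot: wrapping the `rb_safe_level() >= 1` test in `#if 0` removes the SecurityError for unsafe load-path entries in this branch altogether, and leaves the new rb_loadpath_check without a caller in this patch. If the check is judged unnecessary, delete it and explain why in the commit message; otherwise keep it enabled rather than leaving dead code behind.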
Index: intern.h
===================================================================
RCS file: /cvs/ruby/src/ruby/intern.h,v
retrieving revision 1.199
diff -p -u -2 -r1.199 intern.h
--- intern.h	31 Aug 2006 08:24:36 -0000	1.199
+++ intern.h	2 Sep 2006 06:48:03 -0000
@@ -326,4 +326,5 @@ VALUE rb_hash_delete_if(VALUE);
 VALUE rb_hash_delete(VALUE,VALUE);
 int rb_path_check(const char*);
+int rb_loadpath_check(const char*);
 int rb_env_path_tainted(void);
 /* io.c */
Posted by Ryan Davis (Guest)
on 2006-09-06 21:20
(Received via mailing list)
On Aug 31, 2006, at 6:17 PM, Yukihiro Matsumoto wrote:

> That means you have world writable directory in your load path ($PATH)
> when you call external program (probably by using "system").  If you
> know what you are doing, you can shut the warning up by
>
> $VERBOSE=nil

I _like_ $VERBOSE and run it with everything but rails (because:
ugh). That said, on my mac mini, where all user directories are on a
separate disk, I get this warning constantly because of the
automounter directory /Volumes

% pwd
/Volumes/Users/ryan/
% ls -lad /Volumes/
drwxrwxrwt   6 root  admin  204 Aug 27 20:44 /Volumes/
% cd /tmp; ruby -we '`/bin/ls`'
-e:1: warning: Insecure world writable dir /Volumes, mode 041777

this is because my PATH has /Volumes/Users/ryan/Bin but as you can
see above, the warning is irrelevant to the actual code being
executed, my pwd, or much of anything else. :/

$VERBOSE is valuable, very valuable... could we perhaps move this
warning to $DEBUG or only if $SAFE is set or something?
Posted by unknown (Guest)
on 2006-09-06 22:21
(Received via mailing list)
On Thu, 7 Sep 2006, Ryan Davis wrote:

> said, on my mac mini, where all user directories are on a separate disk, I 
> the warning is irrelevant to the actual code being executed, my pwd, or much 
> of anything else. :/
>
> $VERBOSE is valuable, very valuable... could we perhaps move this warning to 
> $DEBUG or only if $SAFE is set or something?

i second that.  it's the only reason i don't use $VERBOSE too.

-a
Posted by Yukihiro Matsumoto (Guest)
on 2006-09-07 01:09
(Received via mailing list)
Hi,

In message "Re: Insecure word writable dir?"
    on Thu, 7 Sep 2006 05:18:34 +0900, ara.t.howard@noaa.gov writes:

|> $VERBOSE is valuable, very valuable... could we perhaps move this warning to 
|> $DEBUG or only if $SAFE is set or something?
|
|i second that.  it's the only reason i don't use $VERBOSE too.

We've changed the condition.  World writable parent directories would
not cause warnings if they have sticky bits set.  I am not sure if it
works on Windows as well.

							matz.
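The check discussed in this thread, as an added example (not code from any poster or from Ruby's file.c): it walks each PATH entry and its parent directories and reports the world-writable ones, with the sticky-bit exemption described above selectable through a hypothetical `strict` flag. The function names and the sample directory tree are constructed for illustration.

```ruby
require "tmpdir"

S_IWOTH = 0o002   # "other" write permission bit
S_ISVTX = 0o1000  # sticky bit

# Walk every entry of a PATH-style list and all of its parent directories.
# Returns { dir => permission bits } for each world-writable directory.
# strict: false accepts sticky directories such as /tmp; strict: true flags them.
def insecure_path_dirs(path_list, strict: false)
  findings = {}
  path_list.split(File::PATH_SEPARATOR).reject(&:empty?).each do |entry|
    dir = File.expand_path(entry)
    loop do
      begin
        mode = File.stat(dir).mode & 0o7777
        writable = (mode & S_IWOTH) != 0
        sticky   = (mode & S_ISVTX) != 0
        findings[dir] = mode if writable && (strict || !sticky)
      rescue SystemCallError
        # Missing or unreadable component: nothing to report for it.
      end
      parent = File.dirname(dir)
      break if parent == dir   # reached the filesystem root
      dir = parent
    end
  end
  findings
end

# Constructed sample tree: <tmp>/open (0777) and <tmp>/sticky (01777),
# each holding a bin/ directory that is placed on a sample PATH.
def demo
  Dir.mktmpdir do |root|
    open_dir, sticky_dir = %w[open sticky].map { |n| File.join(root, n) }
    bins = [open_dir, sticky_dir].map do |d|
      Dir.mkdir(d)
      File.join(d, "bin").tap { |b| Dir.mkdir(b, 0o755) }
    end
    File.chmod(0o777, open_dir)    # chmod afterwards so umask cannot interfere
    File.chmod(0o1777, sticky_dir)
    path = bins.join(File::PATH_SEPARATOR)
    { open_dir: open_dir, sticky_dir: sticky_dir,
      lenient: insecure_path_dirs(path),
      strict:  insecure_path_dirs(path, strict: true) }
  end
end

if __FILE__ == $0
  demo[:lenient].each { |dir, mode| puts format("world writable: %s, mode 0%o", dir, mode) }
end
```

Passing `ENV["PATH"]` to `insecure_path_dirs` audits the current environment; the masked mode shows permission bits only, unlike the `041777` in the warning quoted in the thread.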
Posted by Nobuyoshi Nakada (Guest)
on 2006-09-07 07:15
(Received via mailing list)
Hi,

At Thu, 7 Sep 2006 08:08:29 +0900,
Yukihiro Matsumoto wrote in [ruby-talk:213041]:
> We've changed the condition.  World writable parent directories would
> not cause warnings if they have sticky bits set.  I am not sure if it
> works on Windows as well.

The check is disabled on Windows.

I guess it should be disabled on Cygwin too.


Index: file.c
===================================================================
RCS file: /home/K8052/cvs/ruby/file.c,v
retrieving revision 1.248
diff -U 2 -p -u -r1.248 file.c
--- file.c	4 Sep 2006 20:49:52 -0000	1.248
+++ file.c	5 Sep 2006 08:43:05 -0000
@@ -4045,5 +4045,13 @@ is_absolute_path(const char *path)
 }

-#ifndef DOSISH
+#ifndef ENABLE_PATH_CHECK
+# if defined DOSISH || defined __CYGWIN__
+#   define ENABLE_PATH_CHECK 0
+# else
+#   define ENABLE_PATH_CHECK 1
+# endif
+#endif
+
+#if ENABLE_PATH_CHECK
 static int
 path_check_0(VALUE path, int execpath)
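Review bot: the `#ifndef ENABLE_PATH_CHECK` guard makes the macro overridable at build time, but nothing documents it or what a value of 0 implies. Add a comment above the block noting that with ENABLE_PATH_CHECK set to 0 the path checks are compiled out, and why Cygwin is grouped with DOSISH.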
@@ -4090,5 +4098,5 @@ static int
 fpath_check(const char *path)
 {
-#ifndef DOSISH
+#if ENABLE_PATH_CHECK
     return path_check_0(rb_str_new2(path), Qfalse);
 #else
@@ -4100,5 +4108,5 @@ int
 rb_path_check(const char *path)
 {
-#ifndef DOSISH
+#if ENABLE_PATH_CHECK
     const char *p0, *p, *pend;
     const char sep = PATH_SEP_CHAR;
Posted by Yukihiro Matsumoto (Guest)
on 2006-09-07 09:58
(Received via mailing list)
Hi,

In message "Re: Insecure word writable dir?"
    on Thu, 7 Sep 2006 14:14:38 +0900, "Nobuyoshi Nakada" 
<nobu@ruby-lang.org> writes:

|The check is disabled on Windows.
|
|I guess it should be disabled on Cygwin too.

Please commit.

							matz.