Forum: Ruby rubyscript2exe.rb question

unknown (Guest)
on 2007-03-12 23:32
(Received via mailing list)
anybody seen this:

   jib:ahoward > ruby rubyscript2exe.rb rq q create
   Tracing rq ...
   Gathering files...
   Copying files...
   Stripping...
   Creating rq_linux ...


   jib:ahoward > rq_linux q list
   /tmp/eee.rq_linux.2/bin/ruby: warning: Insecure world writable dir /tmp in LOAD_PATH, mode 041777
   /tmp/eee.rq_linux.2/bin/ruby: loading from unsafe file /tmp/eee.rq_linux.2/bootstrap.rb (SecurityError)


   jib:ahoward > echo $?
   1

workaround?

-a
Erik Veenstra (Guest)
on 2007-03-13 11:49
(Received via mailing list)
> anybody seen this:
>
>    jib:ahoward > rq_linux q list
>    /tmp/eee.rq_linux.2/bin/ruby: warning: Insecure world
>    writable dir /tmp in LOAD_PATH, mode 041777
>    /tmp/eee.rq_linux.2/bin/ruby: loading from unsafe file
>    /tmp/eee.rq_linux.2/bootstrap.rb (SecurityError)
>
>    jib:ahoward > echo $?
>    1

Environment? Versions?

Could you try this (as root):

 $ chmod +t /tmp

> workaround?

Depending on the shell:

 $ mkdir ~/tmp
 $ TEMP=~/tmp rq_linux q list

gegroet,
Erik V. - http://www.erikveen.dds.nl/
Eric I. (Guest)
on 2007-04-13 17:45
(Received via mailing list)
I've experienced this same issue on OS X (10.4.9) using Ruby 1.8.6.
I've been able to verify it's not a problem using Ruby 1.8.2 on OS X
and that it's not a problem on Ruby 1.8.4 using Linux.  And I'm pretty
sure it wasn't an issue with Ruby 1.8.5 under OS X.  So my guess is
that it surrounds a change in Ruby made between 1.8.5 and 1.8.6.

My best guess is that Ruby 1.8.6 does not seem to be taking into
account the sticky bit.

The original message in this thread showed an error message indicating
the permissions were 041777.  My error message reports the same.  And
the "1" would indicate that the sticky bit is set.

I can verify that your workaround of setting TEMP to a
non-world-writeable directory worked.

And is it the case that when running an application created with
rubyscript2exe, that the SAFE level is greater than 0?  Because if it
were 0 my understanding is it should at most generate a warning and
not an error.

Thanks,

Eric
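
Added example (not part of any post in this thread): a Ruby sketch that decodes the 041777 mode from the warning into its directory, sticky and world-writable bits, and lists the world-writable directories at or above a given path. The constant and function names are chosen here for illustration; this is not Ruby's own load-path check.

```ruby
require "tmpdir"

# POSIX st_mode bit masks (standard values, written out for readability).
S_IFMT  = 0o170000  # file-type mask
S_IFDIR = 0o040000  # directory
S_ISVTX = 0o001000  # sticky bit
S_IWOTH = 0o000002  # writable by "others"

# Break a raw st_mode value into the parts the warning refers to.
def decode_mode(mode)
  {
    directory:      (mode & S_IFMT) == S_IFDIR,
    sticky:         (mode & S_ISVTX) != 0,
    world_writable: (mode & S_IWOTH) != 0,
    permissions:    format("%04o", mode & 0o7777)
  }
end

# Walk from `path` up to the filesystem root and report every directory
# that is world-writable, noting whether the sticky bit is set on it.
def world_writable_ancestors(path)
  findings = []
  current = File.expand_path(path)
  loop do
    if File.directory?(current)
      info = decode_mode(File.stat(current).mode)
      findings << { path: current, sticky: info[:sticky] } if info[:world_writable]
    end
    parent = File.dirname(current)
    break if parent == current   # reached the root
    current = parent
  end
  findings
end

if __FILE__ == $0
  # The mode printed in the warning from the first post.
  p decode_mode(0o041777)
  # Audit the directory the current process would use for temporary files.
  world_writable_ancestors(Dir.tmpdir).each do |f|
    puts "#{f[:path]}: world-writable, sticky=#{f[:sticky]}"
  end
end
```
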
Erik Veenstra (Guest)
on 2007-04-13 20:52
(Received via mailing list)
I've addressed this problem in the not-yet-released version.

It doesn't use /tmp anymore, but ~/.eee instead. The Ruby
equivalent is something like this:

 dir    = ENV["HOME"] || ENV["USERPROFILE"] || ENV["TEMP"]
 dir    ||= "c:/"       if windows?
 dir    ||= "/tmp"
 dir    = File.join(dir, "eee")         if windows? or cygwin?
 dir    = File.join(dir, ".eee")        unless windows? or cygwin?

Maybe, just maybe, I'll release it in a couple of days...

gegroet,
Erik V. - http://www.erikveen.dds.nl/
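
Added example (not Erik Veenstra's code and not RubyScript2Exe's implementation): a runnable version of the directory selection sketched in the post above, followed by a check that the chosen directory is private to the user before anything is loaded from it. The definitions of windows? and cygwin?, the function names, and the POSIX owner/mode check are assumptions made here.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical platform helpers; the post uses them without showing them.
def windows?(platform = RUBY_PLATFORM)
  !!(platform =~ /mswin|mingw/i)
end

def cygwin?(platform = RUBY_PLATFORM)
  !!(platform =~ /cygwin/i)
end

# Same precedence as the snippet in the post: HOME, USERPROFILE, TEMP,
# then "c:/" on Windows, then "/tmp". env and platform are injectable
# so the selection can be exercised without touching the real environment.
def extraction_base(env = ENV, platform = RUBY_PLATFORM)
  dir = env["HOME"] || env["USERPROFILE"] || env["TEMP"]
  dir ||= "c:/" if windows?(platform)
  dir ||= "/tmp"
  name = (windows?(platform) || cygwin?(platform)) ? "eee" : ".eee"
  File.join(dir, name)
end

# Create the directory with mode 0700 and refuse to use it if it already
# exists as something else, belongs to another user, or is writable by
# group or others (POSIX semantics assumed).
def prepare_private_dir(dir)
  FileUtils.mkdir_p(dir, mode: 0o700)
  st = File.lstat(dir)   # lstat: a symlink planted at this path is rejected
  raise SecurityError, "#{dir} is not a directory" unless st.directory?
  raise SecurityError, "#{dir} is not owned by this user" unless st.uid == Process.euid
  if (st.mode & 0o022) != 0
    raise SecurityError,
          format("%s is group/world writable (mode %04o)", dir, st.mode & 0o7777)
  end
  dir
end

if __FILE__ == $0
  # Show the selection only; nothing is created in the real home directory.
  puts "extraction directory would be: #{extraction_base}"
  Dir.mktmpdir do |sandbox|
    puts "verified: #{prepare_private_dir(File.join(sandbox, '.eee'))}"
  end
end
```
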
Eric I. (Guest)
on 2007-04-13 21:35
(Received via mailing list)
On Apr 13, 2:51 pm, "Erik Veenstra" <erikv...@gmail.com> wrote:
> I've addressed this problem in the not-yet-released version.
>
> It doesn't use /tmp anymore, but ~/.eee instead. The Ruby
> equivalent is something like this:
>
>  dir    = ENV["HOME"] || ENV["USERPROFILE"] || ENV["TEMP"]
>  dir    ||= "c:/"       if windows?
>  dir    ||= "/tmp"
>  dir    = File.join(dir, "eee")         if windows? or cygwin?
>  dir    = File.join(dir, ".eee")        unless windows? or cygwin?

Wow, the ugliness of the real world raises its head, doesn't it?
Thanks for rubyscript2exe and for handling this.

I guess I'm still uncertain what the difficulty is with a sticky,
world-writeable directory on the load path.  Perhaps there's a
subtlety I don't understand.  But once the file is created, only the
owner can remove or rename the file (due to the sticky bit), and if
the file's permissions are otherwise set correctly, no one other than
the owner could alter it.  So where exactly is the vector through
which someone could do some evil?

Eric
Erik Veenstra (Guest)
on 2007-04-13 23:13
(Received via mailing list)
> Wow, the ugliness of the real world raises its head, doesn't
> it? Thanks for rubyscript2exe and for handling this.

"In theory, there's no difference between theory and practice.
In practice, there is."

> I guess I'm still uncertain what the difficulty is with a
> sticky, world-writeable directory on the load path. Perhaps
> there's a subtlety I don't understand. But once the file is
> created, only the owner can remove or rename the file (due to
> the sticky bit), and if the file's permissions are otherwise
> set correctly, no one other than the owner could alter it. So
> where exactly is the vector through which someone could do
> some evil?

I really don't know. It's a Ruby thing. Maybe Matz has the
answer. AFAIR, he changed his mind on this topic, several
times... :}

> And is it the case that when running an application created
> with rubyscript2exe, that the SAFE level is greater than 0?
> Because if it were 0 my understanding is it should at most
> generate a warning and not an error.

RubyScript2Exe doesn't change the SAFE mode of your application.

gegroet,
Erik V. - http://www.erikveen.dds.nl/
Erik Veenstra (Guest)
on 2007-04-15 23:30
(Received via mailing list)
> I've addressed this problem in the not-yet-released version.
>
> Maybe, just maybe, I'll release it in a couple of days...

It's released:
http://www.erikveen.dds.nl/rubyscript2exe/index.html

gegroet,
Erik V. - http://www.erikveen.dds.nl/