Ruby (on all Unixes, including Cygwin) warns if you try to run an external 
program and your $PATH contains a world-writable directory. It doesn't just 
check the directories on $PATH: it checks each of their parents, too, because 
if /usr/local (say) is world-writeable, /usr/local/bin is subverted as easily 
as if it were writeable itself.
 
Cygwin seems to ship with various directories world-writable, so you get 
warnings if you run a Ruby script that runs external programs:
 
ehughes:~$ uname -a
CYGWIN_NT-5.0 ehughes 1.5.18(0.132/4/2) 2005-07-02 20:30 i686 unknown unknown Cygwin
ehughes:~$ ruby -e 'system("echo")'
-e:1: warning: Insecure world writable dir /usr/local/bin, mode 040777
 
ehughes:~$ ruby -e '`echo`'
-e:1: warning: Insecure world writable dir /usr/local/bin, mode 040777
ehughes:~$ 

I installed Cygwin for all users, in case that's relevant.
 
The obvious work-around is to remove "other" write permission from the relevant 
directories:
 
chmod o-w /usr/local/bin
chmod o-w /usr/local
chmod o-w /usr
chmod o-w /etc # My company's default $PATH includes /etc on OSes where /sbin doesn't exist, such as SunOS.
chmod o-w /usr/sbin
chmod o-w /usr/bin
chmod o-w /usr/X11R6/bin
chmod o-w /usr/X11R6
chmod o-w /cygdrive/c
 
then Ruby's happy:
 
ehughes:~$ ruby -e '`echo`'
ehughes:~$
 
I couldn't find anything about this on the list archive, and Google mainly 
turns up matches in Japanese, plus one match I'm partly responsible for, giving 
the above work-around.
 
Is there a better way to solve this problem?
 
 --elliott
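
Added example, not part of the original post and not Ruby's own implementation: a small audit script that applies the check described above (every $PATH directory plus each of its parents) and lists all world-writable directories in one pass, so they can be reviewed before any chmod. The names with_ancestors, world_writable_dirs and report are hypothetical.

```ruby
# Added example: list every world-writable directory on $PATH, including
# parents, as the post describes. This approximates the check; it is not
# a copy of the interpreter's logic.

WORLD_WRITABLE = 0o002   # "other" write bit
STICKY         = 0o1000  # sticky bit, normal on shared dirs such as /tmp

# Return the directory and each of its ancestors, up to the root.
def with_ancestors(dir)
  path = File.expand_path(dir)
  chain = []
  loop do
    chain << path
    parent = File.dirname(path)
    break if parent == path # reached the root
    path = parent
  end
  chain
end

# Return { directory => mode } for each world-writable directory found.
# Empty $PATH entries (which mean the current directory) are skipped here.
def world_writable_dirs(path_var)
  found = {}
  path_var.split(File::PATH_SEPARATOR).reject(&:empty?).each do |entry|
    with_ancestors(entry).each do |dir|
      begin
        st = File.stat(dir)
      rescue SystemCallError
        next # $PATH entry that does not exist or cannot be read
      end
      found[dir] = st.mode if st.directory? && (st.mode & WORLD_WRITABLE) != 0
    end
  end
  found
end

# One line per finding, with the mode printed in the same octal form as
# the warning (for example 040777).
def report(path_var)
  world_writable_dirs(path_var).map do |dir, mode|
    note = (mode & STICKY).zero? ? "" : " (sticky bit set)"
    format("%s mode 0%o%s", dir, mode, note)
  end
end

puts report(ENV.fetch("PATH", "")) if __FILE__ == $0
```

A directory reported with the sticky bit set is usually a shared temporary directory; the fix there is to keep it and its children off $PATH, not to remove its write permission.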
