This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

RE: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777

From: "Elliott Hughes" <EHughes at bluearc dot com>
To: <cygwin at cygwin dot com>
Date: Fri, 6 Jan 2006 14:06:50 -0800
Subject: RE: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777

> Have you tried chmod a+t as an alternative to chmod o-w?

i hadn't, but i can confirm that it works:

sh-3.00$ chmod o+w /cygdrive/c
sh-3.00$ ls -ld /cygdrive/c
drwxrwxrwx+ 35 Administrators root 12288 Jan  3 19:20 /cygdrive/c
sh-3.00$ /usr/bin/ruby -e 'system("echo")'
-e:1: warning: Insecure world writable dir /cygdrive/c, mode 040777

sh-3.00$ chmod a+t /cygdrive/c
sh-3.00$ /usr/bin/ruby -e 'system("echo")'

sh-3.00$ 

> It would be nice if setup.exe or the base-files postinstall would touch up
> standard directories with better permissions.  Also, if you use ls --color
> with coreutils 5.93, insecure directories are given a different color to
> draw attention to them.

that sounds good to me.

Win32 (as opposed to Cygwin) Ruby seems to take the opposite approach, and disables the "insecure world writable dir" check:

sh-3.00$ chmod o+w /cygdrive/c
sh-3.00$ ls -ld /cygdrive/c
drwxrwxrwx+ 35 Administrators root 12288 Jan  3 19:20 /cygdrive/c
sh-3.00$ ruby-win32 -e 'system("echo")'
ECHO is on.

but that sounds like a bad idea.

P.S. in /usr/share/doc/base-files/README, "some of the basic file" should read "some of the basic files".

-- 
Elliott Hughes, BlueArc Engineering

-----Original Message-----
From: Eric Blake [mailto:ebb9@byu.net] 
Sent: 2006-01-06 05:57
To: Elliott Hughes
Cc: cygwin@cygwin.com
Subject: Re: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Elliott Hughes on 1/5/2006 5:53 PM:
> Ruby (on all Unixes, including Cygwin) warns if you try to run an external program and your $PATH contains a world-writable directory. It doesn't just check the directories on $PATH: it checks each of their parents, too, because if /usr/local (say) is world-writeable, /usr/local/bin is subverted as easily as if it were writeable itself.

World writable parent directories are not insecure if the sticky bit is
set, since then the subdirectory can only be replaced by owners.  Have you
tried chmod a+t as an alternative to chmod o-w?  I personally haven't used
ruby to see what warnings it prints.

>  
> Cygwin seems to ship with various directories world-writable, so you get warnings if you run a Ruby script that runs external programs:

It would be nice if setup.exe or the base-files postinstall would touch up
standard directories with better permissions.  Also, if you use ls --color
with coreutils 5.93, insecure directories are given a different color to
draw attention to them.

- --
Life is short - so eat dessert first!

Eric Blake             ebb9@byu.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDvncg84KuGfSFAYARAuv0AJ9eEIXMmTHq/rmICzW6/YOYRWYxkgCfZh9k
MnM+JEqp6ZxcKWXl6JFdE8k=
=V3Wl
-----END PGP SIGNATURE-----

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]