Message-ID: <43BE7720.3020504@byu.net>
Date: Fri, 06 Jan 2006 06:56:48 -0700
From: Eric Blake <ebb9 AT byu DOT net>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
MIME-Version: 1.0
To: Elliott Hughes <EHughes AT bluearc DOT com>
CC: cygwin AT cygwin DOT com
Subject: Re: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777
References: <CECD6E8A589E8447BC6E836C8369AFF5085E9685 AT us-email DOT terastack DOT bluearc DOT com>
In-Reply-To: <CECD6E8A589E8447BC6E836C8369AFF5085E9685@us-email.terastack.bluearc.com>

According to Elliott Hughes on 1/5/2006 5:53 PM:
> Ruby (on all Unixes, including Cygwin) warns if you try to run an external program and your $PATH contains a world-writable directory. It doesn't just check the directories on $PATH: it checks each of their parents, too, because if /usr/local (say) is world-writeable, /usr/local/bin is subverted as easily as if it were writeable itself.

World writable parent directories are not insecure if the sticky bit is set, since then the subdirectory can only be replaced by owners. Have you tried chmod a+t as an alternative to chmod o-w? I personally haven't used ruby to see what warnings it prints.

>
> Cygwin seems to ship with various directories world-writable, so you get warnings if you run a Ruby script that runs external programs:

It would be nice if setup.exe or the base-files postinstall would touch up standard directories with better permissions. Also, if you use ls --color with coreutils 5.93, insecure directories are given a different color to draw attention to them.

--
Life is short - so eat dessert first!
Eric Blake ebb9 AT byu DOT net
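
The check discussed in this thread (every $PATH directory plus each of its parents, with the sticky-bit exception), as an added shell example that is not part of the original message and is not Ruby's own code. The function names `is_insecure_dir` and `audit_path` are hypothetical, and resolving each entry to its physical path before walking upward is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: list directories on a PATH-style string (and their parents)
# that are world-writable without the sticky bit.

# is_insecure_dir DIR (hypothetical helper)
# Succeeds only if DIR is a directory with o+w (0002) set and sticky (1000) clear.
is_insecure_dir() {
    [ -d "$1" ] || return 1
    # -prune stops find from descending; only DIR itself is tested.
    [ -n "$(find "$1" -prune -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]
}

# audit_path PATHSTRING (hypothetical helper)
# Prints, one per line and de-duplicated, every insecure directory found
# among the colon-separated entries and all of their parents up to /.
audit_path() {
    (
        IFS=:
        set -f                          # no globbing while splitting on ':'
        for entry in $1; do
            [ -n "$entry" ] || entry=.  # an empty entry means the current directory
            # Assumption: audit the physical path, with symlinks resolved.
            dir=$(cd "$entry" 2>/dev/null && pwd -P) || continue
            while :; do
                is_insecure_dir "$dir" && printf '%s\n' "$dir"
                [ "$dir" = / ] && break
                dir=$(dirname "$dir")
            done
        done
    ) | sort -u
}

# Stand-alone use: audit the caller's own PATH.
audit_path "$PATH"
```

A directory this prints can be handled with either remedy named in the message: `chmod o-w` on it, or `chmod a+t` where it has to stay world-writable.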