X-Spam-Check-By: sourceware.org Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Subject: RE: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777 Date: Fri, 6 Jan 2006 14:06:50 -0800 Message-ID: From: "Elliott Hughes" To: Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Note-from-DJ: This may be spam Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by delorie.com id k06M72pf024385 > Have you tried chmod a+t as an alternative to chmod o-w? i hadn't, but i can confirm that it works: sh-3.00$ chmod o+w /cygdrive/c sh-3.00$ ls -ld /cygdrive/c drwxrwxrwx+ 35 Administrators root 12288 Jan 3 19:20 /cygdrive/c sh-3.00$ /usr/bin/ruby -e 'system("echo")' -e:1: warning: Insecure world writable dir /cygdrive/c, mode 040777 sh-3.00$ chmod a+t /cygdrive/c sh-3.00$ /usr/bin/ruby -e 'system("echo")' sh-3.00$ > It would be nice if setup.exe or the base-files postinstall would touch up > standard directories with better permissions. Also, if you use ls --color > with coreutils 5.93, insecure directories are given a different color to > draw attention to them. that sounds good to me. Win32 (as opposed to Cygwin) Ruby seems to take the opposite approach, and disables the "insecure world writable dir" check: sh-3.00$ chmod o+w /cygdrive/c sh-3.00$ ls -ld /cygdrive/c drwxrwxrwx+ 35 Administrators root 12288 Jan 3 19:20 /cygdrive/c sh-3.00$ ruby-win32 -e 'system("echo")' ECHO is on. but that sounds like a bad idea. P.S. in /usr/share/doc/base-files/README, "some of the basic file" should read "some of the basic files". -- Elliott Hughes, BlueArc Engineering -----Original Message----- From: Eric Blake [mailto:ebb9 AT byu DOT net] Sent: 2006-01-06 05:57 To: Elliott Hughes Cc: cygwin AT cygwin DOT com Subject: Re: 1.5.18: ruby warning: Insecure world writable dir /usr/local/bin, mode 040777 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 According to Elliott Hughes on 1/5/2006 5:53 PM: > Ruby (on all Unixes, including Cygwin) warns if you try to run an external program and your $PATH contains a world-writable directory. It doesn't just check the directories on $PATH: it checks each of their parents, too, because if /usr/local (say) is world-writeable, /usr/local/bin is subverted as easily as if it were writeable itself. World writable parent directories are not insecure if the sticky bit is set, since then the subdirectory can only be replaced by owners. Have you tried chmod a+t as an alternative to chmod o-w? I personally haven't used ruby to see what warnings it prints. > > Cygwin seems to ship with various directories world-writable, so you get warnings if you run a Ruby script that runs external programs: It would be nice if setup.exe or the base-files postinstall would touch up standard directories with better permissions. Also, if you use ls --color with coreutils 5.93, insecure directories are given a different color to draw attention to them. - -- Life is short - so eat dessert first! Eric Blake ebb9 AT byu DOT net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Cygwin) Comment: Public key at home.comcast.net/~ericblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDvncg84KuGfSFAYARAuv0AJ9eEIXMmTHq/rmICzW6/YOYRWYxkgCfZh9k MnM+JEqp6ZxcKWXl6JFdE8k= =V3Wl -----END PGP SIGNATURE-----