"insecure world writable" fix?

Sean_Harre · 20 July 2006 17:33

Hello All,

I have come up with a fix/workaround which turns off the "insecure world
writable" warning message.

In my code, I pass a string (exec_str) to exec:

exec_str = "./foo.pl test"
exec(exec_str)

Depending on my PATH, this can point out any number of world-writable
directories on my network.

If I change the above so I'm just adding a CR to the end of exec_str, I
now do not see the warning message any longer:

exec_str = "./foo.pl test\n"
exec(exec_str)

Anyone have an idea why this works?

Thanks,
-Sean

Eric_Armstrong · 20 July 2006 21:33

Sean Harre wrote:

Hello All,

I have come up with a fix/workaround which turns off the "insecure world
writable" warning message.

In my code, I pass a string (exec_str) to exec:

    exec_str = "./foo.pl test"
    exec(exec_str)

Depending on my PATH, this can point out any number of world-writable
directories on my network.

If I change the above so I'm just adding a CR to the end of exec_str, I
now do not see the warning message any longer:

    exec_str = "./foo.pl test\n"
    exec(exec_str)

Anyone have an idea why this works?

*Heck* of a workaround. Thanks. I look forward to
explanations as to why it works.

I've been using this:
exec_str = "eval ''; ..."

The initial eval also stops the insecure writable
message.

There's no way to modify the environment, either.
Access ENV.<any> causes the message to appear
before I even try to execute anything in a subshell.

That message is one heckofa mystery, to be sure.

ts1 · 21 July 2006 08:45

exec_str = "./foo.pl test\n"
exec(exec_str)

Anyone have an idea why this works?

When ruby find some special characters (like \n;{} ...) in the string, it
call the shell (/bin/sh -c) rather than trying to exec directly the
program. In this case it don't test the variable PATH

Guy Decoux

Sean_Harre · 21 July 2006 16:50

Ok, I understand the reason this works the way it does - Ruby wants the
shell to handle any special characters that may result in
substitutions/matching, etc. That makes sense. But is there an "official
workaround" for this problem? And if not, can I rest well at night with
my '\n' workaround in my companys stable source tree? It's just a
warning message now, but in the future, I can't really forsee any
problems with putting a CR at end of exec_str, but...

Thanks,
-Sean

ts wrote:

···

"S" == Sean Harre <sharre@transmeta.com> writes:

    exec_str = "./foo.pl test\n"
    exec(exec_str)

Anyone have an idea why this works?

When ruby find some special characters (like \n;{} ...) in the string, it
call the shell (/bin/sh -c) rather than trying to exec directly the
program. In this case it don't test the variable PATH

Guy Decoux

ts1 · 21 July 2006 17:05

substitutions/matching, etc. That makes sense. But is there an "official
workaround" for this problem? And if not, can I rest well at night with

Yes, correct the problem (i.e. change the permission for the directory)

my '\n' workaround in my companys stable source tree? It's just a
warning message now, but in the future, I can't really forsee any

it's a warning message with $SAFE = 0, but an error with $SAFE >= 1

svg% ruby -e 'exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
svg%

svg% ruby -e '$SAFE = 1; exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
-e:1:in `exec': Insecure PATH - ls (SecurityError)
from -e:1
svg%

Guy Decoux

Qian_Jigui · 1 September 2009 02:34

As the ts said, setting the $SAFE is a way to ignore the warning.
Or
run the ruby script like this:
ruby -w0 file...

Last we can change the permission of the dictionary.
For example,
drwxr-xr-x 7 abc abc ...... /home/abc/bin
Let other users can only access the dictionary.

ts wrote:

···

> substitutions/matching, etc. That makes sense. But is there an
"official
> workaround" for this problem? And if not, can I rest well at night
with

Yes, correct the problem (i.e. change the permission for the directory)

> my '\n' workaround in my companys stable source tree? It's just a
> warning message now, but in the future, I can't really forsee any

it's a warning message with $SAFE = 0, but an error with $SAFE >= 1

svg% ruby -e 'exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
svg%

svg% ruby -e '$SAFE = 1; exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
-e:1:in `exec': Insecure PATH - ls (SecurityError)
from -e:1
svg%

Guy Decoux

--
Posted via http://www.ruby-forum.com/\.

Hugh_Chileshe · 1 September 2009 06:46

what is the best gui for ruby and where can i find it?

···

On 9/1/09, Qian Jigui <qianjigui@gmail.com> wrote:

As the ts said, setting the $SAFE is a way to ignore the warning.
Or
run the ruby script like this:
ruby -w0 file...

Last we can change the permission of the dictionary.
For example,
drwxr-xr-x 7 abc abc ...... /home/abc/bin
Let other users can only access the dictionary.

ts wrote:

> substitutions/matching, etc. That makes sense. But is there an
"official
> workaround" for this problem? And if not, can I rest well at night
with

Yes, correct the problem (i.e. change the permission for the directory)

> my '\n' workaround in my companys stable source tree? It's just a
> warning message now, but in the future, I can't really forsee any

it's a warning message with $SAFE = 0, but an error with $SAFE >= 1

svg% ruby -e 'exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
svg%

svg% ruby -e '$SAFE = 1; exec("ls")'
-e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
-e:1:in `exec': Insecure PATH - ls (SecurityError)
from -e:1
svg%

Guy Decoux

--
Posted via http://www.ruby-forum.com/\.

Fabian_Streitel1 · 1 September 2009 07:45

there's tons of threads about this, e.g.

Search the mailing list for more

Greetz!

···

2009/9/1 Hugh Haboongo <hugh313@gmail.com>

what is the best gui for ruby and where can i find it?

On 9/1/09, Qian Jigui <qianjigui@gmail.com> wrote:
> As the ts said, setting the $SAFE is a way to ignore the warning.
> Or
> run the ruby script like this:
> ruby -w0 file...
>
> Last we can change the permission of the dictionary.
> For example,
> drwxr-xr-x 7 abc abc ...... /home/abc/bin
> Let other users can only access the dictionary.
>
>
> ts wrote:

>>
>> > substitutions/matching, etc. That makes sense. But is there an
>> "official
>> > workaround" for this problem? And if not, can I rest well at night
>> with
>>
>> Yes, correct the problem (i.e. change the permission for the directory)
>>
>>
>> > my '\n' workaround in my companys stable source tree? It's just a
>> > warning message now, but in the future, I can't really forsee any
>>
>> it's a warning message with $SAFE = 0, but an error with $SAFE >= 1
>>
>> svg% ruby -e 'exec("ls")'
>> -e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
>> svg%
>>
>> svg% ruby -e '$SAFE = 1; exec("ls")'
>> -e:1: warning: Insecure world writable dir /home/ts/XXX/., mode 040777
>> -e:1:in `exec': Insecure PATH - ls (SecurityError)
>> from -e:1
>> svg%
>>
>>
>> Guy Decoux
>
> --
> Posted via http://www.ruby-forum.com/\.
>
>

Topic		Replies	Views
Message "Insecure world writable dir ..." ruby-talk	16	215	27 November 2003
Insecure home writable warning ruby-talk	1	56	27 October 2005
Anyone knows this warning? ruby-talk	6	74	7 January 2009
Insecure word writable dir? ruby-talk	10	89	7 September 2006
How to avoid warning of 'Insecure world writable dir /local_vol1_nobackup in PATH, mode 040777' ruby-talk	8	177	23 July 2014

"insecure world writable" fix?

Related Topics