rubyscript2exe.rb question

[ara.t.howard]

anybody seen this:

jib:ahoward > ruby rubyscript2exe.rb rq q create
Tracing rq ...
Gathering files...
Copying files...
Stripping...
Creating rq_linux ...


jib:ahoward > rq_linux q list
/tmp/eee.rq_linux.2/bin/ruby: warning: Insecure world writable dir /tmp in LOAD_PATH, mode 041777
/tmp/eee.rq_linux.2/bin/ruby: loading from unsafe file /tmp/eee.rq_linux.2/bootstrap.rb (SecurityError)


jib:ahoward > echo $?
1

workaround?

-a

 

[Erik Veenstra]

anybody seen this:

jib:ahoward > rq_linux q list
/tmp/eee.rq_linux.2/bin/ruby: warning: Insecure world
writable dir /tmp in LOAD_PATH, mode 041777
/tmp/eee.rq_linux.2/bin/ruby: loading from unsafe file
/tmp/eee.rq_linux.2/bootstrap.rb (SecurityError)

jib:ahoward > echo $?
1

Environment? Versions?

Could you try this (as root):

$ chmod +t /tmp

workaround?

Depending on the shell:

$ mkdir ~/tmp
$ TEMP=~/tmp rq_linux q list

gegroet,
Erik V. - http://www.erikveen.dds.nl/

 

[Eric I.]

I've experienced this same issue on OS X (10.4.9) using Ruby 1.8.6.
I've been able to verify it's not a problem using Ruby 1.8.2 on OS X
and that it's not a problem on Ruby 1.8.4 using Linux. And I'm pretty
sure it wasn't an issue with Ruby 1.8.5 under OS X. So my guess is
that it surrounds a change in Ruby made between 1.8.5 and 1.8.6.

My best guess is that Ruby 1.8.6. does not seem to be taking into
account the sticky bit.

The original message in this thread showed an error message indicating
the permissions were 041777. My error message reports the same. And
the "1" would indicate that the sticky bit is set.

I can verify that your workaround of setting TEMP to a non-world-
writeable directory worked.

And is it the case that when running an application created with
rubyscript2exe, that the SAFE level is greater than 0? Because if it
were 0 my understanding is it should at most generate a warning and
not an error.

Thanks,

Eric

 

[Erik Veenstra]

I've addressed this problem in the not-yet-released version.

It doesn't use /tmp anymore, but ~/.eee instead. The Ruby
equivalent is something like this:

dir = ENV["HOME"] || ENV["USERPROFILE"] || ENV["TEMP"]
dir ||= "c:/" if windows?
dir ||= "/tmp"
dir = File.join(dir, "eee") if windows? or cygwin?
dir = File.join(dir, ".eee") unless windows? or cygwin?

Maybe, just maybe, I'll release it in a couple of days...

gegroet,
Erik V. - http://www.erikveen.dds.nl/

 

[Erik Veenstra]

Wow, the ugliness of the real world raises its head, doesn't

it? Thanks for rubyscript2exe and for handling this.

"In theory, there's no difference between theory and practice.
In practice, there is."

I guess I'm still uncertain what the difficulty is with a
sticky, world-writeable directory on the load path. Perhaps
there's a subtlety I don't understand. But once the file is
created, only the owner can remove or rename the file (due to
the sticky bit), and if the file's permissions are otherwise
set correctly, no one other than the owner could alter it. So
where exactly is the vectory through which someone could do
some evil?

I really don't know. It's a Ruby thing. Maybe Matz has the
answer. AFAIR, he changed his mind on this topic, several
times... :}

And is it the case that when running an application created
with rubyscript2exe, that the SAFE level is greater than 0?
Because if it were 0 my understanding is it should at most
generate a warning and not an error.

RubyScript2Exe doesn't change the SAFE mode of your application.

gegroet,
Erik V. - http://www.erikveen.dds.nl/

 

[Erik Veenstra]

I've addressed this problem in the not-yet-released version.

Maybe, just maybe, I'll release it in a couple of days...

It's released:
http://www.erikveen.dds.nl/rubyscript2exe/index.html

gegroet,
Erik V. - http://www.erikveen.dds.nl/