Erroneous "Insecure World Writable Dir Foo in Path" When Running Ruby Script

  • Home
  • Languages
  • Ruby
  • Erroneous "Insecure World Writable Dir Foo in Path" When Running Ruby Script

Erroneous Insecure world writable dir foo in PATH when running ruby script

You could shut off all warnings with

> ruby -W0 ...

But that may hide other issues. and you did say you want only that specific warning hidden, and I don't think there is a way to do it other than fix the issue, which I think is due to the NFS mount not properly relaying the actual mask. I see this when I mount a non-linux server on linux with NFS.

Like a snao server or something that does not support unix style attributes.

Also as the error is reporting that it doesn't like the world writable directory in the path, could you remove it from the path, and use a prefix to access anything in that directory?

EDIT...
Another idea is to filter the output of your ruby script with something like...

> ruby ... | egrep -v "warning: Insecure world writable dir"

That would print any output other (the -v) than the specific warning.

However the warning is a security warning, it is a bad idea to have a world writable directory in your path as anyone can put a malicious script or executable in there. And it is equally bad to have a mounted bin directory especially one you have no control over in your PATH. In this case the issue has nothing to do with whether the directory is writable or not, it is the fact there is a foreign directory in your PATH.

Good practices would dictate that you take that mounted directory out of your PATH and the warning will go away. If you need to execute something that is in that directory, then explicitly provide the full path to the script or executable.

This is not really a Ruby issue but a security issue.

warning: Insecure world writable dir when I run a ruby or gem command

Just chmod go-w /opt/local/bin at a shell prompt (depending on permissions you may need to sudo to do that).

Suppress warning Insecure world writable dir /some/dir/

I could not find a way to globally disable the "Insecure world writable dir" warning.

Another answer suggests replacing the ruby executable with a shell script or to recompile ruby with different options. Both options are difficult and could lead to other unexpected problems, in my opinion.

However, I found a way to disable the warning for individual scripts/gems:

In my case, I use the gem colorls to generate a nicer ls output. So far, this gem is the only one the frequently triggers the warning. I solved it, by adding the following alias to my .zshrc file (or .bash_profile)

Solution 1

# Inside .zshrc

alias colorls='colorls --color=always 2>/dev/null'

The important part is the error redirection 2>/dev/null.

Good: This alias allows me to add custom parameters to the command, like colorls --report

Bad: This alias will mask any error or warning that the command produces. I want to specifically remove the "Insecure world writable dir" warning.

Solution 2

# Inside .zshrc

alias colorls='colorls --color=always 2>&1 | grep "warning: Insecure world writable dir" -v'

Good: Instead of redirecting all errors to /dev/null, my second attempt redirects all output to grep, which strips out the individual warning message.

Bad: That solution does not recognize any colorls parameters; any parameter will be passed to grep instead of colorls...

Solution 3 (best)

# Inside .zshrc

colorls() {
    /usr/bin/colorls --color=always $@ 2>&1 | grep "warning: Insecure world writable dir" -v
}

This is the best solution: We replace the colorls binary with a shell function. That shell function calls the binary. The $@ variable passes all parameters to the binary, while grep removes the specific warning from the output.

Getting the warning Insecure world writable dir /home/chance in PATH, mode 040777 for rails and gem

If you tried sudo chmod go-w /usr/local/bin from the other answer, try:

chmod go-w /home/chance

instead.

What seems to have happened is that somehow your home directory (/home/chance) has been added to your $PATH (the list of directories the OS searches when trying to find an executable to launch) and has also had its permissions changed so that anyone can write to it. This is potential a security problem, as another user could put an executable into this directory which you could accidentally launch. Ruby notices this and issues the warning.

This command changes the permissions of the directory so that it is no longer world writable.

In unix, file permissions are specified for three categories, the file owner (user), the group of the file (group), and everyone else (other). (See Google for more on unix file permissions).

So breaking down the command above:

chmod - change the 'mode' of the file (i.e. its permissions)

go - for group(g) and others(o)

-w - (minus w) remove write permission

/home/chance - the file (or directory) in question

In the other answer the directory that was causing the problem was /usr/local/bin, which is owned by root so sudo is required to change permissions on it. /home/chance is your home directory which is owned by the chance user who can change permissions on it - no sudo required.

How to fix When installing bundle I receive errors in Gemfile pg

pg was installed and for some reason I had 

./channels

It must be //= require tree so it can grab all files from the js folder.

using SCL in the command call for Ruby script

How about this:

#!/usr/bin/ruby
if RUBY_VERSION != "2.4.1"
  exec "scl enable ruby-24; ruby __FILE__"
end
puts "Ruby Version: #{RUBY_VERSION}"

Why is my Ruby Git script hook run with the wrong $PATH?

The reason i didn't wanted to use env instead of a fixed path to ruby or a rvm wrapper was that this is for a Team Project and not everyone in the Team is using RVM.

My final solution was to write my own wrapper script an add it to that project.

All client-side git hooks 're living in $PROJECT/bin/hooks, all of them ruby scripts.
Now, i've just put that mentioned wrapper in there, and created a symlink to that wrapper in $PROJECT/.git/hooks for all the hooks.

The script check's if RVM is used and if so fixes the $PATH var and if there are .ruby-version and/or .ruby-gemset files in the project root it loads the according version/gemset.

Then it'll run the according ruby script
Here's the wrapper in case you're interested:

#!/bin/bash
if [ -d "$HOME/.rvm/bin" ]; then
  PATH="$HOME/.rvm/bin:$PATH"
  [[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"

  if [ -f ".ruby-version" ]; then
    rvm use "$(cat .ruby-version)"
  fi

  if [ -f ".ruby-gemset" ]; then
    rvm gemset use "$(cat .ruby-gemset)"
  fi
fi
ruby "bin/hooks/$(basename "$0").rb"

So, i'll get my rvm version/gemset and everybody else the ruby version they have in their PATH, and everyone is Happy.


Related Topics

Skip/Disable Force_Ssl for Particular Controller in Rails

Circular Dependencies in Ruby

How to Remove Non-Printable/Invisible Characters in Ruby

Stop Loading Page Watir-Webdriver

How to Get a Selenium/Ruby Bot to Wait Before Performing an Action

How to Change the Default Value of a Struct Attribute

Run Rspec on VS Code

Does Ruby Have Syntax for Safe Navigation Operator of Nil Values, Like in Groovy

Storing Passwords for External APIs - Best Practice

Is Regexp.Last_Match Thread Safe

How to Split a String by Commas Except Inside Parenthesis, Using a Regular Expression

How to Get the Final Url After Redirects Using Ruby

Why Does Conditional Statement and Assigning Value in Ruby Fails If the "If" Statement Is at End of Clause

Declaring an Integer Range with Step != 1 in Ruby

How Do Version Numbers Work for Mri Ruby

Errno::Econnreset: Connection Reset by Peer in Rails Using Rest-Client

How to Mask All But Last Four Characters in a String

Sorting an Array in Ruby Without Using Sort Method


Leave a reply



Submit