From: Eric Hodel <drbrain@...7.net>
Date: 2011-07-24T11:33:21+09:00
Subject: [ruby-core:38440] [Ruby 1.9 - Feature #1800][Closed] rubygems can replace system executable files


Issue #1800 has been updated by Eric Hodel.

Status changed from Assigned to Closed
Target version changed from 1.9.x to 1.9.4

I've implemented this in the RubyGems repository, but it is too big a change to go into 1.9.3.

Rather than having users opt-in to checking if a RubyGems executable will overwrite something in their bin dir I'm using the following rules:

If --force was used, overwrite

If the executable exists and is for a different gem the user is consulted

If the executable exists and is in the default bin directory (for example, /usr/local/bin) the user is consulted

Otherwise, the executable is overwritten (gem reinstall or somebody was messing with the repository's bin directory)

With the fake gems of 1.9.x I think this meets all the criteria.

See:

https://github.com/rubygems/rubygems/commit/415c0ec4
https://github.com/rubygems/rubygems/commit/5298fffd
----------------------------------------
Feature #1800: rubygems can replace system executable files
http://redmine.ruby-lang.org/issues/1800

Author: Kazuhiro NISHIYAMA
Status: Closed
Priority: Normal
Assignee: Eric Hodel
Category: lib
Target version: 1.9.4
ruby -v: ruby 1.9.2dev


=begin
 Japanese blog http://wota.jp/ac/?date=20090604#p01 says,
 gem has bin/ls and Gem::Specification#executables= ["ls"],
 rubygem overwrites /usr/bin/ls without confirming.
 
 I think this is potential security risk.
=end



-- 
http://redmine.ruby-lang.org