From: Eric Hodel
Date: 2011-07-24T11:33:21+09:00
Subject: [ruby-core:38440] [Ruby 1.9 - Feature #1800][Closed] rubygems can replace system executable files

Issue #1800 has been updated by Eric Hodel.

Status changed from Assigned to Closed
Target version changed from 1.9.x to 1.9.4

I've implemented this in the RubyGems repository, but it is too big a change to go into 1.9.3.

Rather than having users opt-in to checking if a RubyGems executable will overwrite something in their bin dir I'm using the following rules:

* If --force was used, overwrite
* If the executable exists and is for a different gem the user is consulted
* If the executable exists and is in the default bin directory (for example, /usr/local/bin) the user is consulted
* Otherwise, the executable is overwritten (gem reinstall or somebody was messing with the repository's bin directory)

With the fake gems of 1.9.x I think this meets all the criteria.

See:

https://github.com/rubygems/rubygems/commit/415c0ec4
https://github.com/rubygems/rubygems/commit/5298fffd

----------------------------------------
Feature #1800: rubygems can replace system executable files
http://redmine.ruby-lang.org/issues/1800

Author: Kazuhiro NISHIYAMA
Status: Closed
Priority: Normal
Assignee: Eric Hodel
Category: lib
Target version: 1.9.4
ruby -v: ruby 1.9.2dev

=begin
 Japanese blog http://wota.jp/ac/?date=20090604#p01 says,
 gem has bin/ls and Gem::Specification#executables= ["ls"],
 rubygem overwrites /usr/bin/ls without confirming.

 I think this is a potential security risk.
=end

--
http://redmine.ruby-lang.org
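The four rules in the message above, applied in the order it lists them, as an added Ruby example (not RubyGems' own code and not taken from the linked commits). The function names, the `:write`/`:ask` results and the way a wrapper's owning gem is detected (a `gem 'name'` line in the script) are assumptions made for illustration; the sample files are constructed.

```ruby
require "tmpdir"

# Assumption: a RubyGems-generated wrapper activates its gem with a line such
# as `gem 'rake', version`; that line is used here to find the owning gem.
def wrapper_owner(path)
  File.open(path, "rb") do |io|
    io.each_line do |line|
      m = line.match(/\A\s*gem\s+['"]([^'"]+)['"]/)
      return m[1] if m
    end
  end
  nil # not a gem wrapper (binary, shell script, ...)
end

# Applies the four rules in the order the message lists them.
# Returns :write (install or overwrite) or :ask (consult the user).
def executable_action(path, gem_name:, default_bindir:, force: false)
  return :write unless File.exist?(path)      # nothing to overwrite
  return :write if force                      # rule 1: --force
  owner = wrapper_owner(path)
  return :ask if owner && owner != gem_name   # rule 2: another gem's executable
  in_default = File.dirname(File.expand_path(path)) == File.expand_path(default_bindir)
  return :ask if in_default                   # rule 3: default bin directory
  :write                                      # rule 4: reinstall or stray file
end

# Constructed layout: a stand-in default bin dir and a separate gem bin dir.
def demo_actions
  Dir.mktmpdir do |root|
    sysbin = File.join(root, "default_bin")
    gembin = File.join(root, "gem_bin")
    [sysbin, gembin].each { |dir| Dir.mkdir(dir) }
    File.binwrite(File.join(sysbin, "ls"), "\x7FELF\xFF\x00 binary\n".b)
    File.write(File.join(gembin, "rake"), "#!/usr/bin/env ruby\ngem 'rake', version\n")
    File.write(File.join(gembin, "stray"), "#!/bin/sh\necho hi\n")
    act = ->(dir, name, gem, force = false) {
      executable_action(File.join(dir, name), gem_name: gem, default_bindir: sysbin, force: force)
    }
    { system_ls: act.(sysbin, "ls", "fake-ls"),
      forced:    act.(sysbin, "ls", "fake-ls", true),
      other_gem: act.(gembin, "rake", "not-rake"),
      reinstall: act.(gembin, "rake", "rake"),
      stray:     act.(gembin, "stray", "tool"),
      fresh:     act.(gembin, "new-tool", "tool") }
  end
end

p demo_actions if $PROGRAM_NAME == __FILE__
```

Read literally, rule 3 also consults the user when the same gem is reinstalled into the default bin directory; the message does not say whether a reinstall is exempted there.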