question on having . as LOAD_PATH (ruby)

To: debian-security@lists.debian.org
Subject: question on having . as LOAD_PATH (ruby)
From: Junichi Uekawa <dancer@netfort.gr.jp>
Date: Sat, 07 Jan 2006 00:00:51 +0900
Message-id: <[🔎] 87zmm9l7to.dancerj%dancer@netfort.gr.jp>

Hi,

I am wondering what the security implications of having a LOAD_PATH
that includes '.' is.

Debian includes software that is written in ruby, and is executed with
root privilege, such as apt-listbugs.

LOAD_PATH is the list of path that ruby library (MODULE.rb, MODULE.so)
is searched against. The load_path will only fallback to '.' when it
cannot find the required module in other paths, which should normally
not be the case, but I'm feeling a bit uneasy about that.

A theoretical attach scenario is putting a module under /tmp, and wait
until a user executes a ruby script that require's that module with
CWD=/tmp, which also happens not to exist in the other directories
listed in LOAD_PATH.


Example of LOAD_PATH (on my amd64 machine)

$ ruby -e '$:.each{|l| print l+"\n"}'
/usr/local/lib/site_ruby/1.8
/usr/local/lib/site_ruby/1.8/x86_64-linux
/usr/local/lib/site_ruby
/usr/lib/ruby/1.8
/usr/lib/ruby/1.8/x86_64-linux
.




regards,
	junichi
-- 
dancer@{debian.org,netfort.gr.jp}   Debian Project

Reply to:

Follow-Ups:
- Re: question on having . as LOAD_PATH (ruby)
  - From: Stephen Gran <sgran@debian.org>

Prev by Date: unsubscribe
Next by Date: Re: question on having . as LOAD_PATH (ruby)
Previous by thread: unsubscribe
Next by thread: Re: question on having . as LOAD_PATH (ruby)
Index(es):
- Date
- Thread