question on having . as LOAD_PATH (ruby)
Hi,
I am wondering what the security implications of having a LOAD_PATH
that includes '.' are.
Debian includes software that is written in ruby, and is executed with
root privilege, such as apt-listbugs.
LOAD_PATH is the list of paths that Ruby libraries (MODULE.rb, MODULE.so)
are searched for in. The load path will only fall back to '.' when it
cannot find the required module in the other paths, which should normally
not be the case, but I'm feeling a bit uneasy about that.
A theoretical attack scenario is putting a module under /tmp and waiting
until a user executes a Ruby script that requires that module with
CWD=/tmp, where the module also happens not to exist in the other directories
listed in LOAD_PATH.
Example of LOAD_PATH (on my amd64 machine):
$ ruby -e '$:.each{|l| print l+"\n"}'
/usr/local/lib/site_ruby/1.8
/usr/local/lib/site_ruby/1.8/x86_64-linux
/usr/local/lib/site_ruby
/usr/lib/ruby/1.8
/usr/lib/ruby/1.8/x86_64-linux
.
regards,
junichi
--
dancer@{debian.org,netfort.gr.jp} Debian Project
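The following is an added example, not code from the original post or from any Debian package: a small audit helper that flags load-path entries a privileged Ruby script should not trust (relative entries such as '.', which resolve against whatever the current working directory is at require time, and world-writable directories such as /tmp), plus a helper that strips the relative entries before the first require could fall through to them. The sample load path is the amd64 listing quoted above; the world-writable check goes beyond the post, which only discusses '.'.

```ruby
# Added example (not from the original post): audit $LOAD_PATH for entries
# whose contents an attacker could influence.  A relative entry such as '.'
# is resolved against the process's current working directory at require
# time, so which file gets loaded depends on where the script is run, not
# on where it is installed.
require 'pathname'

# Classify one load-path entry.  Returns a reason string if the entry is
# risky, or nil if it looks fine.  The world-writable check is a heuristic
# added here: a directory like /tmp does not need to be '.' to be a problem,
# since anyone may create a MODULE.rb in it (the sticky bit only protects
# existing files from deletion, not the directory from new files).
def load_path_risk(entry)
  entry = entry.to_s
  unless Pathname.new(entry).absolute?
    return "relative entry '#{entry}' resolves against the current working directory"
  end
  if File.directory?(entry) && File.world_writable?(entry)
    return "world-writable directory #{entry}"
  end
  nil
end

# Return a Hash of { entry => reason } for every risky entry in the given
# load path (defaults to the running interpreter's own $LOAD_PATH).
def risky_load_path_entries(paths = $LOAD_PATH)
  paths.each_with_object({}) do |entry, risky|
    reason = load_path_risk(entry)
    risky[entry.to_s] = reason if reason
  end
end

# Mitigation for a privileged script: remove relative entries in place before
# any require that might otherwise fall through to them.  Returns the list of
# removed entries so the caller can log what was dropped.
def harden_load_path!(paths = $LOAD_PATH)
  relative = ->(e) { !Pathname.new(e.to_s).absolute? }
  removed = paths.select(&relative)
  paths.delete_if(&relative)
  removed
end

# Constructed sample input: the amd64 Ruby 1.8 load path quoted in the post.
SAMPLE_LOAD_PATH = %w[
  /usr/local/lib/site_ruby/1.8
  /usr/local/lib/site_ruby/1.8/x86_64-linux
  /usr/local/lib/site_ruby
  /usr/lib/ruby/1.8
  /usr/lib/ruby/1.8/x86_64-linux
  .
].freeze

if __FILE__ == $0
  risky_load_path_entries(SAMPLE_LOAD_PATH).each { |e, why| puts "sample: #{e}: #{why}" }
  risky_load_path_entries.each { |e, why| puts "this interpreter: #{e}: #{why}" }
end
```

Run it as a script to see the sample path flagged for '.' and the running interpreter's own load path audited. Ruby 1.9.2 and later no longer put '.' in the default load path, but a script can still reintroduce an equivalent problem with `$LOAD_PATH.unshift('lib')` or `ruby -I.`, which is why the audit looks at every entry rather than only at the literal '.'.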