 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev- | Prev- | Debian- | Jan- | Next- | Next- |
| Subject: | question on having . as LOAD_PATH (ruby) |
| Group: | Debian-security |
| From: | Junichi Uekawa |
| Date: | 6 Jan 2006 |
Hi,
I am wondering what the security implications of having a LOAD_PATH
that includes '.' is.
Debian includes software that is written in ruby, and is executed with
root privilege, such as apt-listbugs.
LOAD_PATH is the list of path that ruby library (MODULE.rb, MODULE.so)
is searched against. The load_path will only fallback to '.' when it
cannot find the required module in other paths, which should normally
not be the case, but I'm feeling a bit uneasy about that.
A theoretical attach scenario is putting a module under /tmp, and wait
until a user executes a ruby script that require's that module with
CWD=/tmp, which also happens not to exist in the other directories
listed in LOAD_PATH.
Example of LOAD_PATH (on my amd64 machine)
$ ruby -e '$:.each{|l| print l+"\n"}'
/usr/local/lib/site_ruby/1.8
/usr/local/lib/site_ruby/1.8/x86_64-linux
/usr/local/lib/site_ruby
/usr/lib/ruby/1.8
/usr/lib/ruby/1.8/x86_64-linux
.
regards,
junichi
--
dancer} Debian Project
--
To UNSUBSCRIBE, email to debian-security-REQUEST
with a subject of "unsubscribe". Trouble? Contact listmaster
| Prev- | Prev- | Debian- | Jan- | Next- | Next- |