gem file access problem

Bug #1324685 reported by Hadmut Danisch
This bug affects 2 people
Affects: ruby1.9.1 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

there's an improper setting of the file settings of ruby gems.

Lots of ruby applications such as rails applications require tools like rake and bundle to be present, and several gems to be installed through bundle.

Now there are two options to go:

The first option is to use rake and bundle that come with ubuntu. These don't work and don't give useful error messages, e.g. trying to make a ruby app run:

% bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching gem metadata from https://rubygems.org/..

Gem::Exception: Cannot load gem at [/var/lib/gems/1.9.1/cache/rake-10.0.4.gem] in /var/www/rails/Fibu/rails/fibu
An error occurred while installing rake (10.0.4), and Bundler cannot continue.
Make sure that `gem install rake -v '10.0.4'` succeeds before bundling.

The other way is to not use bundle from ubuntu, but to install the bundle gem. This works in general, but not if bundle is then run as a user other than root. bundle itself is ready to run as non-root and to use sudo for important tasks. Unfortunately it fails with permission denied, since the user rights of /var/lib/gem/* are not set properly to use bundle that way.

The only way that actually works is to run bundle as root. No problems with file permissions.

But this means that *all* gem installations are run as root, and thus highly vulnerable. Many gems come from sources not really trusted, and being forced to run them as root is sort of dangerous. An attacker who manages to attack one of the most wanted gems (or just provides it) has good chances to become root on many ubuntu systems.

There should be a plain and tested policy to install and use gems as non-root.

regards

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: ruby1.9.1 1.9.3.484-2ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: XFCE
Date: Thu May 29 21:57:10 2014
SourcePackage: ruby1.9.1
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Hadmut Danisch (hadmut) wrote :

The reason for the error message when using the regular way to install gems seems to be

% dir /var/lib/gems/1.9.1
insgesamt 4
drwxr-x--- 2 root root 4096 Mai 29 22:35 cache/

it's simply not readable for users other than root, thus forcing people to use the root account to proceed.

The file installed inside cache is

-rw-r----- 1 hadmut hadmut 120320 Mai 29 22:35 rake-10.0.4.gem

again with a permissions problem: it is readable only by the user who ran bundle.

Wrong umask?

information type: Private Security → Public Security
Revision history for this message
Hadmut Danisch (hadmut) wrote :

I've found what causes the problem.

/usr/bin/bundle doesn't set the umask, and instead uses the umask set by the user who calls it.

In my case, my umask is 027.

Therefore, all files created by bundle (through sudo) in /var/lib/gems become unreadable for users other than root, and therefore bundle will work for root only, unless a chmod -R a+rX /var/lib/gems is performed.

Problem doesn't occur if I use a umask of 022.

So bundle needs to set its umask properly, i.e. something like 022.
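
The umask effect described in this comment, reproduced in a scratch directory as an added example (not code from the bug report, from Ubuntu or from bundler). The cache/ directory and the rake-10.0.4.gem file name are constructed stand-ins for the reported /var/lib/gems layout; find_unreadable is the check an admin would run over the real tree before resorting to chmod -R a+rX.

```shell
#!/bin/sh
# Added example: show how the caller's umask decides who can read files that
# an installer creates, and list the entries a non-root user could not read.
set -e

# Create a cache directory and a gem file under the given umask and print
# their octal modes. Runs in a subshell so the caller's umask is untouched.
#   $1 = umask to apply, $2 = scratch directory to create
modes_under_umask() {
    (
        umask "$1"
        mkdir -p "$2/cache"
        : > "$2/cache/rake-10.0.4.gem"   # constructed placeholder, empty file
        stat -c '%a' "$2/cache" "$2/cache/rake-10.0.4.gem" | tr '\n' ' '
    )
}

# Print every file or directory under $1 that lacks the "other read" bit.
# Empty output means the tree is usable by users other than root.
find_unreadable() {
    find "$1" ! -perm -o=r -print
}

demo() {
    scratch=$(mktemp -d)
    # umask 027 (the reporter's setting): directory 750, file 640
    strict=$(modes_under_umask 027 "$scratch/strict")
    # umask 022 (the proposed fix): directory 755, file 644
    relaxed=$(modes_under_umask 022 "$scratch/relaxed")
    echo "umask 027 -> $strict"
    echo "umask 022 -> $relaxed"
    echo "not world-readable under umask 027 tree:"
    find_unreadable "$scratch/strict"
    echo "not world-readable under umask 022 tree:"
    find_unreadable "$scratch/relaxed"
    rm -rf "$scratch"
}
```

Running demo prints "750 640" for the 027 tree and "755 644" for the 022 tree, and only the 027 tree shows up in the unreadable listing.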

Revision history for this message
Hadmut Danisch (hadmut) wrote :

btw.

same problem for everything installed under /usr/local, such as /usr/local/bin/rake. Becomes root-owned but unreadable because of the umask.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Public Security → Public
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ruby1.9.1 (Ubuntu):
status: New → Confirmed