Hi,

On 10/3/06, nobu / ruby-lang.org <nobu / ruby-lang.org> wrote:
> Hi,
>
> At Mon, 2 Oct 2006 22:31:54 +0900,
> Laurent Sansonetti wrote in [ruby-core:08976]:
> > Currently, Ruby prints a warning when a directory that is part of
> > $PATH is world-writable, even if it has the sticky-bit set.
>
> It is definitely unsafe to include a world-writable directory
> in $PATH, regardless of whether it is sticky.  Whereas it is considered
> less unsafe for a world-unwritable directory under a sticky
> directory.  If you meant this, it is fixed in CVS already.
>

You're right, but what if the world-writable sticky-bit directory is
not in $PATH but its parent?

$ mkdir /tmp/ro
$ chmod 400 /tmp/ro
$ PATH=$PATH:/tmp/foo ruby -ve "system('id')"
ruby 1.8.5 (2006-08-25) [universal-darwin9.0]
-e:1: warning: Insecure world writable dir /tmp, mode 041777
uid=501(lrz) gid=501(lrz) groups=501(lrz), 81(_appserveradm),
79(_appserverusr), 80(admin)

I think that Ruby should not raise this warning in that case, as there
is no risk that /tmp/foo could be compromised (as the sticky bit of
/tmp prevents it from being removed, and as it is read-only).

Laurent
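
The rule discussed in this thread, written out as an added example (not code from the original message and not Ruby's own path check): a $PATH entry that is itself world-writable is flagged even when sticky, while a world-writable parent is tolerated only when it has the sticky bit. The function name, the `root:` parameter and the temporary directory tree are assumptions made for illustration.

```ruby
require "tmpdir"

WORLD_WRITABLE = 0o002   # S_IWOTH
STICKY         = 0o1000  # S_ISVTX

# Walk from +dir+ up to +root+ and return the reasons the entry fails
# the rule; an empty array means nothing was flagged.
def audit_path_entry(dir, root: "/")
  reasons = []
  path = File.expand_path(dir)
  root = File.expand_path(root)
  is_entry = true
  loop do
    mode = File.stat(path).mode & 0o7777
    unless (mode & WORLD_WRITABLE).zero?
      if is_entry
        # World-writable directory listed in $PATH: flagged, sticky or not.
        reasons << :entry_world_writable
      elsif (mode & STICKY).zero?
        # Non-sticky world-writable parent: any user can rename the child.
        reasons << :parent_world_writable_no_sticky
      end
      # A sticky world-writable parent (mode 041777, like /tmp) is tolerated.
    end
    break if path == root || path == "/"
    path = File.dirname(path)
    is_entry = false
  end
  reasons
end

# Constructed directory tree covering the three cases from the thread.
def demo
  Dir.mktmpdir("pathaudit") do |base|
    sticky = File.join(base, "sticky")
    open_dir = File.join(base, "open")
    dirs = { ro_under_sticky: [File.join(sticky, "ro"), 0o555],
             ww_under_sticky: [File.join(sticky, "ww"), 0o777],
             ro_under_open:   [File.join(open_dir, "ro"), 0o555] }
    [sticky, open_dir].each { |d| Dir.mkdir(d) }
    dirs.each_value { |path, mode| Dir.mkdir(path); File.chmod(mode, path) }
    File.chmod(0o1777, sticky)
    File.chmod(0o777, open_dir)
    dirs.transform_values { |path, _| audit_path_entry(path, root: base) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The sticky bit only stops users who own neither the child nor the sticky directory, so a fuller audit would also compare the owner of each path component.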