Hi,

On 10/3/06, nobu / ruby-lang.org <nobu / ruby-lang.org> wrote:
> Hi,
>
> At Mon, 2 Oct 2006 22:31:54 +0900,
> Laurent Sansonetti wrote in [ruby-core:08976]:
> > Currently, Ruby prints a warning when a directory that is part of
> > $PATH is world-writable, even if it has the sticky-bit set.
>
> It is definitely unsafe to include a world-writable directory
> in $PATH, regardless if it is sticky. Whereas it is considered
> less unsafe for a world-unwritable directory under a sticky
> directory. If you meant this, it is fixed in CVS already.
>

You're right, but what if the world-writable sticky-bit directory is
not in $PATH but its parent?

$ mkdir /tmp/ro
$ chmod 400 /tmp/ro
$ PATH=$PATH:/tmp/foo ruby -ve "system('id')"
ruby 1.8.5 (2006-08-25) [universal-darwin9.0]
-e:1: warning: Insecure world writable dir /tmp, mode 041777
uid=501(lrz) gid=501(lrz) groups=501(lrz), 81(_appserveradm), 79(_appserverusr), 80(admin)

I think that Ruby should not raise this warning in that case, as there
is no risk that /tmp/foo could be compromised (as the sticky bit of
/tmp prevents it from being removed, and as it is read-only).

Laurent
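
The check discussed in this message, as an added example that is not part of the original post and is not Ruby's own implementation. It applies the policy stated in the quoted reply (a $PATH entry must never be world-writable; a world-writable ancestor is tolerated only when it is sticky). The names `audit_path_entry`, `root` and `demo`, and the temporary directory tree, are constructed for illustration.

```ruby
require "tmpdir"

WORLD_WRITABLE = 0o002   # S_IWOTH
STICKY         = 0o1000  # S_ISVTX

# Audit one $PATH entry and every ancestor directory above it.
# Policy assumed from the quoted reply, not taken from Ruby's source:
#   - the entry itself must not be world-writable, sticky or not
#   - an ancestor may be world-writable only if the sticky bit is set
# `root` (hypothetical parameter) ends the upward walk and is not checked.
# Returns [[path, mode, reason], ...].
def audit_path_entry(entry, root: "/")
  findings = []
  dir = File.expand_path(entry)
  first = true
  while dir != root
    begin
      mode = File.stat(dir).mode
      if mode & WORLD_WRITABLE != 0
        if first
          findings << [dir, mode, :entry_world_writable]
        elsif mode & STICKY == 0
          findings << [dir, mode, :ancestor_world_writable]
        end
      end
    rescue Errno::ENOENT, Errno::ENOTDIR
      # a missing entry has no mode to check; its ancestors still do
    end
    parent = File.dirname(dir)
    break if parent == dir
    dir, first = parent, false
  end
  findings
end

# Constructed sample tree: a sticky and a non-sticky world-writable
# directory, each holding a child that only its owner can use.
def demo
  Dir.mktmpdir do |base|
    base = File.realpath(base)
    tree = { "sticky" => 0o1777, "sticky/ro" => 0o500,
             "open"   => 0o777,  "open/ro"   => 0o500 }
    tree.each { |rel, mode| d = File.join(base, rel); Dir.mkdir(d); File.chmod(mode, d) }
    %w[sticky/ro sticky open/ro].to_h do |rel|
      [rel, audit_path_entry(File.join(base, rel), root: base).map(&:last)]
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Under this policy the case raised in the message (a non-writable directory beneath a sticky world-writable parent) yields no finding, while the same child beneath a non-sticky world-writable parent is reported.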