zsh may or may not have its own complications/peculiarities here, but the
OP's situation is reproducible in bash too and should not be
shell-specific.  The reason you don't see the problem crop up in your third
command is because Ruby knows the full path to what it is told to execute
(/bin/bash) so the insecure PATH does not come into play *for Ruby*, but it
does come into play for bash itself.  You don't see this because bash
doesn't have this check like Ruby does and you presumably don't have a
malicious date in PATH:

```
$ ls -l date
-rwxr-xr-x 1 root root 13 Jul 23 11:21 date
$ cat date
#!/bin/sh
id
$ PATH=.:$PATH irb
irb(main):001:0> system("date")
(irb):1: warning: Insecure world writable dir /tmp/. in PATH, mode 041777
uid=1000(test) gid=1000(test) groups=1000(test)
=> true
irb(main):002:0> system("/bin/bash", "-c", "date")
uid=1000(test) gid=1000(test) groups=1000(test)
=> true
```

In that example, $SHELL is bash and zsh isn't even installed.

-jon




On Wed, Jul 23, 2014 at 11:12 AM, Eric MSP Veith <eveith / wwweb-library.net>
wrote:

> On Wednesday 23 July 2014, 10:15:31, Jon Hart wrote:
> > I can't help you fix this problem without seeing your code, but the
> > problem is pretty straightforward and the warning message is not
> > something that should be taken lightly. This warning occurs when your
> > PATH contains something that is world writable and your Ruby code calls
> > something like system(cmd) or another method whose behavior is impacted
> > by PATH.  If PATH contains a world writable location and the command that
> > you are trying to execute can be found in that world writable location
> > before its legitimate, (hopefully) non-world-writable location, your
> > Ruby code will end up executing potentially malicious code.
>
> Again, I guess this is a feature of zsh:
>
> ```
> [eveith@kazumi:~]% irb
> irb(main):001:0> system("date")
> (irb):1: warning: Insecure world writable dir /tmp/foo in PATH, mode 040777
> Mi 23. Jul 20:09:01 CEST 2014
> => true
> irb(main):002:0> system("/bin/bash", "date")
> /usr/bin/date: /usr/bin/date: Kann die Datei nicht ausführen.
> => false
> irb(main):003:0> system("/bin/bash", "-c", "date")
> Mi 23. Jul 20:09:22 CEST 2014
> => true
> irb(main):004:0>
> [eveith@kazumi:~]% /bin/bash -c "echo $PATH"
> /tmp/foo:(...omitted...)
> ```
>
>
> Cheers,
> Eric
>
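
The lookup-order problem described in this thread, as an added example that is not code from the thread or from Ruby's own PATH check: for a command name it lists the world-writable directories that are searched before (or at) the place where the command is found. The helper names (`path_dirs`, `world_writable_dir?`, `risky_dirs_for`, `demo`) are hypothetical, and the `open` and `safe` directories are constructed in a temporary directory for the demonstration.

```ruby
require "tmpdir"

# PATH entries in search order; an empty entry means the current directory.
def path_dirs(path)
  path.to_s.split(File::PATH_SEPARATOR, -1).map { |d| d.empty? ? "." : d }
end

# True when dir is a directory with the "other write" bit set. The sticky bit
# is ignored on purpose: the thread's /tmp/. (mode 041777) is still reported.
def world_writable_dir?(dir)
  st = File.stat(dir)
  st.directory? && (st.mode & 0o002) != 0
rescue SystemCallError
  false
end

# World-writable PATH directories searched up to and including the first one
# that holds an executable named cmd. Anyone can plant a file in those.
def risky_dirs_for(cmd, path = ENV["PATH"])
  return [] if cmd.include?("/") # explicit path: no PATH search for this name
  risky = []
  path_dirs(path).each do |dir|
    risky << dir if world_writable_dir?(dir)
    candidate = File.join(dir, cmd)
    break if File.file?(candidate) && File.executable?(candidate)
  end
  risky
end

# Constructed demo: "open" is mode 0777, "safe" is 0755 and holds a harmless date.
def demo
  Dir.mktmpdir do |root|
    open_dir, safe_dir = %w[open safe].map { |n| File.join(root, n) }
    Dir.mkdir(open_dir)
    Dir.mkdir(safe_dir)
    File.chmod(0o777, open_dir)
    File.chmod(0o755, safe_dir)
    tool = File.join(safe_dir, "date")
    File.write(tool, "#!/bin/sh\nexit 0\n")
    File.chmod(0o755, tool)
    sep = File::PATH_SEPARATOR
    names = ->(dirs) { dirs.map { |d| File.basename(d) } }
    { open_first: names.(risky_dirs_for("date", [open_dir, safe_dir].join(sep))),
      safe_first: names.(risky_dirs_for("date", [safe_dir, open_dir].join(sep))),
      full_path:  names.(risky_dirs_for("/bin/bash", open_dir)) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

An empty result for `/bin/bash` only covers the lookup of bash itself; as the session above shows, the `date` inside `bash -c "date"` is still resolved through PATH, so that name needs the same check.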