On Jul 23, 2014, at 11:12, Eric MSP Veith <eveith / wwweb-library.net> wrote:

> On Wednesday 23 July 2014, 10:15:31, Jon Hart wrote:
>> I can't help you fix this problem without seeing your code, but the problem
>> is pretty straight forward and the warning message is not something that
>> should be taken lightly. This warning occurs when your PATH contains
>> something that is world writable and your Ruby code calls something like
>> system(cmd) or other method whose behavior is impacted by PATH.  If PATH
>> contains a world writable location and the command that you are trying to
>> execute can be found in that world writable location before its legitimate,
>> (hopefully) non-world-writable location, your ruby code will end up
>> executing potentially malicious code.
>
> Again, I guess this is a feature of zsh:
>
> ```
> [eveith@kazumi:~]% irb
> irb(main):001:0> system("date")
> (irb):1: warning: Insecure world writable dir /tmp/foo in PATH, mode 040777
> Mi 23. Jul 20:09:01 CEST 2014
> => true
> irb(main):002:0> system("/bin/bash", "date")
> /usr/bin/date: /usr/bin/date: Kann die Datei nicht ausführen.
> => false
> irb(main):003:0> system("/bin/bash", "-c", "date")
> Mi 23. Jul 20:09:22 CEST 2014
> => true
> irb(main):004:0>
> [eveith@kazumi:~]% /bin/bash -c "echo $PATH"
> /tmp/foo:(...omitted...)
> ```

You didn't read any of his explanation. He clearly explains how and why this happens. It has nothing to do with zsh. A simple grep will show that it is ruby:

```
% grep -C5 "Insecure world writable dir" file.c
	if (STAT(p0, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH)
#ifdef S_ISVTX
	    && !(p && execpath && (st.st_mode & S_ISVTX))
#endif
	    && !access(p0, W_OK)) {
	    rb_warn("Insecure world writable dir %s in %sPATH, mode 0%"
		    PRI_MODET_PREFIX"o",
		    p0, (execpath ? "" : "LOAD_"), st.st_mode);
	    if (p) *p = '/';
	    RB_GC_GUARD(path);
	    return 0;
```
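
The condition in the excerpt above can be reproduced as a standalone PATH audit. This is an added example, not part of the thread and not Ruby's own code; the method names are hypothetical, and it assumes that `p` in the excerpt is set only while ancestors of the PATH entry are being checked.

```ruby
S_IWOTH = 0o002 # "writable by others" permission bit

# True when +dir+ meets the condition in the C excerpt: stat succeeds, it is a
# directory, S_IWOTH is set, and access(2) with W_OK succeeds for the real uid.
# Assumption: `p` in the excerpt is non-NULL only for ancestors of the PATH
# entry, so the sticky bit (S_ISVTX) excuses ancestors, not the entry itself.
def insecure_dir?(dir, ancestor:)
  st = File.stat(dir)
  return false unless st.directory? && (st.mode & S_IWOTH) != 0
  return false if ancestor && st.sticky?
  File.writable_real?(dir) # Ruby's wrapper for access(dir, W_OK)
rescue SystemCallError
  false # stat failed, so the C condition is false as well
end

# Walks one PATH entry upwards and returns the first offending directory, or nil.
def first_insecure_dir(entry)
  dir = File.expand_path(entry) # an empty entry resolves to the current directory
  ancestor = false
  loop do
    return dir if insecure_dir?(dir, ancestor: ancestor)
    parent = File.dirname(dir)
    return nil if parent == dir # reached the root
    dir = parent
    ancestor = true
  end
end

# Returns { path_entry => offending_directory } for every flagged entry.
def audit_path(path = ENV.fetch("PATH", ""))
  path.split(File::PATH_SEPARATOR).each_with_object({}) do |entry, findings|
    hit = first_insecure_dir(entry)
    findings[entry] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_path.each do |entry, dir|
    puts format("%s: world writable dir %s, mode 0%o", entry, dir, File.stat(dir).mode)
  end
end
```

Run as a script it lists each PATH entry that would trigger the warning, together with the directory responsible, which may be a parent of the entry rather than the entry itself.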