On Nov 24, 2003, at 17:18, Harry Ohlsen wrote:
> Imagine that, say, /export/home is world writeable.  I could make a 
> copy of someone's home directory, say "fred" and change some files in 
> there (e.g. a script or executable).  If I then move "fred" to 
> "fred.original" and replace it with my modified version, then Fred 
> might run my trojan script/executable.

Right, but say you create such a trojan -- the trojan is the danger, 
not the fact the directory is world writeable.  Running such a trojan 
from within Ruby isn't any more dangerous than running it directly, 
right?

Unless the danger is ruby-related, I don't see why Ruby tells you about 
it.  For example, does the HTTP module warn you when you use 'basic' 
authentication, explaining that it isn't very secure?  Does it warn you 
that you're running Windows, an OS known to have lots of security 
flaws?

I can see the complaint about world writable directories containing 
binaries in a security auditing module, but I'm not convinced about 
popen/system/`

Ben
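
An added example, not part of the original message and not Ruby's own implementation: a sketch of the kind of check a security auditing module could run, reporting any directory on the way to a PATH entry that is world-writable without the sticky bit (the condition that allows the directory swap described in the quoted text). The names `insecure_ancestors`, `audit_path` and `demo` are hypothetical, and the sample tree is constructed in a temporary directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Directories at or above +dir+ that are world-writable without the sticky
# bit. Any local user can rename or replace entries inside such a directory,
# which is the "move fred to fred.original" swap described in the thread.
def insecure_ancestors(dir)
  found = []
  path = File.expand_path(dir)
  loop do
    begin
      st = File.stat(path)
      found << path if st.directory? && st.world_writable? && !st.sticky?
    rescue SystemCallError
      # Missing or unreadable component: nothing to report for it.
    end
    parent = File.dirname(path)
    break if parent == path # reached the filesystem root
    path = parent
  end
  found
end

# Map each PATH entry to the insecure directories on the way to it.
def audit_path(path_var = ENV.fetch('PATH', ''))
  report = {}
  path_var.split(File::PATH_SEPARATOR).reject(&:empty?).each do |dir|
    bad = insecure_ancestors(dir)
    report[dir] = bad unless bad.empty?
  end
  report
end

# Constructed sample tree: <tmp>/home/fred/bin with "home" mode 0777, then 1777.
def demo
  Dir.mktmpdir do |root|
    home = File.join(root, 'home')
    bin  = File.join(home, 'fred', 'bin')
    FileUtils.mkdir_p(bin)
    File.chmod(0o777, home)
    open_mode = audit_path(bin).fetch(bin, []).include?(home)
    File.chmod(0o1777, home)
    sticky_mode = audit_path(bin).fetch(bin, []).include?(home)
    [open_mode, sticky_mode]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Calling `audit_path` with no argument audits the current process's PATH; the sticky-bit case is treated as acceptable because only the owner of an entry can rename or delete it there.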