emancu/toml-rb

[Security] Files are writable to every user after installation

Closed this issue · 3 comments

This topic came up after IT Security scanned some servers we are using the gem on. I validated this on different Linux systems and macOS. Is there a need for the 0666 file permissions after installation? Generally 0664, 0644, 0640 or even lower should be sufficient here. I had a look at the gem and could not find the code which modifies the files.

file permissions in Git:

-rw-r--r-- 1 1,0K 30 Nov 09:55 LICENSE
-rw-r--r-- 1 2,8K 30 Nov 09:55 README.md
-rw-r--r-- 1 2,7K 30 Nov 09:55 lib/toml-rb.rb
-rw-r--r-- 1 153B 30 Nov 09:55 lib/toml-rb/array.rb
-rw-r--r-- 1 1,0K 30 Nov 09:55 lib/toml-rb/datetime.rb
-rw-r--r-- 1 2,7K 30 Nov 09:55 lib/toml-rb/dumper.rb
-rw-r--r-- 1 350B 30 Nov 09:55 lib/toml-rb/errors.rb
-rw-r--r-- 1 727B 30 Nov 09:55 lib/toml-rb/grammars/array.citrus
-rw-r--r-- 1 1,2K 30 Nov 09:55 lib/toml-rb/grammars/document.citrus
-rw-r--r-- 1 244B 30 Nov 09:55 lib/toml-rb/grammars/helper.citrus
-rw-r--r-- 1 3,0K 30 Nov 09:55 lib/toml-rb/grammars/primitive.citrus
-rw-r--r-- 1 559B 30 Nov 09:55 lib/toml-rb/inline_table.rb
-rw-r--r-- 1 1,5K 30 Nov 09:55 lib/toml-rb/keyvalue.rb
-rw-r--r-- 1 1,1K 30 Nov 09:55 lib/toml-rb/parser.rb
-rw-r--r-- 1 1,4K 30 Nov 09:55 lib/toml-rb/string.rb
-rw-r--r-- 1 1,1K 30 Nov 09:55 lib/toml-rb/table.rb
-rw-r--r-- 1 1,2K 30 Nov 09:55 lib/toml-rb/table_array.rb
-rw-r--r-- 1 69B 30 Nov 09:55 lib/toml-rb/version.rb

after installation:

-rw-rw-rw- 1 1,0K 30 Nov 10:04 LICENSE
-rw-rw-rw- 1 2,8K 30 Nov 10:04 README.md
-rw-rw-rw- 1 2,7K 30 Nov 10:04 lib/toml-rb.rb
-rw-rw-rw- 1 153B 30 Nov 10:04 lib/toml-rb/array.rb
-rw-rw-rw- 1 1,0K 30 Nov 10:04 lib/toml-rb/datetime.rb
-rw-rw-rw- 1 2,7K 30 Nov 10:04 lib/toml-rb/dumper.rb
-rw-rw-rw- 1 350B 30 Nov 10:04 lib/toml-rb/errors.rb
-rw-rw-rw- 1 727B 30 Nov 10:04 lib/toml-rb/grammars/array.citrus
-rw-rw-rw- 1 1,2K 30 Nov 10:04 lib/toml-rb/grammars/document.citrus
-rw-rw-rw- 1 244B 30 Nov 10:04 lib/toml-rb/grammars/helper.citrus
-rw-rw-rw- 1 3,0K 30 Nov 10:04 lib/toml-rb/grammars/primitive.citrus
-rw-rw-rw- 1 559B 30 Nov 10:04 lib/toml-rb/inline_table.rb
-rw-rw-rw- 1 1,5K 30 Nov 10:04 lib/toml-rb/keyvalue.rb
-rw-rw-rw- 1 1,1K 30 Nov 10:04 lib/toml-rb/parser.rb
-rw-rw-rw- 1 1,4K 30 Nov 10:04 lib/toml-rb/string.rb
-rw-rw-rw- 1 1,1K 30 Nov 10:04 lib/toml-rb/table.rb
-rw-rw-rw- 1 1,2K 30 Nov 10:04 lib/toml-rb/table_array.rb
-rw-rw-rw- 1 69B 30 Nov 10:04 lib/toml-rb/version.rb
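The two listings above differ only in the mode bits, so the practical questions for an operator are (a) how to find every file in an installed gem tree that the "other" class can write to, (b) why an installer ends up creating 0666 files in the first place, and (c) how to tighten an already-installed tree. The script below is an added example written for this issue; it is not code from toml-rb or from the issue's participants. It builds a small constructed directory (one 0644 file, one 0666 file, mirroring the listings), scans it for world-writable regular files, shows the standard POSIX rule that a newly created file gets `requested_mode & ~umask` (so a process umask of 000 is what turns a 0666 request into world-writable files, while 022 yields 0644), and clears the group/other write bits. The helper names (`world_writable_files`, `mode_after_umask`, `strip_group_other_write`, `run_demo`) are this example's own.

```ruby
require 'tmpdir'
require 'fileutils'

# Relative paths of regular files under +root+ whose mode grants write
# access to "other" (the o+w bit, 0o002): files every local user can edit,
# which for Ruby source in a gem means every local user can change what the
# gem executes.
def world_writable_files(root)
  Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).select do |path|
    File.file?(path) && (File.stat(path).mode & 0o002) != 0
  end.map { |path| path.delete_prefix(root + File::SEPARATOR) }.sort
end

# Permission bits a newly created file receives: the requested mode with the
# process umask cleared (POSIX creation rule). umask 000 turns the usual
# 0o666 request into 0o666; umask 022 yields 0o644; umask 027 yields 0o640.
def mode_after_umask(umask, requested = 0o666)
  requested & ~umask & 0o777
end

# Remediation for an already-installed tree: clear the group and other write
# bits (0o022) on every regular file and return the paths that changed.
def strip_group_other_write(root)
  changed = []
  Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).each do |path|
    next unless File.file?(path)
    mode = File.stat(path).mode & 0o777
    next if (mode & 0o022).zero? # already group/other read-only
    File.chmod(mode & ~0o022, path)
    changed << path.delete_prefix(root + File::SEPARATOR)
  end
  changed.sort
end

# Constructed gem-like tree: LICENSE with the expected 0644 and a parser.rb
# with the 0666 reported in the issue (sample files, not the real gem).
def build_sample_tree(root)
  FileUtils.mkdir_p(File.join(root, 'lib', 'toml-rb'))
  license = File.join(root, 'LICENSE')
  parser  = File.join(root, 'lib', 'toml-rb', 'parser.rb')
  File.write(license, "sample license\n")
  File.chmod(0o644, license)
  File.write(parser, "# sample parser\n")
  File.chmod(0o666, parser)
  root
end

# Scan, fix, re-scan; returns the findings before and after remediation.
def run_demo
  Dir.mktmpdir('gem-perms') do |root|
    build_sample_tree(root)
    before = world_writable_files(root)
    fixed  = strip_group_other_write(root)
    after  = world_writable_files(root)
    { before: before, fixed: fixed, after: after }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = run_demo
  puts "world-writable before: #{result[:before].inspect}"
  puts "files tightened:       #{result[:fixed].inspect}"
  puts "world-writable after:  #{result[:after].inspect}"
  puts format('umask 000 -> %04o, 022 -> %04o, 027 -> %04o',
              mode_after_umask(0o000), mode_after_umask(0o022), mode_after_umask(0o027))
end
```

To audit a real installation, call `world_writable_files` on the gem's install directory (for example the path printed by `gem contents toml-rb` or `bundle show toml-rb`); an empty result is the expected state. Because the scan only reads `File.stat`, it is safe to run from a monitoring job, while `strip_group_other_write` should be run once by the owner of the gem tree after confirming the installer's umask so the problem does not return on the next install.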

@SimonHoenscheid I agree. I don't think there is a need for the 0666 file permissions.
However, I don't see a relationship between the gem and your installation process.

When you clone the repo, file permissions are correct, as you flagged. I guess it is a problem with the dependency manager or the way you use to install gems 🤔

What is your dependency manager? (including version)
Does that happen with toml-rb only? Or are there other gems with the same "problem"?

@emancu what do you mean by dependency manager? A tool like bundle? I just tried with gem install. I checked with normal ruby, but the issue was initially discovered inside a puppet installation using jRuby.

@SimonHoenscheid yeah, I meant bundle or just gem install.

🤔 I don't see a problem with toml-rb in particular, if you clone the repository and point your GEM PATH to it, you will get the right permissions, so I assume it is a problem with the tools you use to install gems.
What about other gems?

On the other hand, if you know what is wrong with toml-rb and you want to fix it, I'm happy to review a PR fixing this problem.