Ruby: World-writable directory in PATH.

I’m running ruby -w in my build script, which is producing warnings about /opt/hostedtoolcache/Ruby/2.6.3/x64/bin being world-writable. (Indeed, poking around reveals that all of its parent directories are, too.)

Even if mine is the only process in the virtual environment (mitigating any practical security concerns), I’d still love to keep the build warning-free. I’m currently working around this one by running env -i /usr/bin/ruby -w, but it would be nice to see it fixed upstream.

Thoughts? Thank you!

1 Like

Hi Matthew,

Thank you for taking time to report this!

This warning is due to the directory has been added to your $PATH(the list of directories the OS searches when trying to find an executable to launch),  and permission is writable anyone can write to. This is potential a security problem, Ruby notices this and issues the warning.

However,  the hosted-github runner is a temporary virtual environment which will be deprecated after workflow run complete.  GitHub hosts Linux and Windows runner is a fork of azure pipeline agent, it’s safe and protected. In addition, make the directory in $PATH un-writable by default will cause other problems.

As a workaround, please use below command to change the permissions of the directory so that it is no longer world writable.

chmod go-w /directory

Thanks.

1 Like

Thanks, @weide-zhou, I appreciate your taking the time to respond, and I’m happy to hear this will only be an issue during the beta period.

I had previously tried the chmod route, but I didn’t think to try sudo. Good to know that’ll work!

1 Like