ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work #465

Closed
Leolik opened this issue Jul 22, 2014 · 13 comments

@Leolik

Leolik commented Jul 22, 2014

After saving changes in an SCSS file I get this error:

ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777)

This bug is reproduced in nanoc 3.7.*
When using 3.6.9, everything works fine.

@denisdefreyne
Member

This seems to be a problem with your filesystem permissions.

If you are using Mac OS X, consider repairing permissions.

@denisdefreyne
Member

(Permissions for /tmp need to be 1777.)

@Leolik
Author

Leolik commented Aug 1, 2014

I use Ubuntu 14.04 amd64. Permissions for /tmp = 777
The bug is reproduced in nanoc 3.7.*

@denisdefreyne
Member

The permissions for /tmp should be 1777, not 777. Can you still reproduce the bug with permissions set to 1777?

@Leolik Leolik closed this as completed Aug 1, 2014
@Leolik Leolik reopened this Aug 1, 2014
@Leolik
Author

Leolik commented Aug 1, 2014

Sorry, but the bug is still reproduced ((
I set `sudo chmod 1777 /tmp` but the bug is reproduced

@denisdefreyne denisdefreyne changed the title ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777) ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work Aug 9, 2014
@denisdefreyne
Member

Not quite sure what’s going wrong here. Can you try chmod with -R and removing /tmp/*nanoc*?

@denisdefreyne denisdefreyne removed this from the 3.7.1 milestone Aug 9, 2014
@Leolik
Author

Leolik commented Sep 1, 2014

Forgive me for not answering for so long. I tried `sudo chmod 1777 -R /tmp` and removing with `sudo rm -rf /tmp/*nanoc*`, but the bug is still reproduced ((

@denisdefreyne
Member

It seems like nanoc can just use #rm_rf rather than #remove_entry_secure since it does not need to do the security check for the TOCTTOU vulnerability. Will fix.

@Leolik It is still odd that the problem happens for you, since /tmp is supposed to be excluded from this check anyway. Is /tmp a symlink on your system?

@denisdefreyne denisdefreyne modified the milestone: 3.7.4 Sep 6, 2014
@Leolik
Author

Leolik commented Sep 6, 2014

Ubuntu 14.04
/tmp - not a symlink

denisdefreyne added a commit that referenced this issue Sep 6, 2014
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check](1), even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see #465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
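
The refusal discussed in this thread can be reproduced harmlessly inside a private scratch directory. The Ruby below is an added example, not code from nanoc or from any participant; `secure_removal_verdict` and `try_secure_removal` are hypothetical helper names and the directory layout is constructed. It shows that `FileUtils.remove_entry_secure` inspects the immediate parent of the path it is given, and that the sticky bit is what separates mode 1777 from 777.

```ruby
require "fileutils"
require "tmpdir"

# Restates the precondition FileUtils.remove_entry_secure applies to a
# directory: it stats the immediate parent and refuses when that parent is
# world-writable without the sticky bit.
def secure_removal_verdict(path)
  parent = File.stat(File.dirname(File.expand_path(path)))
  mode = format("%o", parent.mode & 0o7777)
  return [:parent_not_world_writable, mode] unless parent.world_writable?
  parent.sticky? ? [:sticky_parent, mode] : [:refused, mode]
end

# Builds parent/text_items inside a private 0700 scratch directory (constructed
# layout), applies parent_mode to the parent, then makes the real stdlib call.
def try_secure_removal(parent_mode)
  Dir.mktmpdir("toctou-demo") do |scratch|
    parent = File.join(scratch, "parent")
    child = File.join(parent, "text_items")
    FileUtils.mkdir_p(child)
    File.chmod(parent_mode, parent)
    verdict, mode = secure_removal_verdict(child)
    outcome =
      begin
        FileUtils.remove_entry_secure(child)
        :removed
      rescue ArgumentError
        :argument_error
      end
    { mode: mode, verdict: verdict, outcome: outcome, gone: !File.exist?(child) }
  end
end

if __FILE__ == $PROGRAM_NAME
  [0o777, 0o1777, 0o755].each { |m| p try_secure_removal(m) }
end
```

Applied to the path in the reported error, `File.dirname` yields `/tmp/nanoc20140722-4298-1yqtg2j`, so the `40777` in the message is the mode of that directory rather than of `/tmp`.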
@denisdefreyne
Member

Potential fix in #474.

@denisdefreyne
Member

Fixed by #474.

@rajacsti

Thank you @ddfreyne Defreyne, it saved my day.

@sunilpuranik

Doing `sudo chmod o-w tmp/` worked for me
