Please have docs and/or prompts mention `sudo -v` #1028

Closed
lindes opened this Issue Feb 9, 2011 · 9 comments

lindes commented Feb 9, 2011

When invoking bundle install, bundler.rb invokes sudo with a -p option, specifying a special prompt. This is a fairly reasonable thing to do. However, as someone who knows that not everybody is reasonable about how and when they ask for passwords, I'm very hesitant to enter my password into a command that I don't know something about the security of. Well, I do know a little about bundle install's security, having looked into where this prompt came from. Before I did so, though, I wasn't about to give it my password, since I didn't really know what it was doing with it.

And so, I have this suggestion:

In documentation, and/or a prompt before the first invocation of sudo, perhaps you could mention that the password prompt can be avoided by running sudo -v (or really, sudo <anything>) and entering your password there, before invoking bundle install. This will still give bundle install root access (possibly even without you realizing it, which is slightly scary), without having to trust the manner in which it's requesting the password. A mention of this (or even of the fact that sudo is being invoked with the -p option) would be helpful, for folks like myself who like to be paranoid about such things. :)

P.S. Since your docs so firmly mention not to run sudo bundle install, I propose that mentioning sudo -v would be a way to get more people to not do so, when scared off by an unfamiliar password prompt.

Member

ixti commented Jul 10, 2013

Docs are saying:

As a result, you should run bundle install as the current user,
and bundler will ask for your password if it is needed to put the
gems into their final location.

From a security concerns point of view, asking the user to run sudo -v
before running a command is no better than asking the user for a
password inline IMHO.

/cc @indirect

Owner

indirect commented Jul 10, 2013

I think I agree — sudo mode is very seldom used in general (basically only when installing gems into the OS X default ruby's gems). I think documenting that sudo is being invoked is a great thing, and I would happily accept a patch that clarifies that in the documentation and/or the message that prompts for a password.

@indirect indirect closed this Jul 10, 2013

Member

ixti commented Jul 10, 2013

@indirect at the moment it prompts:

Enter your password to install the bundled RubyGems to your system: 

Probably it would be better to change to:

Super-user privileges required to install the bundled RubyGems to your system.
[sudo] password for #{ENV["user"]}:

If it's OK I can open a PR.

Member

ixti commented Jul 10, 2013

Ignore my last comment. Documentation already clearly says why sudo might be required:

In some cases, that location may not be writable by your Unix user. In
that case, bundler will stage everything in a temporary directory,
then ask you for your sudo password in order to copy the gems into
their system location.
...
As a result, you should run bundle install as the current user,
and bundler will ask for your password if it is needed to put the
gems into their final location.

Owner

indirect commented Jul 10, 2013

I think changing the prompt is still a good idea. How about:

Your user account isn't allowed to install to the system Rubygems. You can cancel this installation
and run `bundle install --path vendor/bundle` to install the gems into ./vendor/bundle/, or you can
enter your password to install the bundled gems to Rubygems using sudo.
Password: 

Member

ixti commented Jul 10, 2013

Sounds good. Will provide PR.

Member

ixti commented Jul 11, 2013

Example output of prompt in pull request:

% ruby -I./lib -r "bundler" -e "Bundler.sudo 'ls'"


Your user account isn't allowed to install to the system Rubygems.
You can cancel this installation and run:

    bundle install --path vendor/bundle

to install the gems into ./vendor/bundle/, or you can enter your password
and install the bundled gems to Rubygems using sudo.

Password: 
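The two ideas raised in this thread (pre-authenticating with `sudo -v` so the tool's own prompt never appears, and a prompt that states exactly what is being elevated) can be combined in the code that builds the sudo invocation. The following is an added illustration, not Bundler's code and not the pull request discussed here: it checks the sudo timestamp with `sudo -n -v`, passes `-n` when credentials are already cached so the tool can never prompt on its own, and otherwise passes `-p` with a prompt naming the command. It assumes `sudo` is on `PATH`; the command string and gem path used in the comments are constructed placeholders.

```ruby
# Added example (not Bundler's own code): build a sudo command line so that a
# user who pre-authenticated with `sudo -v` never sees the tool's custom prompt,
# and anyone who does see it is told exactly which command will run as root.
require "shellwords"

# Prompt text shown only when sudo actually needs a password. It names the
# elevated command so the user can judge the request before typing anything.
def elevation_prompt(command)
  "Your user account isn't allowed to install to the system Rubygems.\n" \
  "You can cancel this installation and run:\n\n" \
  "    bundle install --path vendor/bundle\n\n" \
  "to install the gems into ./vendor/bundle/, or you can enter your password\n" \
  "to run `sudo #{command}` now.\n\nPassword: "
end

# True when sudo can run right now without a password, i.e. the timestamp
# created by an earlier `sudo -v` (or any sudo call) is still valid.
# `-n` (non-interactive) makes sudo fail instead of prompting, so this check
# is safe to run unattended. Assumes sudo is on PATH (hypothetical environment).
def sudo_credentials_cached?
  return false unless system("command -v sudo > /dev/null 2>&1")
  system("sudo", "-n", "-v", out: File::NULL, err: File::NULL) ? true : false
end

# Returns the argv for the elevated command (constructed, not executed here).
# With cached credentials we pass `-n`: a stale cache then fails loudly rather
# than silently falling back to a prompt the user never expected. Otherwise we
# pass `-p` with the explicit prompt. `--` ends sudo's own option parsing.
def build_sudo_command(command, cached: sudo_credentials_cached?)
  argv = Shellwords.split(command)
  if cached
    ["sudo", "-n", "--"] + argv
  else
    ["sudo", "-p", elevation_prompt(command), "--"] + argv
  end
end

# Runs the command through sudo using the argv built above. Example only;
# the path below is a constructed placeholder for a system gem directory:
#   run_elevated("cp -R /tmp/staged/. /path/to/system/gems")
def run_elevated(command)
  system(*build_sudo_command(command))
end
```

Invoked as `ruby -r ./sudo_example -e 'run_elevated("ls")'`, a user who ran `sudo -v` beforehand sees no prompt at all, while everyone else sees the explanatory prompt rather than a bare request for a password.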

Running into this also. Using rbenv, I'm not sure why it's not being picked up there. No other errors like this appeared until I ran bundle install.

❯ bundle
Fetching gem metadata from https://rubygems.org/.........
Fetching additional metadata from https://rubygems.org/..
Resolving dependencies...
Using columnize (0.3.6)
Using debugger-linecache (1.2.0)
Using rake (10.1.0)
Using coderay (1.1.0)
Using debugger-ruby_core_source (1.2.4)
Using diff-lcs (1.2.5)
Using hashie (2.0.5)
Using method_source (0.8.2)
Using net-ldap (0.3.1)
Using rack (1.5.2)
Using pyu-ruby-sasl (0.0.3.3)
Using slop (3.4.7)
Using rubyntlm (0.1.1)
Using yard (0.8.7.3)
Using bundler (1.5.0.rc.1)
Using rspec-core (2.14.7)
Using rspec-mocks (2.14.4)
Using rspec-expectations (2.14.4)
Using rack-test (0.6.2)
Using pry (0.9.12.4)
Using omniauth (1.1.4)
Using rspec (2.14.1)
Using pry-doc (0.4.6)
Using omniauth-ldap (1.0.4)

Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/bin/ruby extconf.rb
checking for rb_method_entry_t.called_id in method.h... no
checking for rb_control_frame_t.method_id in method.h... no
checking for rb_method_entry_t.called_id in method.h... no
checking for rb_control_frame_t.method_id in method.h... no
checking for rb_method_entry_t.called_id in method.h... yes
checking for vm_core.h... yes
checking for iseq.h... no
Makefile creation failed
*************************************************************

  NOTE: If your headers were not found, try passing
        --with-ruby-include=PATH_TO_HEADERS

*************************************************************

*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
    --with-opt-dir
    --without-opt-dir
    --with-opt-include
    --without-opt-include=${opt-dir}/include
    --with-opt-lib
    --without-opt-lib=${opt-dir}/lib
    --with-make-prog
    --without-make-prog
    --srcdir=.
    --curdir
    --ruby=/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/bin/ruby
    --with-ruby-dir
    --without-ruby-dir
    --with-ruby-include
    --without-ruby-include=${ruby-dir}/include
    --with-ruby-lib
    --without-ruby-lib=${ruby-dir}/


Gem files will remain installed in /Users/kevinsuttle/.bundler/tmp/10516/gems/debugger-1.6.3 for inspection.
Results logged to /Users/kevinsuttle/.bundler/tmp/10516/gems/debugger-1.6.3/ext/ruby_debug/gem_make.out

An error occurred while installing debugger (1.6.3), and Bundler cannot continue.
Make sure that `gem install debugger -v '1.6.3'` succeeds before bundling.

Although, `gem install debugger -v '1.6.3'` works fine.

@kevinSuttle kevinSuttle referenced this issue in rbenv/rbenv Dec 16, 2013

Closed

Why is system Ruby so stingy? #506

Contributor

xaviershay commented Dec 17, 2013

This has already been merged and is in latest pre-releases. If those don't fix it for you, please open a new ticket with the information requested in ISSUES.md. Thanks!
