Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work #465

Closed
Leolik opened this issue Jul 22, 2014 · 13 comments

Comments

Projects
None yet
4 participants
@Leolik
Copy link

commented Jul 22, 2014

After save changes in scss file i get this error:

ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777)

This bug reproduced in nanoc 3.7.*
If using 3.6.9 all work fine

@ddfreyne

This comment has been minimized.

Copy link
Member

commented Aug 1, 2014

This seems to be a problem with your filesystem permissions.

If you are using Mac OS X, consider repairing permissions.

@ddfreyne

This comment has been minimized.

Copy link
Member

commented Aug 1, 2014

(Permissions for /tmp need to be 1777.)

@Leolik

This comment has been minimized.

Copy link
Author

commented Aug 1, 2014

I use Ubuntu 14.04 amd64. Permissions for /tmp = 777
Bug reproduced in nanoc 3.7.*

@ddfreyne

This comment has been minimized.

Copy link
Member

commented Aug 1, 2014

The permissions for /tmp should be 1777, not 777. Can you still reproduce the bug with permissions set to 1777?

@Leolik Leolik closed this Aug 1, 2014

@Leolik Leolik reopened this Aug 1, 2014

@Leolik

This comment has been minimized.

Copy link
Author

commented Aug 1, 2014

Sorry, but bug still reproduced ((
I set sudo chmod 1777 /tmp but bug reproduced

@ddfreyne ddfreyne changed the title ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777) ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work Aug 9, 2014

@ddfreyne

This comment has been minimized.

Copy link
Member

commented Aug 9, 2014

Not quite sure what’s going wrong here. Can you try chmod with -R and removing /tmp/*nanoc*?

@ddfreyne ddfreyne removed this from the 3.7.1 milestone Aug 9, 2014

@Leolik

This comment has been minimized.

Copy link
Author

commented Sep 1, 2014

Forgive me for so long did not answer. I try sudo chmod 1777 -R /tmp and removing sudo rm -rf /tmp/*nanoc*, but bug still reproduced ((

@ddfreyne ddfreyne removed the waiting label Sep 6, 2014

@ddfreyne

This comment has been minimized.

Copy link
Member

commented Sep 6, 2014

It seems like nanoc can just use #rm_rf rather than #remove_entry_secure since it does not need to do the security check for the TOCTTOU vulnerability. Will fix.

@Leolik It is still odd that the problem happens for you, since /tmp is supposed to be excluded from this check anyway. Is /tmp a symlink on your system?

@ddfreyne ddfreyne added the fix clear label Sep 6, 2014

@ddfreyne ddfreyne modified the milestone: 3.7.4 Sep 6, 2014

@Leolik

This comment has been minimized.

Copy link
Author

commented Sep 6, 2014

Ubuntu 14.04
/tmp - not a symlink

ddfreyne added a commit that referenced this issue Sep 6, 2014

Use #rm_rf rather than #remove_entry_secure
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check](1), even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see #465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
@ddfreyne

This comment has been minimized.

Copy link
Member

commented Sep 6, 2014

Potential fix in #474.

ddfreyne added a commit that referenced this issue Sep 6, 2014

Use #rm_rf rather than #remove_entry_secure
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check](1), even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see #465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
@ddfreyne

This comment has been minimized.

Copy link
Member

commented Nov 16, 2014

Fixed by #474.

@ddfreyne ddfreyne closed this Nov 16, 2014

@rajacsti

This comment has been minimized.

Copy link

commented Feb 11, 2015

Thank you @ddfreyne Defreyne, it saved my day.

@sunilpuranik

This comment has been minimized.

Copy link

commented Nov 22, 2017

Doing sudo chmod o-w tmp/ worked for me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.