ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work #465

Closed
Leolik opened this Issue Jul 22, 2014 · 13 comments

Leolik commented Jul 22, 2014

After saving changes in an scss file I get this error:

ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777)

This bug is reproduced in nanoc 3.7.*
If using 3.6.9, all works fine

ddfreyne commented Aug 1, 2014

This seems to be a problem with your filesystem permissions.

If you are using Mac OS X, consider repairing permissions.

ddfreyne commented Aug 1, 2014

(Permissions for /tmp need to be 1777.)

Leolik commented Aug 1, 2014

I use Ubuntu 14.04 amd64. Permissions for /tmp = 777
Bug reproduced in nanoc 3.7.*

ddfreyne commented Aug 1, 2014

The permissions for /tmp should be 1777, not 777. Can you still reproduce the bug with permissions set to 1777?

@Leolik Leolik closed this Aug 1, 2014

@Leolik Leolik reopened this Aug 1, 2014

Leolik commented Aug 1, 2014

Sorry, but the bug is still reproduced ((
I set sudo chmod 1777 /tmp but the bug is reproduced

@ddfreyne ddfreyne changed the title from ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777) to ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work Aug 9, 2014

ddfreyne commented Aug 9, 2014

Not quite sure what’s going wrong here. Can you try chmod with -R and removing /tmp/*nanoc*?

@ddfreyne ddfreyne removed this from the 3.7.1 milestone Aug 9, 2014

Leolik commented Sep 1, 2014

Forgive me for not answering for so long. I tried sudo chmod 1777 -R /tmp and removing with sudo rm -rf /tmp/*nanoc*, but the bug is still reproduced ((

@ddfreyne ddfreyne removed the waiting label Sep 6, 2014

ddfreyne commented Sep 6, 2014

It seems like nanoc can just use #rm_rf rather than #remove_entry_secure since it does not need to do the security check for the TOCTTOU vulnerability. Will fix.

@Leolik It is still odd that the problem happens for you, since /tmp is supposed to be excluded from this check anyway. Is /tmp a symlink on your system?

@ddfreyne ddfreyne added the fix clear label Sep 6, 2014

@ddfreyne ddfreyne modified the milestone: 3.7.4 Sep 6, 2014

Leolik commented Sep 6, 2014

Ubuntu 14.04
/tmp - not a symlink

ddfreyne added a commit that referenced this issue Sep 6, 2014

Use #rm_rf rather than #remove_entry_secure
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check](1), even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see nanoc/nanoc#465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
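
The check discussed in this thread, as an added example that is not part of the original issue or of nanoc's code: Ruby's `FileUtils.remove_entry_secure` inspects the immediate parent of the directory being removed and refuses when that parent is world-writable without the sticky bit. The directory names below are constructed for the demo, and the operations stay inside a private temporary sandbox.

```ruby
require "fileutils"
require "tmpdir"

# Build <sandbox>/parent/text_items, give "parent" the requested mode, then
# call FileUtils.remove_entry_secure on text_items. Returns :removed on
# success, or the ArgumentError message when the stdlib check refuses.
# Directory names are constructed for this demo.
def secure_remove_under(parent_mode)
  base   = Dir.mktmpdir("rm-secure-demo")     # private sandbox, mode 0700
  parent = File.join(base, "parent")
  target = File.join(parent, "text_items")
  FileUtils.mkdir_p(target)
  File.chmod(parent_mode, parent)             # explicit chmod, so umask cannot mask bits
  FileUtils.remove_entry_secure(target)
  File.exist?(target) ? :still_there : :removed
rescue ArgumentError => e
  e.message
ensure
  FileUtils.rm_rf(base) if base               # fine here: we created base ourselves
end

# Run the same removal under three parent modes:
#   0777  world-writable, no sticky bit -> refused
#   1777  world-writable with sticky bit -> allowed
#   0755  not world-writable            -> allowed (plain remove_entry path)
def parent_mode_report
  [0o777, 0o1777, 0o755].to_h { |mode| [mode, secure_remove_under(mode)] }
end

if $PROGRAM_NAME == __FILE__
  parent_mode_report.each do |mode, result|
    puts format("parent %04o -> %s", mode, result)
  end
end
```

The refusal for mode 0777 carries the same "parent directory mode 40777" text as the error reported at the top of this issue.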

ddfreyne commented Sep 6, 2014

Potential fix in #474.

ddfreyne commented Nov 16, 2014

Fixed by #474.

@ddfreyne ddfreyne closed this Nov 16, 2014

rajacsti commented Feb 11, 2015

Thank you @ddfreyne Defreyne, it saved my day.

sunilpuranik commented Nov 22, 2017

Doing sudo chmod o-w tmp/ worked for me
