ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work #465

Closed
Leolik opened this issue Jul 22, 2014 · 13 comments
@Leolik Leolik commented Jul 22, 2014

After saving changes in an scss file I get this error:

ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777)

This bug is reproduced in nanoc 3.7.*
When using 3.6.9, everything works fine.

Member

@ddfreyne ddfreyne commented Aug 1, 2014

This seems to be a problem with your filesystem permissions.

If you are using Mac OS X, consider repairing permissions.

Member

@ddfreyne ddfreyne commented Aug 1, 2014

(Permissions for /tmp need to be 1777.)

Author

@Leolik Leolik commented Aug 1, 2014

I use Ubuntu 14.04 amd64. Permissions for /tmp = 777
The bug is reproduced in nanoc 3.7.*

Member

@ddfreyne ddfreyne commented Aug 1, 2014

The permissions for /tmp should be 1777, not 777. Can you still reproduce the bug with permissions set to 1777?

@Leolik Leolik closed this Aug 1, 2014
@Leolik Leolik reopened this Aug 1, 2014
Author

@Leolik Leolik commented Aug 1, 2014

Sorry, but the bug is still reproduced ((
I set sudo chmod 1777 /tmp but the bug is still reproduced

@ddfreyne ddfreyne changed the title Aug 9, 2014
from: ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: "/tmp/nanoc20140722-4298-1yqtg2j/text_items" (parent directory mode 40777)
to: ArgumentError: parent directory is world writable, FileUtils#remove_entry_secure does not work
Member

@ddfreyne ddfreyne commented Aug 9, 2014

Not quite sure what’s going wrong here. Can you try chmod with -R and removing /tmp/*nanoc*?

@ddfreyne ddfreyne removed this from the 3.7.1 milestone Aug 9, 2014
Author

@Leolik Leolik commented Sep 1, 2014

Forgive me for not answering for so long. I tried sudo chmod 1777 -R /tmp and removing with sudo rm -rf /tmp/*nanoc*, but the bug is still reproduced ((

@ddfreyne ddfreyne removed the waiting label Sep 6, 2014
Member

@ddfreyne ddfreyne commented Sep 6, 2014

It seems like nanoc can just use #rm_rf rather than #remove_entry_secure since it does not need to do the security check for the TOCTTOU vulnerability. Will fix.

@Leolik It is still odd that the problem happens for you, since /tmp is supposed to be excluded from this check anyway. Is /tmp a symlink on your system?

@ddfreyne ddfreyne added this to the 3.7.4 milestone Sep 6, 2014
Author

@Leolik Leolik commented Sep 6, 2014

Ubuntu 14.04
/tmp - not a symlink

ddfreyne added a commit that referenced this issue Sep 6, 2014
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check](1), even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see #465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
Member

@ddfreyne ddfreyne commented Sep 6, 2014

Potential fix in #474.

Member

@ddfreyne ddfreyne commented Nov 16, 2014

Fixed by #474.

@ddfreyne ddfreyne closed this Nov 16, 2014

@rajacsti rajacsti commented Feb 11, 2015

Thank you @ddfreyne Defreyne, it saved my day.


@sunilpuranik sunilpuranik commented Nov 22, 2017

Doing sudo chmod o-w tmp/ worked for me
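
The check behind this error, reproduced as an added Ruby example (not nanoc's code and not part of the thread): `FileUtils.remove_entry_secure` inspects the immediate parent of the directory being removed and raises when that parent is world-writable without the sticky bit. The `site/text_items` layout and the helper names `secure_removal_blocker` and `try_removal` are constructed for illustration.

```ruby
require "fileutils"
require "tmpdir"

# Return the directory (and its mode) that would make
# FileUtils.remove_entry_secure refuse to delete +path+, or nil if the
# removal would proceed. The check looks at the immediate parent of the
# entry and applies only when the entry itself is a directory.
def secure_removal_blocker(path)
  full = File.expand_path(path)
  return nil unless File.lstat(full).directory?

  parent = File.dirname(full)
  st = File.stat(parent)
  return nil unless st.world_writable? # "other" cannot write: check passes
  return nil if st.sticky?             # sticky bit set (1777-style): check passes

  { parent: parent, mode: format("%o", st.mode) }
end

# Constructed layout shaped like the path in the error message
# (<tmp>/site/text_items): set the parent's mode, then attempt removal.
def try_removal(parent_mode)
  Dir.mktmpdir("demo") do |root|
    parent = File.join(root, "site")
    target = File.join(parent, "text_items")
    FileUtils.mkdir_p(target)
    File.chmod(parent_mode, parent)

    blocker = secure_removal_blocker(target)
    outcome = begin
      FileUtils.remove_entry_secure(target)
      :removed
    rescue ArgumentError
      :refused
    end
    File.chmod(0o700, parent) # restore so the temp dir can be cleaned up
    { outcome: outcome, blocker: blocker }
  end
end

if $PROGRAM_NAME == __FILE__
  [0o777, 0o1777, 0o775].each do |mode|
    r = try_removal(mode)
    puts format("parent %04o -> %s %s", mode, r[:outcome], r[:blocker].inspect)
  end
end
```

A parent of mode 40777 is refused, while a sticky 1777 parent or one without the world-write bit lets the removal proceed, consistent with the `chmod o-w` report in the thread.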
