Run Ruby under restricted account

[brunoslav]

This project is for Ruby version 2.4 and newer.
For Ruby versions < 2.4 please file an issue here.

What problems are you experiencing?

I've successfully downloaded and installed Ruby+Devkit 2.4.4-1 (x64). The installation folder is C:\Ruby24-x64.
My program is running as a Windows service under restricted account, which has all permission denied on the C:\ (except C:\Ruby24-x64 ). This service runs Ruby programs via console.
When I try to run it, I get:

C:/Ruby24-x64/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:59:in require': cannot load such file -- test/unit/autorunner (LoadError) from C:/Ruby24-x64/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:59:in require'

All is working as expected if I give permission to this user on the C:\

Steps to reproduce

Create new Windows user and deny all rights on C:\ (allow only on Ruby installation folder).

What's the output from ridk version?

---

ruby:
path: C:/Ruby24-x64
version: 2.4.4
platform: x64-mingw32
ruby_installer:
package_version: 2.4.4-1
git_commit: 21c8dc3
msys2:
path: C:\Ruby24-x64\msys64
cc: x86_64-w64-mingw32-gcc (Rev1, Built by MSYS2 project) 7.3.0
sh: GNU bash, version 4.4.19(2)-release (x86_64-pc-msys)
os: Microsoft Windows [Version 10.0.16299.309]

[larskanis]

I can reproduce this issue. It is due to the way how Dir[] works on Windows. This returns an empty Array if there is any directory within the whole path, without read permission. This is different on Linux, where only the directory where the pattern is applied must be readable.

Dir[] is used several times in rubygems and it's therefore not possible to load any gems. It's possible to workaround this issue with the base: parameter introduced in ruby-2.5. I modified rubygems so that it makes use of this call form: rubygems/rubygems@master...larskanis:use-dir-glob-with-base

With this modification it's possible to use gems without read permission in the root path of the ruby installation. However I doubt, that this modification will be accepted upstream. It will require a bunch of additional changes for compatibility with older rubies, it's for a very narrow use case on Windows only and it doesn't have any effect on POSIX systems. So I'll not open a PR on this.

When the ruby process is started with ruby -d it prints a warning about the permission issue:

ruby -d -e "p Dir['C:/ruby24-x64/some/deeper/path/*'"
-e:1: warning: replace_real_basename: C:/Ruby24-x64: Permission denied

So this message is probably printed here: https://github.com/ruby/ruby/blob/v2_4_4/dir.c#L1638

Unfortunately I don't have a clue what has to be changed to let Dir[] work like on Linux.

[brunoslav]

Thanks! I've updated the files you have edited and all is working as expected.
This issue was not present with Ruby 2.2.* versions, I've first spotted it on 2.3.* versions, but I also had some other issues so I didn't report this earlier.
As you have said, this is a very narrow use case so this fix will work for now,

[mohits]

Hi @brunoslav / @larskanis - do you see a reason that we leave this open, or may we close it?

[brunoslav]

Hi @mohits - fine by me - we can close this.