rvmrc umask changes umask globally #628

Closed
doits opened this Issue Dec 4, 2011 · 12 comments

doits commented Dec 4, 2011

hello,

I installed the latest rvm head as a multi-user install on my Ubuntu Lucid server. It created a /etc/rvmrc with this:

umask g+w

Now, the following happens after I log in:

Last login: Sun Dec  4 16:18:20 2011 from xxx
markus:~$ umask
0022
markus:~$ cd
markus:~$ umask
0002
markus:~$ umask 0022
markus:~$ umask
0022
markus:~$ cd /
markus:/$ umask
0002
markus:/$ 

So after I change the directory (it doesn't matter where I go; I tested it multiple times), the umask g+w is executed. If I remove the line, the umask is not changed. Is this supposed to happen? If yes, why? (It should be mentioned in the docs if that is supposed to be like that - it took me some time to track down that rvm is changing my umask ...)

@ghost ghost assigned mpapis Dec 4, 2011

@mpapis mpapis closed this in b892dfe Dec 4, 2011

IMO, this is a huge security flaw. People who use rvm need to be aware of this issue. They also need to know to remove /etc/profile.d/rvm.sh so that the newer version will replace it.

Owner

mpapis commented Dec 10, 2011

@citrusmoose this is the default behavior for rvm system installation, and has been for a long time; it's just the base assumption of rvm system installation that users of the rvm group get access to everything in rvm. As a side effect this was applied to more than just rvm, but rvm system installation is discouraged: it requires a higher level of administrative skills, including knowledge of setting the system umask properly.

Also, this bug is only applicable to folders that are chown g+s and chmod :rvm; eventually it will hit systems encouraging a single base group for all users (like group users), but this behavior was dropped in the Linux world a few years ago.

doits commented Dec 10, 2011

@mpapis thanks for fixing it.

But I am not sure: wouldn't it be better to allow users of the group rvm to use rvm (e.g. choose their default ruby, use the installed gems), but to update and install gems they would have to use rvmsudo? Because otherwise a malicious user can add some bogus code to rvm which will get executed for every other user. And having rvm installed e.g. on a 100+ user server, it would be a waste of space if every user installs his own rvm and ruby in his home dir.

I'm no expert on rvm, but does it currently work that way for users not in the rvm-group? They can use ruby and the gems, but not update/change them?

@mpapis I'm not questioning using the rvm group, or how you permission the installation directory. My problem is with this "side effect". It's not a "side effect", it's a security flaw. Regardless of whether system wide installation is discouraged or not, there are plenty of users that have gone this route. Understanding umask, and having umask changed out from underneath you (and not being aware of it) are two different things. They need to be aware of the flaw so they can upgrade rvm, and correct any directory/file permissions born from this bug.

I'm not sure what you're trying to say about which directories are affected by the bug. umask affects every newly created file or directory. This would apply to any user who has sourced /etc/profile.d/rvm.sh, whether implicitly or explicitly. Now, I agree that for some users this won't be an issue due to the single-user groups they belong to, but again, there are plenty of systems that don't do this, and plenty of users who have upgraded from early versions of Linux, keeping their old users/groups.

Owner

mpapis commented Dec 10, 2011

@doits @citrusmoose I have nothing against adding a note in the installer/upgrade, it's just that nobody reads them :(

Owner

mpapis commented Dec 11, 2011

@doits and to address your concerns on allowing users to do too much: just do not add anyone to group rvm, allow installing rubies only to trusted users by managing sudo access, and make users use separate gemsets per user with rvm user gemsets run as the user - it will generate a .rvmrc file and .rvm with the required subdirs; also use it as a template for /etc/skel so new users are set up by default. As a last step you might create a greeting message for your users displaying information on creating and using gemsets for gem separation.

This should be a lot better for separation of users. It's called 'rvm mixed mode' and I'll try to find time to describe it on rvm-site - installation.

Owner

mpapis commented Dec 11, 2011

Mixed mode described; also a new switch --auto was added to rvm get ..., so you can now just call rvm get head && rvm get head --auto and the files will be automatically updated - the first call to rvm get head is required to load the new code supporting the --auto switch.

Member

lemoinem commented Sep 21, 2012

Hello,

I'm using RVM 1.15.9 (stable), in mixed mode, fresh install (installed on a brand new server this week) and just discovered this issue...

RVM is messing around with my users' umask, even if they don't belong to the rvm group! I'm using my groups to set up fine-tuned permissions and don't really need RVM to be doing that...

I'm using mixed mode (each user created is forced to run the command rvm user gemsets).

Moreover, the Mixed Mode is not very well documented:

"additional configuration is needed for every user (or in /etc/skel)": what configuration? rvm user gemsets? Does that mean I need to put that into my users' .bashrc?

You also mention not having anybody in the rvm group (and thus preventing the messed-up umask). How do I do that? Do I simply rvmsudo rvm install 1.8.2 each time I need to install/upgrade a new Ruby (this would be perfectly acceptable)?

BTW, I can see the three issues #1010, #657 and #628, although the fixes are supposed to be in the stable branch (I double checked: the commits ARE part of the stable branch).

Do you plan to fix this issue soon? If I make sure to use rvmsudo to install my new rubies, can I comment /etc/rvmrc and get my default umask (067) back?

Owner

mpapis commented Sep 22, 2012

Hello @lemoinem,

  1. documentation: yes, rvm user gemsets; you can read a bit more about this in rvm help user, and no, nothing should be put in users' .bashrc
  2. if not using the rvm group then rvmsudo rvm install ... would be an option, but it has to be run from a separate user, one that does not use mixed mode, as rvmsudo would export user settings to the root session and make the installer put part of the ruby installation into the user directories
  3. I'm sorry this issue is still not fixed for you:

3a. commenting out the entry in /etc/rvmrc is an option if you do not need the rvm group

3b. open a new issue as your problem does not have to be related to this one; in the new issue include a trace of the commands that break your environment settings,

example:

{check before}
rvm --trace use 1.9.3
{check after}
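The umask drift shown in the login session at the top of the thread and the "check before / run / check after" diagnostic suggested here, as an added example (not RVM's own code): it assumes a constructed rc file standing in for /etc/rvmrc and hypothetical helper names.

```shell
#!/bin/bash
# Added example, not RVM's own code: shows how a sourced rc file holding
# "umask g+w" leaks into the calling shell, a save/restore guard that keeps
# the caller's umask intact, and a before/after check for umask drift.
# Constructed stand-in for the /etc/rvmrc line quoted in the issue.
RC_FILE=$(mktemp)
printf 'umask g+w\n' > "$RC_FILE"
trap 'rm -f "$RC_FILE"' EXIT

# Leaky pattern: source the file directly, so its umask call persists.
umask_after_plain_source() {
  umask 0022
  . "$1"
  umask
}

# Mitigation: source the file, then restore whatever umask the caller had.
source_with_umask_guard() {
  local saved
  saved=$(umask)
  . "$1"
  umask "$saved"
}

umask_after_guarded_source() {
  umask 0022
  source_with_umask_guard "$1"
  umask
}

# Check-before / run / check-after: run a command in the current shell and
# fail (exit status 1) if the umask changed underneath the caller.
umask_drift() {
  local before after
  before=$(umask)
  "$@"
  after=$(umask)
  if [ "$before" != "$after" ]; then
    echo "umask changed by '$*': $before -> $after" >&2
    return 1
  fi
}

# True when an octal umask (e.g. 0002) leaves the group-write bit unmasked,
# which is what yields group-writable files and directories.
group_write_unmasked() {
  [ $(( 0$1 & 020 )) -eq 0 ]
}

umask_drift . "$RC_FILE" || echo "plain sourcing leaked umask g+w"
umask_drift source_with_umask_guard "$RC_FILE" && echo "guarded sourcing kept the umask"
```

Run it as a script; the first umask_drift call reproduces the leak, the second shows the guard holding the caller's umask.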

Owner

mpapis commented Sep 22, 2012

Maybe I should also mention that this will not be a problem in RVM 2, as we will use a different shell manipulation model which basically avoids this issue.

Member

lemoinem commented Sep 22, 2012

Hi,

Thanks a lot for your answer and the precisions on how to use the mixed mode! Very helpful!

If updating the documentation/website is something that can be done via github, please tell me which repo/branch to modify and I'll be happy to provide a PR to this end.

I will check and open a new issue as you advised; however, the symptoms are exactly the ones described here, that's why I thought it was the same issue.

The RVM2 note is very interesting, is there currently an ETA regarding RVM2?

Owner

mpapis commented Sep 22, 2012

The site is available here: https://github.com/wayneeseguin/rvm-site - you can either edit in place or follow the instructions from the readme.

RVM2 is in the planning / prototyping stage; progress on it highly depends on the number of issues and support time for RVM1. There should be some news before the end of the year (2012).

mpapis added a commit that referenced this issue Sep 23, 2012
