Fixing gem files permissions

Eric freebsdlists-ruby at chillibear.com
Tue Jun 7 18:31:23 UTC 2011 

> From: Romain Tartière <romain at FreeBSD.org>
> I would like to know if there is some 'standard' way for the rubygems-*
> ports for fixing wrong files permissions.

Not that I'm personally aware of, but other more experienced people on this
list may know better.

> It appears that
> getopt-declare (not in the ports tree, it's a dependency of another port
> I would like to push) install files in a weird fashion:
> 
> ------------------------------8<---------------------------
> ===> SECURITY REPORT:
>       This port has installed the following world-writable files/directories.
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/ge
> topt-declare.gemspec
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/sa
> mples/cmdline_singles.rb
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/sa
> mples/cmdline_array.rb
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/sa
> mples/cmdline_usage.rb
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/te
> st/test_cmdline_parameters.rb
> /tmp/rubygem-getopt-declare-1.29/lib/ruby/gems/1.8/gems/getopt-declare-1.29/RE
> ADME.txt
> [...]
> ------------------------------8<---------------------------
> 
> My current workaround is:
> 
> ------------------------------8<---------------------------
> post-install:
>        @${FIND} ${PREFIX}/${GEM_LIB_DIR} -type f -exec ${CHMOD} 444 '{}' ';'
> ------------------------------8<---------------------------
> 
> I am not really happy with this.  Is there a better way to fix this?

I don't think there is an easy place other than the post-install target
where you can 'patch' gems since the other stages of the port build process
do little for a gem, given it's mainly a wrapper for the gem installer
itself.

I remember had to do similar things with a couple of gems I use personally
(can't remember if I've submitted those as ports yet).  The only thing I'd
say is to restrict your 'fix' to just those files your 'getopt-declare' gem
installs rather than make all the contents of the Gem lib dir 444 and
potentially cause a headache somewhere else.  So something more like (I note
from a quick glance in my own Gem libs that they tend to be root/wheel and
644)

post-install:
  @${FIND} ${PREFIX}/${GEM_LIB_DIR}/${PORTNAME}-${PORTVERSION} -type f -exec
${CHMOD} 644 '{}' ';'

I'd also pop a comment in the Makefile so someone following knows why you've
done it.
 
> I am not used with Ruby gems packaging, and I would like to be sure that
> this is a problem that should be signaled upstream before acting: is it?

I've never looked at the Gem internals to see how it determines file
permissions of those files it installs, but given it *appears* to be a bug
you'd do well to flag it to upstream and see what they say.

Regards

Eric

More information about the freebsd-ruby mailing list