rbenv system wide install results in insecure operation


We use thin clients at our company and we have many users using the same box. I've installed rbenv as a system install by following the instructions on the following website:

https://blakewilliams.me/posts/system-wide-rbenv-install

This boils down to these commands:

cd /usr/local
git clone git://github.com/sstephenson/rbenv.git rbenv
chgrp -R staff rbenv
chmod -R g+rwxXs rbenv

By running the last line there we should be able to install gems as any user of the system who is part of the 'staff' group. We have two developers who are part of that group and neither can install gems.

We get the error:

~ % gem install cheat         
/usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:332:in `exist?': Insecure operation - exist? (SecurityError)
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:332:in `load_file'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:198:in `initialize'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:75:in `new'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:75:in `do_configuration'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:40:in `run'
    from /usr/local/rbenv/versions/2.3.5/bin/gem:21:in `<main>'

If I remove the sticky bit from the group then they can add gems, but if someone tries to remove a gem installed by someone else this will fail:

~ % chmod -R g-s rbenv

How do I allow multiple users install/uninstall gems from a system wide installation of rbenv?


Update

Here is an example of installations in the /usr/local/rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems directory, as you can see:

drwxrwxr-x   5 map7  map7  4.0K Jun  4 15:50 unicode-display_width-1.3.3
drwxrwxr-x   5 andre andre 4.0K May 23 13:22 vcr-3.0.3
drwxrwxr-x   3 map7  staff 4.0K Apr 30 11:01 web-console-3.6.2

The solution to this I found was:

  cd /usr/local/rbenv/versions/2.5.1/lib/ruby/gems/2.5.0
  sudo chown -R map7:staff gems
  sudo chmod -R 775 gems
  sudo chmod g+s gems

1 solution

#1


2  

I took a look at the source code for RubyGems config_file. The error you're encountering is caused by this file operation trying to read $HOME/.gem/credentials (which is hard-coded here).


Based on this, you could try giving rbenv permission to read $HOME/.gem/credentials for one user and see if that allows the user to install a gem.


However, exposing anything called "credentials" to all users seems like a dangerous proposition.


My understanding is that the credentials file only needs to contain real credentials if you're trying to publish gems, but can be empty for most installs. As this is a shared machine, you're already expecting people to trample on each other's gems occasionally, so giving rbenv access to all gem credentials may be acceptable for you...


Until it's not. You mentioned that you "don't want to keep two copies on the same machine" but this is more difficult than it seems. Every programming language has a slightly different tool for avoiding Dependency Hell, but many stick to one pattern: every code project gets its copy of all its dependencies. On my machine I have at least five copies of Rails installed by Bundler, across two or three versions. I don't worry about the disk space, I'm just happy I don't have to sort through a thousand dependencies by hand.

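The permission mistake behind the SecurityError, as an added example that is not part of the question or the answer above. `chmod -R g+rwxXs` applies `s` to every entry in the tree, so regular files such as versions/2.3.5/bin/ruby end up setgid `staff`, not only the directories. A setgid interpreter is exactly what Ruby 2.x guards against: when the real and effective gid differ it raises `$SAFE` to 1, and at `$SAFE` 1 `File.exist?` on a tainted path (RubyGems builds the credentials path from `$HOME`, and environment values are tainted) raises `Insecure operation - exist? (SecurityError)`, which is the backtrace in the question. `chmod -R g-s` on the whole tree fixes the interpreter but also clears the directory setgid bit that makes newly created gem directories inherit the `staff` group, which is why the listing shows directories owned by `map7:map7` and `andre:andre`. The script below builds a throw-away tree (constructed paths, not a real rbenv install), applies the command from the question, counts the setgid regular files it creates, then applies the narrower fix of group-writable files plus setgid on directories only, which is what the update's `chmod g+s gems` does for one directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the effect of
# `chmod -R g+rwxXs` on a constructed directory tree and applies the fix that
# keeps setgid on directories (group inheritance) but not on regular files
# (which would make the interpreter run setgid and trip Ruby's $SAFE=1 check).
set -eu

# Build a miniature rbenv-like tree under a temporary directory (constructed).
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/versions/2.3.5/bin" \
             "$root/versions/2.3.5/lib/ruby/gems/2.3.0/gems"
    # Stand-in for the interpreter: an executable regular file.
    printf '#!/bin/sh\necho fake ruby\n' > "$root/versions/2.3.5/bin/ruby"
    chmod 755 "$root/versions/2.3.5/bin/ruby"
    # Stand-in for a non-executable data file inside the gems tree.
    : > "$root/versions/2.3.5/lib/ruby/gems/2.3.0/gems/dummy-1.0.0.gemspec"
    printf '%s\n' "$root"
}

# Regular files carrying the setgid bit (mode 02000): these are the problem.
count_setgid_files() {
    find "$1" -type f -perm -2000 | wc -l | tr -d ' '
}

# Directories lacking the setgid bit: these lose group inheritance.
count_dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 | wc -l | tr -d ' '
}

# The command from the question: setgid lands on files as well as directories.
apply_broad_chmod() {
    chmod -R g+rwxXs "$1"
}

# Narrower fix: group read/write everywhere, execute only where it already
# makes sense (X), setgid on directories only, explicitly cleared on files.
apply_fixed_chmod() {
    chmod -R g+rwX "$1"
    find "$1" -type d -exec chmod g+s {} +
    find "$1" -type f -exec chmod g-s {} +
}

demo() {
    root=$(make_tree)
    apply_broad_chmod "$root"
    echo "setgid regular files after g+rwxXs: $(count_setgid_files "$root")"
    apply_fixed_chmod "$root"
    echo "setgid regular files after fix:     $(count_setgid_files "$root")"
    echo "directories without setgid:         $(count_dirs_without_setgid "$root")"
    rm -rf "$root"
}

demo
```

On a real install, `find /usr/local/rbenv -type f -perm -2000` is the check worth running before anything else: any hit under `versions/*/bin` means Ruby starts as a setgid process, and the `Insecure operation` error follows from that, not from the gem being installed.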
