Maybe I’m just being paranoid here, but I’m starting to get a little worried that RubyGems could be a nasty attack vector, given certain combinations of malice and stupidity.
Six months ago, the
picked up some collaborators with way more Ruby-savvy than I have, and in short order they moved it to RubyForge and made it into a Gem. Which means that anyone who uses RubyGems, i.e. every Ruby developer in the world, can type
sudo gem install ape
then when they type
ape_server, there’s a Mongrel and a handy local Ape running on port 4000. What’s not to like?
Well, I eventually came to wonder, where is
/usr/bin, it turns out. Which is in root’s path on OS X, GNU/Linux, and Solaris. OK then, so if gem routinely dumps programs in /usr/bin, who’s entitled to create Gems? Anyone with a RubyForge account, it seems. So, how do you get one of those? Well, by going to rubyforge.org and clicking on “New
Am I being paranoid, or is this maybe a problem?
Scenario: J. Evil Hacker creates a
naked_celebrity_video gem and announces it to the world. Installing it, as a side-effect, creates /usr/bin/ls. Or, J.E.H. submits some good patches to a well-known gem and eventually gets blessed as a committer: /usr/bin/ls. Or, J.E.H. manages to get access to a logged-on computer belonging to a well-known gem maintainer; someone who knows what they’re doing, given about fifteen minutes:
OK... once you’ve typed
on your computer, you’ve offered up the keys to your kingdom and arguably lost the right to complain. But you know, I have this feeling that it might be a good idea, as Ruby becomes more and more mainstream, if there were a few warning fenceposts put up around the
gem command. And if anyone’s thinking of a synaptic-like RubyGems GUI, let’s please make sure people know what they’re doing. And if (unlikely) there are any gem maintainers who hadn’t thought about this... be careful.
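One of the fenceposts the post asks for, as an added example and not code from the post or from RubyGems itself: a small audit that checks whether the gem bin directory sits on a PATH and lists every gem-declared executable that would land on top of a command already present in the system directories (the post's `/usr/bin/ls` case). It assumes a modern RubyGems (`Gem::Specification` enumeration and `Gem::Package` for reading a not-yet-installed `.gem` file); the gem and executable names in the comments are constructed.

```ruby
require 'rubygems'
require 'tmpdir'

# True if +bindir+ (where `gem install` drops executables) is on the given
# PATH. The post observes that /usr/bin is on root's PATH, which is why a
# gem-provided 'ls' matters.
def bindir_in_path?(bindir, path_env = ENV.fetch('PATH', ''))
  path_env.split(File::PATH_SEPARATOR).include?(bindir)
end

# executables: [[gem_name, exe_name], ...] as declared in each gemspec.
# Returns [gem_name, exe_name, existing_path] for each executable whose name
# is already a program in one of +system_dirs+. The gem bindir itself is
# skipped so that already-installed gems do not flag their own binaries.
def shadowed_executables(executables, system_dirs, bindir = Gem.bindir)
  dirs = system_dirs.reject { |d| File.expand_path(d) == File.expand_path(bindir) }
  executables.flat_map do |gem_name, exe|
    dirs.map do |dir|
      path = File.join(dir, exe)
      [gem_name, exe, path] if File.file?(path) && File.executable?(path)
    end.compact
  end
end

# Declared executables of every gem currently installed on this machine.
def installed_gem_executables
  Gem::Specification.flat_map { |s| s.executables.map { |e| [s.name, e] } }
end

# Declared executables of a downloaded but not-yet-installed .gem file, so the
# check can run before `gem install` has executed anything from the package
# (hypothetical usage: packaged_gem_executables('naked_celebrity_video-1.0.gem')).
def packaged_gem_executables(gem_file)
  spec = Gem::Package.new(gem_file).spec
  spec.executables.map { |e| [spec.name, e] }
end

if __FILE__ == $PROGRAM_NAME
  dirs = %w[/bin /usr/bin /sbin /usr/sbin]
  puts "gem bindir #{Gem.bindir} on PATH: #{bindir_in_path?(Gem.bindir)}"
  shadowed_executables(installed_gem_executables, dirs).each do |gem_name, exe, path|
    puts "gem #{gem_name} provides '#{exe}', which shadows #{path}"
  end
end
```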