RubyGems.org: Discussion 2012-08-04T18:49:32Z
Security Concern with the gem system...
2010-11-03T14:21:24Z 2012-08-04T18:40:10Z
<div><p>Suppose I wrote a gem. Let's call it "rals". It does the
following</p>
<p>1) something Malicious<br>
2) Installs Rails</p>
<p>For bonus points, it would also uninstall itself and try to
suppress "rals successfully installed". (perhaps it spawns a new
thread and then kills the gem process)...</p>
<p>A simple typo could lead to a massive security breach on the
user's system. It's particularly bad that many people do "sudo gem
install" so the process is running as root...</p></div>
Stephen Blackstone

2012-08-04T18:49:31Z
<div><p>Sorry, this comment was buried in our spam inbox. And WOW from
2010! Very buried under tons of Russian spam.</p>
<p><code>gem install</code> can't run any code on the users' system
after install. You have to specifically invoke code within it from
<em>another</em> ruby process. In general, yes, typos are a
problem, but we haven't seen anything yet. Thanks for bringing this
up though.</p></div>
Nick Quaranto
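
<p>The typo risk raised in this thread ("rals" for "rails") can be caught before <code>gem install</code> runs. The following is an added example, not part of the original discussion and not RubyGems code: it compares a requested name against a list of gems you actually intend to use. The list <code>KNOWN_GEMS</code>, the function names and the distance thresholds are assumptions.</p>

```ruby
# Added example: flag gem names that are near-misses of names you intend to install.
# KNOWN_GEMS is a constructed sample; in practice derive it from Gemfile.lock
# or an internally reviewed list.
KNOWN_GEMS = %w[rails rake rack nokogiri bundler rspec].freeze

# Optimal string alignment distance: insert, delete, substitute,
# plus swapping two adjacent characters (the most common typing slip).
def edit_distance(a, b)
  d = Array.new(a.length + 1) { |i| [i] + [0] * b.length }
  (0..b.length).each { |j| d[0][j] = j }
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Compare case-insensitively and ignore separators, so "Ra-ils" is treated like "rails".
def normalize(name)
  name.downcase.gsub(/[-_]/, "")
end

# Returns [:ok, name] for an exact match, [:suspect, intended] for a near-miss,
# and [:unknown, nil] when the name resembles nothing on the list.
def check_gem_name(requested, known = KNOWN_GEMS)
  return [:ok, requested] if known.include?(requested)

  req = normalize(requested)
  limit = req.length < 5 ? 1 : 2 # short names tolerate fewer edits
  near = known.map { |k| [k, edit_distance(req, normalize(k))] }
              .select { |_, dist| dist <= limit }
              .min_by { |_, dist| dist }
  near ? [:suspect, near[0]] : [:unknown, nil]
end

if __FILE__ == $PROGRAM_NAME
  %w[rails rals rials nokogirl sinatra].each do |name|
    status, intended = check_gem_name(name)
    puts format("%-10s %-8s %s", name, status, intended)
  end
end
```

<p>A <code>:suspect</code> result is a reason to stop and re-read the command, especially before running it with <code>sudo</code>; <code>:unknown</code> means only that the name is not on your list.</p>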