Security Concern with the gem system...

Stephen Blackstone's Avatar

Stephen Blackstone

03 Nov, 2010 02:21 PM

Suppose I wrote a gem.. Lets call it "rals". It does the following

1) something Malicious
2) Installs Rails

For bonus points, it would also uninstall itself and try to suppress "rals successfully installed". (perhaps it spawns a new thread and then kills the gem process)...

A simple typo could lead to a massive security breach on the users system. Its particularly bad that many people do "sudo gem install" so the process is running as root...

  1. Support Staff 1 Posted by Nick Quaranto on 04 Aug, 2012 06:49 PM

    Nick Quaranto's Avatar

    Sorry, this comment was buried in our spam inbox. And WOW from 2010! Very buried under tons of Russian spam.

    gem install can't run any code on the users' system after install. You have to specifically invoke code within it from another ruby process. In general, yes, typos are a problem, but we haven't seen anything yet. Thanks for bringing this up though.

  2. Nick Quaranto closed this discussion on 04 Aug, 2012 06:49 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac