This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

Do not check the entire user_home for writing #5708

Closed
bibendi opened this issue Jun 7, 2017 · 4 comments

bibendi commented Jun 7, 2017

Our admins say that having a user_home for writing is not safe.

One of many examples: http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt

An approximate solution to the problem bibendi@a8630e7

Or if the current use of the temporary folder is the solution, then how to get rid of this message

`/home/pc` is not writable.
Bundler will use `/tmp/bundler/home/merkushin' as your home directory temporarily.

@colby-swandale
Member

Hi @bibendi can you explain in more detail what the problem is?

@bibendi
Author

bibendi commented Jun 7, 2017

  • Our $HOME is not writeable.
  • We can mkdir $HOME/.bundler with write-permissions, but this does not solve the problem.
  • If the current use of the temporary folder is the solution, which in general is not affected by anything, then how to get rid of warning message?

@bountytesting123

We are currently running into this issue as well. We're trying to set up a read-only, immutable docker container to run our application inside of for our CI and Production environments (We do mount a tmpfs volume at /tmp for any temporary files such as pid files.)

We run our bundle install command in the Dockerfile (before we make our filesystem read-only), however the code path mentioned by @bibendi is hit anytime the bundle command is run and there doesn't appear to be any environment variable available to prevent bundler from checking that the user's home directory is writeable. From there it will show the warning message and create the tmp directory at /tmp/bundler/home/#{user} even though it never uses it.

$ bundle config
`/home/testuser` is not writable.
Bundler will use `/tmp/bundler/home/testuser' as your home directory temporarily.
Settings are listed in order of priority. The top value will be used.
silence_root_warning
Set via BUNDLE_SILENCE_ROOT_WARNING: true

app_config
Set via BUNDLE_APP_CONFIG: "/tmp/bundler"

bin
Set via BUNDLE_BIN: "/usr/local/bundle/bin"

path
Set via BUNDLE_PATH: "/usr/local/bundle"

gemfile
Set via BUNDLE_GEMFILE: "/home/testuser/Gemfile"

@colby-swandale
Member

Bundler has support for specifying Bundler's home directory with ENV vars now. See #6024 for more information. This can be closed now.
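
Added example, not part of the thread and not Bundler's own code: a sketch of a home-resolution order that honors an explicit override, needs only the per-user subdirectory (not all of `$HOME`) to be writable, and otherwise falls back to a private temporary directory. The helper name `resolve_state_home`, its return shape and the fallback policy are assumptions; `BUNDLE_USER_HOME` is the Bundler environment variable for the user home, which the thread itself does not name.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper (illustration only, not Bundler's implementation).
# Picks a directory for per-user state and reports where it came from.
# Returns [path, source] with source one of :override, :home, :tmp.
def resolve_state_home(env = ENV, tmp_root: Dir.tmpdir, subdir: ".bundle")
  override = env["BUNDLE_USER_HOME"]
  unless override.nil? || override.empty?
    # An explicit override wins: $HOME is never probed, so a locked-down
    # home directory produces neither a warning nor a stray temp directory.
    FileUtils.mkdir_p(override, mode: 0o700)
    return [override, :override]
  end

  home = env["HOME"]
  if home && File.directory?(home)
    dot = File.join(home, subdir)
    # Only the dedicated subdirectory has to be writable. Admins can keep
    # $HOME itself read-only and pre-create this one directory.
    return [dot, :home] if File.directory?(dot) && File.writable?(dot)

    if File.writable?(home)
      Dir.mkdir(dot, 0o700)
      return [dot, :home]
    end
  end

  # Fallback: a fresh directory with mode 0700 and a random suffix, rather
  # than a fixed, user-derived path under a shared temp root.
  [Dir.mktmpdir("bundler-home-", tmp_root), :tmp]
end
```

In a read-only container, the override would point at a directory on the tmpfs mount, so the writability check on `$HOME` is skipped entirely.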
