[cvsspam-devel] Ruby with CVS and Ext/Ssh protocol and worldwritable /tmp dir

David Holroyd dave at badgers-in-foil.co.uk
Wed Nov 29 21:53:16 UTC 2006


On Wed, Nov 29, 2006 at 02:45:20PM -0700, McCullough, Ryan wrote:
> I believe it is in the path for my account, but cvs spam runs under the cvs
> account. Why would it only do this with SSH/EXT Protocol though?

What credentials do you use with SSH/EXT?

If you use the CVS user's credentials, then I dunno what's up with that.

If you use your personal credentials (and unless you've got CVS set up
setuid/setgid to the cvs user), then in all likelihood you are actually
executing the CVS server as yourself, rather than the cvs user.

You could test that idea by enabling the CVSspam --debug flag and
inspecting the files/folders that will then get left in /tmp.  If they
are owned by you, then you've found the problem :)


> -----Original Message-----
> From: David Holroyd [mailto:dave at badgers-in-foil.co.uk] 
> Sent: Wednesday, November 29, 2006 2:31 PM
> To: McCullough, Ryan
> Cc: cvsspam-devel at lists.badgers-in-foil.co.uk
> Subject: Re: [cvsspam-devel] Ruby with CVS and Ext/Ssh protocol and
> worldwritable /tmp dir
> 
> On Tue, Nov 28, 2006 at 05:41:33PM -0700, McCullough, Ryan wrote:
> > T rmccullough at bighorn:/{7}>ruby --version ruby 1.8.3 (2005-09-21) 
> > [i686-linux]
> > 
> > I don't remember if it fails or succeeds. I think it sends an email 
> > for each individual file in the check-in.
> 
> I think that the warnings are benign (though annoying).  Their appearance
> should not affect the operation of CVSspam.
> 
> Googling for that message, I've seen suggestions that the warning may not be
> produced in later releases of Ruby (the discussions are from around
> September 2006, so I don't know if a Ruby release with this fix is available
> yet).
> 
> It may be possible to silence the warning with your current Ruby install by
> doing some shell-scripting to remove '.' from the path just before the
> hook-script is invoked.  I'm not too sure though.  Maybe something like,
> 
> ^ PATH=/bin:/usr/bin /path/to/cvsspam.rb ...
> 
> ??
> 
> I know that on most systems I use, '.' isn't in the path though, and if your
> system is the same, the above would make no difference :(
> 
> 
> > > In S:\sqabas32_ie7: "C:\Program Files\TortoiseCVS\cvs.exe" -q commit 
> > > -m "fix failing commit through ssh" TestAstrobot.rec 
> > > CVSROOT=:ext:********@********:/home/cvs
> > >  
> > > Checking in TestAstrobot.rec;
> > > /home/cvs/repo/rational/robot/sqabas32/TestAstrobot.rec,v  <-- 
> > > TestAstrobot.rec new revision: 1.1.2.5; previous revision: 1.1.2.4 
> > > done
> > > /usr/local/lib/cvsspam/collect_diffs.rb:65: warning: Insecure world 
> > > writable dir /tmp, mode 040777
> > > /usr/local/lib/cvsspam/collect_diffs.rb:65: warning: Insecure world 
> > > writable dir /tmp, mode 040777
> > > /usr/local/lib/cvsspam/collect_diffs.rb:314: warning: Insecure world 
> > > writable dir /tmp, mode 040777
> > > /usr/local/lib/cvsspam/cvsspam.rb:1820: warning: Insecure world 
> > > writable dir /tmp, mode 040777
> > >  
> > > Success, CVS operation completed


ta,
dave
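
An added example, not part of the original message or of CVSspam: a Ruby check, assuming the warning is raised for a world-writable directory listed in PATH (as the PATH workaround in the quoted reply implies), that lists such PATH entries with their mode and sticky bit, plus a helper reporting the owning uid of each entry in a directory such as the one --debug leaves behind. The function names and sample directories are constructed for illustration.

```ruby
require 'tmpdir'

# PATH entries that are world-writable directories, with mode and sticky bit.
# An empty PATH entry means the current directory, the same as '.'.
def world_writable_path_entries(path = ENV.fetch('PATH', ''))
  dirs = path.split(File::PATH_SEPARATOR, -1).map { |d| d.empty? ? '.' : d }.uniq
  dirs.each_with_object([]) do |dir, found|
    begin
      st = File.stat(dir)
    rescue SystemCallError
      next # missing or unreadable entry: nothing to report
    end
    next unless st.directory? && (st.mode & 0o002) != 0
    found << { dir: dir, mode: format('%06o', st.mode), sticky: st.sticky? }
  end
end

# Owning uid of each entry directly under dir (lstat: symlinks not followed).
def entry_owner_uids(dir)
  Dir.children(dir).sort.map { |n| [n, File.lstat(File.join(dir, n)).uid] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base| # constructed sample directories, not a real PATH
    modes = { 'open' => 0o777, 'sticky' => 0o1777, 'private' => 0o755 }
    dirs = modes.map do |name, mode|
      File.join(base, name).tap { |d| Dir.mkdir(d); File.chmod(mode, d) }
    end
    world_writable_path_entries(dirs.join(File::PATH_SEPARATOR)).each do |e|
      puts "#{e[:dir]} mode #{e[:mode]} sticky=#{e[:sticky]}"
    end
    File.write(File.join(dirs.last, 'sample.txt'), 'x')
    entry_owner_uids(dirs.last).each do |name, uid|
      puts "#{name}: uid #{uid} (running as uid #{Process.euid})"
    end
  end
end
```

Run from the hook's environment, `world_writable_path_entries` with no argument audits the PATH the hook actually sees, and comparing `entry_owner_uids` against the cvs account's uid shows which user the server ran as.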


