Hi, I am wondering what the security implications of having a LOAD_PATH that includes '.' are.

Debian includes software that is written in ruby and is executed with root privilege, such as apt-listbugs. LOAD_PATH is the list of paths that ruby libraries (MODULE.rb, MODULE.so) are searched in. The load path will only fall back to '.' when it cannot find the required module in the other paths, which should normally not be the case, but I'm feeling a bit uneasy about that.

A theoretical attack scenario is putting a module under /tmp and waiting until a user executes a ruby script that requires that module with CWD=/tmp, where the module also happens not to exist in the other directories listed in LOAD_PATH.

Example of LOAD_PATH (on my amd64 machine):

  $ ruby -e '$:.each{|l| print l+"\n"}'
  /usr/local/lib/site_ruby/1.8
  /usr/local/lib/site_ruby/1.8/x86_64-linux
  /usr/local/lib/site_ruby
  /usr/lib/ruby/1.8
  /usr/lib/ruby/1.8/x86_64-linux
  .

regards,
junichi
-- 
[EMAIL PROTECTED],netfort.gr.jp}
Debian Project
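The scenario described in the message above, reproduced as a runnable demonstration. This is an added example, not code from the post or from apt-listbugs: it plants a module under a directory standing in for /tmp, then performs the `require` that a privileged script would, three times: with '.' in the load path and the module absent from the system directory, with '.' removed, and with a legitimate copy present earlier in the load path. The library name, the directory names and the module bodies are all constructed for the demo. Current Ruby (1.9.2 and later) no longer puts '.' in $LOAD_PATH by default, so the example adds it explicitly to reproduce the 1.8 behaviour.

```ruby
require 'tmpdir'
require 'fileutils'

# Assumed name of a library the privileged script asks for. Nothing in the
# "system" directory provides it, so the lookup can fall through to "." (CWD).
MODULE_NAME = 'apt_listbugs_helper_demo'

# Write MODULE_NAME.rb into +dir+; loading it records which copy actually ran.
# The planted copy only sets a flag here; under a root-run script it could do
# anything.
def write_module(dir, variant)
  path = File.join(dir, "#{MODULE_NAME}.rb")
  File.write(path, "$loaded_variant = #{variant.inspect}\n")
  path
end

# Run `require MODULE_NAME` the way a script would, with the given CWD and a
# load path standing in for the 1.8 one. Returns the variant that executed
# (:planted or :legit) or :load_error if no candidate was found.
def require_with(cwd:, load_path:)
  $loaded_variant = nil
  # require caches loaded files by absolute path; forget earlier loads so that
  # every run of this helper performs a real lookup.
  $LOADED_FEATURES.delete_if { |f| f.end_with?("#{MODULE_NAME}.rb") }
  saved = $LOAD_PATH.dup
  $LOAD_PATH.replace(load_path)
  Dir.chdir(cwd) do
    require MODULE_NAME
    $loaded_variant
  end
rescue LoadError
  :load_error
ensure
  $LOAD_PATH.replace(saved) if saved
end

# Build the three situations under a throwaway root directory and return what
# happened in each.
def run_scenario
  results = {}
  Dir.mktmpdir('loadpath-demo') do |root|
    tmp = File.join(root, 'tmp')            # stands in for world-writable /tmp
    sys = File.join(root, 'usr_lib_ruby')   # stands in for /usr/lib/ruby/1.8
    FileUtils.mkdir_p([tmp, sys])
    write_module(tmp, :planted)             # the attacker's copy

    # 1. Module not in the system dir, "." in the path, script run with CWD=/tmp:
    #    the fallback to "." loads the planted file.
    results[:dot_fallback] = require_with(cwd: tmp, load_path: [sys, '.'])

    # 2. Same situation with "." removed from the path: require fails instead
    #    of silently picking up whatever is in the CWD.
    results[:no_dot] = require_with(cwd: tmp, load_path: [sys])

    # 3. "." still present, but a legitimate copy exists earlier in the path:
    #    the system copy wins, which is why the attack needs a module that
    #    is absent from every other LOAD_PATH directory.
    write_module(sys, :legit)
    results[:system_copy_wins] = require_with(cwd: tmp, load_path: [sys, '.'])
  end
  results
end

if __FILE__ == $0
  run_scenario.each { |case_name, outcome| puts "#{case_name}: #{outcome}" }
end
```

The middle case is the mitigation a packager can apply without waiting for the interpreter to change: a script run as root can drop the entry itself with `$LOAD_PATH.delete('.')` before its first `require`, or check `$LOAD_PATH.include?('.')` and refuse to run. The third case shows the limiting condition from the message: the planted copy is reached only when the name resolves in no earlier directory, so a typo in a require line, or a library that was removed from the package but still required, is what turns the '.' entry into a problem.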