Bundle install with cached Ruby version fails , with writable permissions error . #633

vidyasagarnimmagaddi · 2024-08-16T09:39:54Z

vidyasagarnimmagaddi
Aug 16, 2024

Hi team, we do have customer issue .
Error:
The installation path is insecure. Bundler cannot continue."/opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems" is world-writable(without sticky bit).Bundler cannot safely replace gems in world-writeable directories due to potential vulnerabilities.Please change the permissions of this directory or choose a different install path.
Analysis:
This new behaviour seems to be the result of bundler v2.5.12 release, from this PR in particular.

Toolcached Ruby comes with some of the default gems empty. The new behaviour is to re-download them, which causes error because of the rwxrwxrwx rights we have explicitly configured for /opt directory.
We have provided a workaround to customer chmod -R o-w /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems
Now we need to implement this while image generation ,
we use packer user during image generation. Then, later, we create runner user when provision VM with image.

We need your guidance in fixing permissions during the image generation in our Ruby , and what might the implication if we use chmod -R o-w for Ruby folder.`

Run ls -la /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems
total 352
drwxrwxrwx 88 1001 docker 4096 Apr 23 13:05 .
drwxrwxrwx  9 1001 docker 4096 Apr 23 13:05 ..

Files are owned by docker group and runner belongs to docker group.