Check or add a system wide gemrc file at every rubygems load

.. to prevent hijacking by another user.
oneclick · Dec 19, 2022 · f558a38 · f558a38
1 parent d7bcb82
commit f558a38
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/resources/files/operating_system.rb b/resources/files/operating_system.rb
@@ -19,3 +19,23 @@
     end
   end
 end
+
+begin
+  config_fname = Gem::ConfigFile::SYSTEM_WIDE_CONFIG_FILE
+  unless File.exist?(config_fname)
+    File.open(config_fname, File::CREAT | File::EXCL | File::WRONLY) do |fd|
+      fd.write <<-EOT
+# This is the system wide config file for Rubygems.
+# It is generated by RubyInstaller as a security measure.
+# Feel free to add any rubygems config options as described on:
+#    https://docs.ruby-lang.org/en/3.1/Gem/ConfigFile.html
+# But do not delete this file as otherwise it could be hijacked by
+# another user in a multi-user environment.
+---
+{}
+      EOT
+    end
+  end
+rescue => err
+  warn "Warning: Failed to create a system wide 'gemrc' file, making Rubygems possibly insecure: #{err}"
+end