794493 – dev-ruby/bundler: disable build-in sudo function

Bug 794493 - dev-ruby/bundler: disable build-in sudo function

Summary: dev-ruby/bundler: disable build-in sudo function

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Ruby Team

URL:	https://github.com/rubygems/rubygems/...
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2021-06-06 00:31 UTC by Anton Bolshakov
Modified:	2021-06-06 11:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
nosudo patch (nosudo.patch,362 bytes, patch) 2021-06-06 00:31 UTC, Anton Bolshakov	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Anton Bolshakov 2021-06-06 00:31:34 UTC

Created attachment 713847 [details, diff]
nosudo patch

Hello,

Gentoo wants to control all installed packages unconditionally.

bundler has a default build-in function to run sudo "if possible", i.e if a current user has NOPASSWD sudo option. For such users, bunlder will escalate it is privilege from a regular user quietly and install (overwrite) any files installed by portage earlier (/usr/bin, /usr/lib{32/64}/ruby locations. That is an unexpected and almost malicious because it will not even try to ask for password if NOPASSWD option is not configured and will install all packages to a local folder.

There is no option to disable it by default during installation and the upstream seems agreed that it should be removed, see:
https://github.com/rubygems/rubygems/issues/4031

I suggest disabling it in Gentoo earlier with a little provided patch.