rbenv system wide install results in insecure operation

We use thin clients at our company and we have many users using the same box. I've installed rbenv as a system install by following the instructions on the following website:

https://blakewilliams.me/posts/system-wide-rbenv-install

This boils down to these commands:

cd /usr/local
git clone git://github.com/sstephenson/rbenv.git rbenv
chgrp -R staff rbenv
chmod -R g+rwxXs rbenv

By running the last line there we should be able to install gems as any user of the system who is part of the 'staff' group. We have two developers who are part of that group and neither can install gems.

We get the error:

~ % gem install cheat         
/usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:332:in `exist?': Insecure operation - exist? (SecurityError)
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:332:in `load_file'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/config_file.rb:198:in `initialize'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:75:in `new'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:75:in `do_configuration'
    from /usr/local/rbenv/versions/2.3.5/lib/ruby/2.3.0/rubygems/gem_runner.rb:40:in `run'
    from /usr/local/rbenv/versions/2.3.5/bin/gem:21:in `<main>'

If I remove the sticky bit from the group then they can add gems, but if someone tries to remove a gem installed by someone else this will fail:

~ % chmod -R g-s rbenv

How do I allow multiple users install/uninstall gems from a system wide installation of rbenv?

Update

Here is an example of the installations in the /usr/local/rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems directory, as you can see:

drwxrwxr-x   5 map7  map7  4.0K Jun  4 15:50 unicode-display_width-1.3.3
drwxrwxr-x   5 andre andre 4.0K May 23 13:22 vcr-3.0.3
drwxrwxr-x   3 map7  staff 4.0K Apr 30 11:01 web-console-3.6.2

The solution I found was:

    cd /usr/local/rbenv/versions/2.5.1/lib/ruby/gems/2.5.0
    sudo chown -R map7:staff gems
    sudo chmod -R 775 gems
    sudo chmod g+s gems
map7 asked May 23 '18 03:05


1 Answer

I took a look at the source code for RubyGems config_file. The error you're encountering is caused by this file operation trying to read $HOME/.gem/credentials (which is hard-coded here).

Based on this, you could try giving rbenv permission to read $HOME/.gem/credentials for one user and see if that allows the user to install a gem.

However, exposing anything called "credentials" to all users seems like a dangerous proposition.

My understanding is that the credentials file only needs to contain real credentials if you're trying to publish gems, but can be empty for most installs. As this is a shared machine, you're already expecting people to trample on each other's gems occasionally, so giving rbenv access to all gem credentials may be acceptable for you...

Until it's not. You mentioned that you "don't want to keep two copies on the same machine", but this is more difficult than it seems. Every programming language has a slightly different tool for avoiding Dependency Hell, but many stick to one pattern: every code project gets its own copy of all its dependencies. On my machine I have at least five copies of Rails installed by Bundler, across two or three versions. I don't worry about the disk space; I'm just happy I don't have to sort through a thousand dependencies by hand.

Sebastian Sangervasi answered Oct 15 '22 07:10
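An added example, not part of the question or the answer above: a POSIX shell script that audits a shared rbenv prefix for setuid/setgid regular files and applies a group-writable layout with the setgid bit on directories only. The background it relies on: `chmod -R g+rwxXs` puts the setgid bit on every file, including the `ruby` executable under `versions/*/bin`, so the interpreter starts with an effective gid (`staff`) that differs from the caller's real gid. Ruby before 2.7 responds to a setuid/setgid start by raising `$SAFE` to 1; at that level strings taken from the environment such as `$HOME` are tainted, and `File.exist?` on a tainted path raises the `Insecure operation - exist? (SecurityError)` shown in the question. Setgid on a directory (which is what makes new files inherit the group) does not have that effect. The prefix path, the group name and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit and repair the group
# permission layout of a shared rbenv prefix.
#
# Assumed background (Ruby < 2.7): when the interpreter starts with an
# effective gid that differs from the real gid, Ruby raises $SAFE to 1,
# ENV-derived strings such as $HOME are tainted, and File.exist? on a
# tainted path raises "Insecure operation - exist? (SecurityError)".
# `chmod -R g+rwxXs` sets the setgid bit on every file, including
# bin/ruby, which is exactly that situation. Group inheritance for new
# files only needs setgid on directories.

# Print every regular file under $1 that carries setuid or setgid.
# In a gems prefix there should be none: such files run with borrowed
# privileges for every developer who executes them.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print directories under $1 that lack the setgid bit, i.e. where files
# created by one developer would not be owned by the shared group.
find_dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Apply the layout the question converged on, with setgid restricted to
# directories:
#   - everything owned by group $2 (assumption: caller may chgrp to it)
#   - group read/write; execute only on directories and files that are
#     already executable (symbolic X), so data files do not become +x
#   - setgid cleared on files, then set on directories only
fix_shared_prefix() {
    prefix=$1
    group=$2
    chgrp -R "$group" "$prefix"
    chmod -R g+rwX,g-s "$prefix"
    find "$prefix" -type d -exec chmod g+s {} +
}

# Usage (assumed paths): sh fix_rbenv_perms.sh /usr/local/rbenv staff
if [ "$#" -eq 2 ]; then
    echo "setuid/setgid regular files before:"
    find_setid_files "$1"
    fix_shared_prefix "$1" "$2"
    echo "setuid/setgid regular files after:"
    find_setid_files "$1"
fi
```

Run `find_setid_files /usr/local/rbenv` first; if `versions/*/bin/ruby` appears in the output, the SecurityError is explained without touching any credentials file. One caveat the layout does not solve on its own: a directory created by `gem install` gets its mode from the installing user's umask, so with the common `022` it is `755` and the group still cannot delete from it. Developers on the shared box need a umask of `002` (or `007`) for later `gem uninstall` by another user to succeed.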