Description
Image Version 20260201.15.1 of Ubuntu 24.04 and 22.04 (Ver. 20260201.24.1) makes the directories under /opt/hostedtoolcache/Ruby/4.0.1/x64/lib/ruby/gems/4.0.0/gems/* world-writable.
```
drwxrwxrwx+ 86 runner runner 4096 Jan 13 07:07 .
drwxrwxrwx+ 9 runner runner 4096 Jan 13 07:07 ..
drwxrwxrwx+ 4 runner runner 4096 Jan 13 07:07 abbrev-0.1.2
drwxrwxrwx+ 4 runner runner 4096 Jan 13 07:07 base64-0.3.0
drwxrwxrwx+ 4 runner runner 4096 Jan 13 07:07 benchmark-0.5.0
drwxrwxrwx+ 5 runner runner 4096 Jan 13 07:07 bigdecimal-4.0.1
drwxrwxrwx+ 3 runner runner 4096 Jan 13 07:07 bundler-4.0.3
drwxrwxrwx+ 4 runner runner 4096 Jan 13 07:07 csv-3.3.5
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 date-3.5.1
drwxrwxrwx+ 6 runner runner 4096 Jan 13 07:07 debug-1.11.1
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 delegate-0.6.1
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 did_you_mean-2.0.0
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 digest-3.2.1
drwxrwxrwx+ 3 runner runner 4096 Jan 13 07:07 drb-2.2.3
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 english-0.8.1
drwxrwxrwx+ 3 runner runner 4096 Jan 13 07:07 erb-6.0.1
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 error_highlight-0.7.1
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 etc-1.4.6
drwxrwxrwx+ 2 runner runner 4096 Jan 13 07:07 fcntl-1.3.0
```
It leads to significant CI issues in the Ruby ecosystem, like:
```
/opt/hostedtoolcache/Ruby/4.0.1/x64/lib/ruby/gems/4.0.0/gems/erb-6.0.1 is
world-writable and does not have the sticky bit set, making it insecure to
remove due to potential vulnerabilities.
```
- https://github.com/ruby/uri/actions/runs/21808232360/job/62915249798?pr=206
- https://github.com/ruby/mutex_m/actions/runs/21816659061/job/62939680966?pr=40
- https://github.com/ruby/mathn/actions/runs/21839232422/job/63018726635?pr=47
- https://github.com/ruby/reline/actions/runs/21845331655/job/63039751332?pr=884
- https://github.com/ruby/bigdecimal/actions/runs/21827464674/job/62976117279?pr=487
- https://github.com/ruby/io-console/actions/runs/21823405869/job/62962230048?pr=115
...
The same directory on the macOS runner is not world-writable.
```
/Users/runner/hostedtoolcache/Ruby/4.0.1/arm64/lib/ruby/gems/4.0.0/gems
drwxr-xr-x 86 runner staff 2752 Jan 13 07:06 .
drwxr-xr-x 9 runner staff 288 Jan 13 07:06 ..
drwxr-xr-x 8 runner staff 256 Jan 13 07:06 abbrev-0.1.2
drwxr-xr-x 8 runner staff 256 Jan 13 07:06 base64-0.3.0
drwxr-xr-x 9 runner staff 288 Jan 13 07:06 benchmark-0.5.0
drwxr-xr-x 8 runner staff 256 Jan 13 07:06 bigdecimal-4.0.1
drwxr-xr-x 3 runner staff 96 Jan 13 07:06 bundler-4.0.3
drwxr-xr-x 7 runner staff 224 Jan 13 07:06 csv-3.3.5
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 date-3.5.1
drwxr-xr-x 13 runner staff 416 Jan 13 07:06 debug-1.11.1
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 delegate-0.6.1
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 did_you_mean-2.0.0
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 digest-3.2.1
drwxr-xr-x 5 runner staff 160 Jan 13 07:06 drb-2.2.3
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 english-0.8.1
drwxr-xr-x 3 runner staff 96 Jan 13 07:06 erb-6.0.1
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 error_highlight-0.7.1
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 etc-1.4.6
drwxr-xr-x 2 runner staff 64 Jan 13 07:06 fcntl-1.3.0
```
I'm a member of the Ruby core and RubyGems teams. We are tracking this issue in the following:
- Bundler cannot reinstall [gem] because there's a previous installation of it at ... that is unsafe to remove ruby/rubygems#9284
- Remove workaround for broken pre-installed Ruby 4.0.1 on ubuntu-latest runner Shopify/ruby-lsp#3942
Please let me know if you need additional support from me.
Platforms affected
- Azure DevOps
- GitHub Actions - Standard Runners
- GitHub Actions - Larger Runners
Runner images affected
- Ubuntu 22.04
- Ubuntu 24.04
- Ubuntu Slim
- macOS 14
- macOS 14 Arm64
- macOS 15
- macOS 15 Arm64
- macOS 26
- macOS 26 Arm64
- Windows Server 2022
- Windows Server 2025
- Windows Server 2025 with Visual Studio 2026
Image version and build link
- 20260201.15.1 of Ubuntu 24.04
- 20260201.24.1 of Ubuntu 22.04
Is it regression?
Yes
Expected behavior
Add sticky bit or remove +w permissions from group and others.
Actual behavior
Only directories with 777 permissions are provided.
Repro steps
There are no specific steps. It's an issue with the runner images.