Update 2010/10/02: see here for a real-life example.
If you habitually type sudo gem install on your development box, you are potentially exposing yourself to nasty behavior. If you have sudo gem install as part of your automated deploy process, you are begging for something tragic to happen.
- A gem can execute arbitrary code at install time. [1]
- Anyone with the proper permissions on rubygems.org can publish a new version of a gem at any point. This code is not reviewed or audited by anyone before publication.
- gem install pulls in the latest version of any dependencies that it can, for the entire dependency graph.
All it takes is for one malicious or incompetent gem writer to do something wrong, even in a gem you don’t directly depend on, and sudo gem install will destroy your box.
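One way to look before you leap, as an added example that is not code from the original post: download the package without installing it (gem fetch NAME only saves the .gem file), then read its metadata offline through the rubygems library to see whether it carries install-time extension hooks and which of its runtime dependencies are left without an upper version bound, so that a plain gem install would resolve them to whatever the newest release is. The function names audit_gem and upper_bounded? are chosen here, not part of rubygems.

```ruby
#!/usr/bin/env ruby
# Offline pre-install audit of a downloaded .gem file (added example, not the
# post's own code). Assumes the .gem was saved with `gem fetch NAME` and only
# reads its metadata.gz through the rubygems library; nothing in it executes.
require "rubygems"
require "rubygems/package"

# Reports what `gem install` would do with this package:
#   :extensions   - extconf.rb / Rakefile hooks that run at install time
#   :dependencies - every runtime dependency with its requirement string
#   :unbounded    - dependencies with no upper version bound, so the resolver
#                   is free to pull in the latest release of each
def audit_gem(path)
  spec = Gem::Package.new(path).spec   # parsed from metadata, not run
  deps = spec.runtime_dependencies
  unbounded = deps.reject { |d| upper_bounded?(d.requirement) }
  {
    name:         spec.full_name,
    extensions:   spec.extensions,
    dependencies: deps.map { |d| [d.name, d.requirement.to_s] },
    unbounded:    unbounded.map(&:name),
  }
end

# A requirement caps the version only if at least one clause pins or bounds it
# ("= 1.2", "~> 1.2", "< 2", "<= 1.9"). A bare ">= 0" lets the newest win.
def upper_bounded?(requirement)
  requirement.requirements.any? { |op, _version| %w[= ~> < <=].include?(op) }
end

if __FILE__ == $0
  ARGV.each do |gem_file|
    report = audit_gem(gem_file)
    puts report[:name]
    hooks = report[:extensions].empty? ? "none" : report[:extensions].join(", ")
    puts "  install-time hooks: #{hooks}"
    report[:dependencies].each { |name, req| puts "  depends on #{name} (#{req})" }
    unless report[:unbounded].empty?
      puts "  unbounded (latest wins): #{report[:unbounded].join(', ')}"
    end
  end
end
```

Run it as ruby audit_gem.rb some-gem-1.0.0.gem; a non-empty hooks line means installing the gem runs code from the package, and an unbounded line lists the dependencies whose version the install will pick for you.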
Happily, rubygems works perfectly well in non-root mode. For local development, you can leave out the sudo and gems will be installed in your home directory. For production use, you should be running servers and apps as non-root users anyway.
Please, stop propagating the sudo gem install meme.
[1] See http://github.com/wmorgan/killergem.