Update 2010/10/02: see here for a real-life example.

If you habitually type sudo gem install on your development box, you are potentially exposing yourself to nasty behavior. If you have sudo gem install as part of your automated deploy process, you are begging for something tragic to happen.

Consider:

  1. A gem can execute arbitrary code at install time.[1]
  2. Anyone with the proper permissions on rubygems.org can publish a new version of a gem at any point. This code is not reviewed or audited by anyone before publication.
  3. gem install pulls in the latest version of any dependencies that it can, for the entire dependency graph.

All it takes is for one malicious or incompetent gem writer to do something wrong, even in a gem you don’t directly depend on, and sudo gem install will destroy your box.
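To make the three points above concrete, here is an added Ruby example (not code from the original post) that walks a constructed dependency graph the way gem install resolves it and flags the two properties that matter: gems with native extensions, whose extconf.rb runs at install time, and dependency edges that accept any version, so the newest published release is always pulled in. The gem names, versions and index are made up for the example.

```ruby
require 'rubygems'

# Constructed sample index: the newest published version of each gem, keyed by
# name. A stand-in for the rubygems.org index that `gem install` would query.
def sample_index
  specs = [
    Gem::Specification.new { |s|
      s.name = 'myapp'; s.version = '1.0.0'
      s.add_runtime_dependency 'webframework', '~> 2.1'
    },
    Gem::Specification.new { |s|
      s.name = 'webframework'; s.version = '2.1.4'
      s.add_runtime_dependency 'fastjson'         # no requirement: any version accepted
    },
    Gem::Specification.new { |s|
      s.name = 'fastjson'; s.version = '0.9.1'
      s.extensions = ['ext/extconf.rb']          # native extension: runs at install time
    },
  ]
  specs.each_with_object({}) { |s, h| h[s.name] = s }
end

# Breadth-first walk of the runtime dependency graph from root_name. Reports
# gems that execute code at install time (extensions) and unpinned dependency
# edges (a new upstream release is picked up on the next install). Returns an
# array of human-readable findings.
def audit_install_graph(root_name, index)
  findings = []
  seen = {}
  queue = [root_name]
  until queue.empty?
    name = queue.shift
    next if seen[name]
    seen[name] = true
    spec = index[name]
    unless spec
      findings << "#{name}: not in index (would be fetched from the remote source)"
      next
    end
    unless spec.extensions.empty?
      findings << "#{spec.full_name}: runs #{spec.extensions.join(', ')} at install time"
    end
    spec.runtime_dependencies.each do |dep|
      if dep.requirement == Gem::Requirement.default
        findings << "#{spec.full_name} -> #{dep.name}: unpinned, newest release always wins"
      end
      queue << dep.name
    end
  end
  findings
end

audit_install_graph('myapp', sample_index).each { |f| puts f } if __FILE__ == $0
```

Running it shows that myapp never names fastjson at all, yet installing myapp runs fastjson's extconf.rb with whatever privileges gem install has.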

Happily, RubyGems works perfectly well in non-root mode. For local development, leave out the sudo and gems will be installed under your home directory. For production use, you should be running servers and apps as non-root users anyway.

Please, stop propagating the sudo gem install meme.

[1] See http://github.com/wmorgan/killergem.

William Morgan, September 22, 2010.