Bundle install with cached Ruby version fails , with writable permissions error

[vidyasagarnimmagaddi]

Hi team, we do have customer issue .
Error:
The installation path is insecure. Bundler cannot continue."/opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems" is world-writable(without sticky bit).Bundler cannot safely replace gems in world-writeable directories due to potential vulnerabilities.Please change the permissions of this directory or choose a different install path.
Analysis:
This new behaviour seems to be the result of bundler v2.5.12 release, from #7673 in particular.

Toolcached Ruby comes with some of the default gems empty. The new behaviour is to re-download them, which causes error because of the rwxrwxrwx rights we have explicitly configured for /opt directory.
We have provided a workaround to customer chmod -R o-w /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems
Now we need to implement this while image generation ,
we use packer user during image generation. Then, later, we create runner user when provision VM with image.
We need your guidance in fixing permissions during the image generation in our Ruby , and what might the implication if we use chmod -R o-w for Ruby folder.`

Run ls -la /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems
total 352
drwxrwxrwx 88 1001 docker 4096 Apr 23 13:05 .
drwxrwxrwx 9 1001 docker 4096 Apr 23 13:05 ..

Files are owned by docker group and runner belongs to docker group.

[deivid-rodriguez]

Why toolcached Ruby comes with some default gems empty? Maybe it'd be better to make it a more standard Ruby and provide all default gems that upstream Ruby provides?

[deivid-rodriguez]

This is being discussed at #7983.

[deivid-rodriguez]

By the way, you were right about #7673 causing the errors, and I now understood what you meant by "default gems empty". #7985 should fix this problem!

[vidyasagarnimmagaddi]

By the way, you were right about #7673 causing the errors, and I now understood what you meant by "default gems empty". #7985 should fix this problem!

Hi @deivid-rodriguez , when this 7985 will be fixed.

[deivid-rodriguez]

Do you mean when it will be released? Next week, most likely.