When doing a recent security review we discovered the bin/console and bin/setup are world writable on a default install. Both on Ubuntu and MacOS.
# MacOS
$ gem install --install-dir ./test/ doorkeeper-jwt:0.4.1
Fetching jwt-2.4.1.gem
Successfully installed jwt-2.4.1
Fetching doorkeeper-jwt-0.4.1.gem
Successfully installed doorkeeper-jwt-0.4.1
Parsing documentation for jwt-2.4.1
Installing ri documentation for jwt-2.4.1
Parsing documentation for doorkeeper-jwt-0.4.1
Installing ri documentation for doorkeeper-jwt-0.4.1
Done installing documentation for jwt, doorkeeper-jwt after 0 seconds
2 gems installed
$ ls -l test/gems/doorkeeper-jwt-0.4.1/bin
total 16
-rwxrwxrwx 1 richard wheel 372 13 Jun 08:52 console
-rwxrwxrwx 1 richard wheel 125 13 Jun 08:52 setup
Looking at the source code the files aren't world writable, so I'm guessing it's something to do with the gem packaging. But from hunting around I can't see what's making these files world writable.
# Git checkout
$ ls -l bin
total 16
-rwxr-xr-x 1 richard staff 372 27 May 10:36 console
-rwxr-xr-x 1 richard staff 125 27 May 10:36 setup
For what it's worth my umask is the standard on MacOS.
$ umask
022
$ umask -S
u=rwx,g=rx,o=rx
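The check below is an added example, not part of the original report or the project's code. It reads the file modes recorded inside a `.gem` package and lists entries with the world-writable bit set, on the assumption (the report's guess) that the installed permissions come from the packaged tar headers. The helper names and the sample package are constructed for illustration.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# List regular files in a tar stream whose header mode has the "other write" bit set.
def world_writable_entries(tar_io)
  Gem::Package::TarReader.new(tar_io).each_with_object([]) do |entry, found|
    mode = entry.header.mode & 0o7777
    found << [entry.full_name, format("%04o", mode)] if entry.file? && (mode & 0o002) != 0
  end
end

# A .gem is a tar archive; the packaged files are in its data.tar.gz member.
def scan_gem(gem_io)
  Gem::Package::TarReader.new(gem_io).each do |entry|
    next unless entry.full_name == "data.tar.gz"
    return world_writable_entries(StringIO.new(Zlib.gunzip(entry.read)))
  end
  []
end

# Build a tar from [name, mode, body] triples (used only for the constructed sample).
def build_tar(files)
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, mode, body|
      tar.add_file_simple(name, mode, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# Constructed sample package, not the real doorkeeper-jwt gem.
def sample_gem
  data = build_tar([["bin/console", 0o777, "#!/usr/bin/env ruby\n"],
                    ["bin/setup", 0o777, "#!/usr/bin/env bash\n"],
                    ["lib/sample.rb", 0o644, "module Sample; end\n"]])
  StringIO.new(build_tar([["data.tar.gz", 0o444, Zlib.gzip(data)]]))
end

if $PROGRAM_NAME == __FILE__
  # Pass a path to a .gem file, or run with no arguments to scan the sample.
  io = ARGV[0] ? File.open(ARGV[0], "rb") : sample_gem
  scan_gem(io).each { |name, mode| puts "#{mode} #{name}" }
end
```

Running it against a downloaded `.gem` file before installation shows whether the loose modes are already present in the published package rather than introduced locally.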