Mod_ruby and postgresql

I did a quick search on the ruby-talk archive, but to no avail, so here’s my
question …

I’m trying to use postgres in some code accessed through mod_ruby. However,
I’m having issues with “safe-ness” :-(. I assume there’s something obvious
I’m missing, but I just can’t see it.

What happens is that when I try to make a connection to my datasource, and
the DBI code tries to “require” the appropriate Ruby database library, it gets
an exception, saying this is an insecure operation.

I had similar problems in other places, and just did an untaint on the
appropriate objects. That’s the kind of hacking I obviously want to minimise
in a web application.

In any case, I can’t work out how to fix this one, since the string in the
require is hard-coded and I definitely don’t want to hack the module.

It seems to me that this must be a common issue, since it would presumably
happen with any library one wished to use in mod_ruby code.

Thanks in advance,

Harry O.

??? I use mod_ruby and ruby-postgres to create database-backed web
pages and I never had any such problem. But I call ruby-postgres
directly without going through DBI. Maybe this is part of the
problem? It might help if you posted details of the code and the
errors. I have been considering migrating to DBI instead of raw
postgres and I would like to know more about any pitfalls.

Regards,

Jeremy Henty

···

In article 200210031922.48955.harryo@zip.com.au, Harry Ohlsen wrote:

What happens is that when I try to make a connection to my
datasource, and the DBI code tries to “require” the appropriate Ruby
database library, it gets an exception, saying this is an insecure
operation.

You need to change your RubySafeLevel in your httpd.conf file. Here’s my
modruby section:

Enable mod_ruby

RubyRequire apache/ruby-run
RubyRequire apache/ruby-debug
RubyRequire apache/eruby-run
RubyRequire apache/eruby-debug
RubyRequire auto-reload
RubyOutputMode sync
RubySafeLevel 0
SetHandler ruby-object
RubyHandler Apache::ERubyDebug.instance
SetHandler ruby-object
RubyHandler Apache::RubyRun.instance
···

Travis Whitton whitton@atlantic.net


Have you tried modifying RubySafeLevel in your Apache configuration? For
example, if you say

RubySafeLevel 0 # Probably unwise for production, but may be
# a useful test

do the exceptions go away?

···

In article 200210031922.48955.harryo@zip.com.au, Harry Ohlsen wrote:

What happens is that when I try to make a connection to my
datasource, and the DBI code tries to “require” the appropriate Ruby
database library, it gets an exception, saying this is an insecure
operation.


Matt Gushee
Englewood, Colorado, USA
mgushee@havenrock.com

This is a long post, because I want to give enough detail to explain the
things I’ve been trying and the success (or lack thereof) I’ve had.

I would have posted some of the code, except that, as with any real project,
there’s a lot of infrastructure, which would only serve to hide the details.

It would appear that the problem had to do with the fact that I was reading
the URLs for the data sources from an XML file. I added an “untaint” to the
URL, login and password and that got me through.

I can understand why that makes sense, but the specific line where I was
getting the error message was a require based on a hard-coded string (inside
one of the DBI modules), that didn’t make any reference to variables. Hence,
my confusion. I tried the untaints because it seemed logical that they were
probably needed.

This is the first time I’ve used Postgres or mod_ruby in any serious way, so
I’m not really surprised I’m having a few problems. I guess it’s a little
more frustrating simply because my expectations of how easy things should
be have been amplified by writing so much Ruby code in the last few months
:-).

The problem I have now is probably more to do with the database access. Rather
than explaining the difficulties I’m having, maybe it would make more sense
to ask how other people normally set things up when using Postgres (via DBI)
with mod_ruby.

I create the database as myself (harryo), but of course the mod_ruby code is
running as apache. I would have thought that, so long as I connected using
“harryo” as the login and the appropriate password, all would be well.

However, I found that didn’t work. I got an error saying

initialize: FATAL 1: IDENT authentication failed for user "harryo"

This happens if I run equivalent code just from the command line, rather than
via mod_ruby. If I run precisely the same code, logged in as “harryo”, it
works fine.

Obviously, this has something to do with how Postgres does the authentication,
but I would have thought that the login and password would be what defined
whether access was granted, rather than the actual user ID.

If someone can tell me the correct way to set up the database and to access it
from my mod_ruby code, I’d appreciate it. However, it feels a little off
topic, so I’m going to try to find a Postgres newsgroup to ask about it.

When I use “apache” as the login (having created that user in Postgres), I can
now make the connection successfully, but there’s still some kind of
authentication issue, because when I try to execute a “select”, I now get an
error saying

"execute": ERROR: test1: permission denied

(test1 is the name of the database table). Again, I can do the same select
from a piece of code external to mod_ruby, logged in as “apache” with no
problems at all.

So, I’m guessing this is actually again something to do with safe levels. I
did originally have an obvious problem, until I added an “untaint” on the
select string.

Harry O.

···

On Fri, 4 Oct 2002 03:46, Jeremy Henty wrote:

??? I use mod_ruby and ruby-postgres to create database-backed web
pages and I never had any such problem. But I call ruby-postgres
directly without going through DBI. Maybe this is part of the
problem? It might help if you posted details of the code and the
errors. I have been considering migrating to DBI instead of raw
postgres and I would like to know more about any pitfalls.


I did try that early on, but it didn’t fix the particular problem I had at
that stage, so I took it out again. I didn’t want to get things working only
to have it all fall in a heap again once I took out the RubySafeLevel
setting.

As you say, I certainly don’t want that in the production code.

Harry O.

···

On Fri, 4 Oct 2002 03:54, Matt Gushee wrote:

Have you tried modifying RubySafeLevel in your Apache configuration? For
example, if you say

RubySafeLevel 0 # Probably unwise for production, but may be
# a useful test

do the exceptions go away?

What happens is that when I try to make a connection to my
datasource, and the DBI code tries to “require” the appropriate Ruby
database library, it gets an exception, saying this is an insecure
operation.

Have you tried modifying RubySafeLevel in your Apache configuration? For
example, if you say

RubySafeLevel 0 # Probably unwise for production, but may be
# a useful test

do the exceptions go away?

DO NOT DO THIS!!! The safety level of mod_ruby is a good thing and
helps keep mod_ruby from getting limelight attention on BugTraq.

The problem isn’t with mod_ruby, it’s with DBI and the string that
you’re using for your DSN.

Bad: dbh = DBI.connect('dbi:pg:…')
Good: dbh = DBI.connect('dbi:Pg:…')

The difference? There was some bogus code that was committed to DBI
once upon a time that lets you be case insensitive when specifying
your DBD driver. The way that it does this is by trying to require
‘pg’ and if it can’t find ‘pg’, then it opens up the directory, reads
the files there, then requires a match. The problem is though that
when reading from the directory under a safe level of 1, the directory
input is tainted. I’ll try and squeeze out a patch to have it
included in the next version of DBI, however, PLEASE, PLEASE, PLEASE
keep the safe level at 1 unless you absolutely know what you’re doing
and then some. -sc

···


Sean Chittenden
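To make Sean's explanation concrete, here is an added example (written for this page, not code from the thread or from DBI itself) that approximates the driver lookup he describes and puts an allow-list version beside it. It assumes DBD drivers live under a directory as Name/Name.rb, a fixed allow-list of driver names, and a constructed temporary driver tree so it runs offline.

```ruby
require "tmpdir"
require "fileutils"

# Assumed allow-list of driver names; DBI's real list is not reproduced here.
KNOWN_DBDS = %w[Pg Mysql SQLite].freeze

# Approximation of the lookup Sean describes: try the exact name first, and
# only if that is missing scan the directory for a case-insensitive match.
# On the fallback path the string that ends up in `require` comes from
# Dir.entries, i.e. from the filesystem; in the Ruby of the time such strings
# were tainted under $SAFE >= 1, so `require` raised SecurityError. Asking for
# "pg" instead of "Pg" is exactly what forces this path.
def lookup_dbd_scan(dbd_dir, name)
  exact = File.join(dbd_dir, name, "#{name}.rb")
  return exact if File.exist?(exact)
  Dir.entries(dbd_dir).each do |entry|
    next if entry.start_with?(".")
    return File.join(dbd_dir, entry, "#{entry}.rb") if entry.casecmp?(name)
  end
  nil
end

# Hardened form: canonicalise the requested name against our own constants so
# the value passed to `require` never originates from the DSN or from a
# directory listing. Unknown names (including anything path-like) resolve to nil.
def lookup_dbd_allowlist(dbd_dir, name)
  canonical = KNOWN_DBDS.find { |known| known.casecmp?(name) }
  return nil unless canonical
  File.join(dbd_dir, canonical, "#{canonical}.rb")
end

# Constructed fixture: a fake DBD tree containing only a stub Pg driver.
def with_fake_dbd_tree
  Dir.mktmpdir("dbd") do |dir|
    FileUtils.mkdir_p(File.join(dir, "Pg"))
    File.write(File.join(dir, "Pg", "Pg.rb"), "# stub driver for the example\n")
    yield dir
  end
end
```

With the fixture, both lookups resolve "Pg" directly; only the scanning version resolves "pg", and it does so by way of the directory read that tripped the safe level.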

Just to save anyone else thinking too hard about my problems, I just thought
I’d let people know that Alan Chen gave me some clues as to how to make the
authentication work the way I expected in postgres.

Now, everything seems to work just fine. I’ve even been able to remove the
untaint from my select statement (and will experiment with removing some
others soon).

My serious thanks go to Alan. This was driving me crazy … and I’m already
crazy enough :-).

Harry O.