Hi,
I have a question regarding mod_ruby security, hope someone might help me out.
Suppose I have a local user on my server who has a chroot jail, scponly web-home folder to upload .rhtml (or .rb) files that Apache executes by mod_ruby. At the default safe level (=1) he can execute code like:
% expr = %{File.read(\"/etc/postfix/main.cf\")}
% result = eval(expr)
% puts result
He can see globally readable files on the server while his code is running in the name of the apache user. The same happens with "RubySafeLevel 2". With 3 or 4, the user cannot access these files, but actually he cannot do anything reasonable at all, so that is not really an option. My question is, can I do something similar to PHP's safe_mode, where the running _code_ is jailed into its folder somehow? Or any other solution?
Thx in advance!
PSz
P.S.: changing access rights of all files is something I don't want to do (fighting the Debian file access rights policy on hundreds of files), that's why I like scponly/jailroot
--
Parragh Szabolcs
e-mail: parragh@dayka.hu
web: parszab.nir.hu