Christian
10/7/2007 4:44:00 AM
It seems that using setuid removes '.' from $LOAD_PATH. If you add
$LOAD_PATH.push('.') it should solve the loading issue. As an aside,
you can minimise security issues by having a user other than root own
the ruby executable. Perhaps the same user who owns the code? but this
would probably cause issues with gems and permissions. There lots of
different approaches you could take from there, it all depends on what
you like. One nice feature I've noticed is that -e is not allowed when
running setuid which means a user can't simply do ruby -e 'puts
File.read("test.rb")', Although, there is nothing to stop them putting
that code in a file and running it that way. Covering up that loop
hole I can't help with.
On 10/7/07, |MKSM| <mksm.sama@gmail.com> wrote:
> The setuid idea seems nice to me. Yes, it might uncover some security
> holes, but it still is much better than having the source code
> exposed.
>
> I've used setuid on the ruby executable and chmod 000 a test ruby
> script. The user cannot read the file, but ruby can execute it, just
> great. Problem is that dependencies are broken. It cannot locate
> another script in the same directory. " require 'lib' " fails with a
> file not found error.
>
> Anyways, progress was made. Thanks.
>
> Regards,
>
> Ricardo Amorim
> mapaBRASIL.net
>
> On 10/6/07, Christian <chippersbox@gmail.com> wrote:
> > I should also mention, that using setuid on the ruby executable could
> > open up security issues on the systems where you use this method, and
> > the script would need to be executed explicitly using 'ruby
> > some_script' as the users shell will not have read access to the
> > script to read any #!/usr/bin/ruby lines at the start of the script to
> > find which interpreter to use if executed using ./some_script.
> >
> > On 10/7/07, Christian <chippersbox@gmail.com> wrote:
> > > Interpreted languages and shells (PHP, Python, Ruby, Perl, Bash, ZSH
> > > etc..) all require read access to the script they are running, so they
> > > can actually 'read' the commands they need to interpret. By default,
> > > the ruby interpreter runs with the privileges of the user who executed
> > > it. A possibility, although I have not tried it myself, would be to
> > > setuid the ruby executable so that the interpreter always runs with
> > > permission to read the script, even if the user does not have those
> > > permissions.
> > >
> > > Only complied binary's can have only the executable bit set without
> > > the read bit set, so another option you have, would be to put the ruby
> > > file into a C char* and execute it using something like system("ruby
> > > -e 'ruby_code'"). Of course you'd need to make sure strings are
> > > properly escaped, and this might be too much work if the script is
> > > constantly changing.
> > >
> > > Other than that, I can't think of any other ways around the problem. I
> > > could be wrong though, and if anything I've said above is incorrect
> > > I'm happy to be corrected.
> > >
> > > I hope I've helped you in someway.
> > >
> > > Christian
> > >
> > > On 10/7/07, |MKSM| <mksm.sama@gmail.com> wrote:
> > > > Hello.
> > > >
> > > > I have written an app in Ruby for my company and I was the only one
> > > > that had acess to read/execute it. I've hired someone to help me with
> > > > daily work and that includes having him execute a set of those Ruby
> > > > scripts.
> > > >
> > > > Is it possible to allow him to only execute the code and not give read
> > > > permission? All boxes are running Linux.
> > > >
> > > > Regards,
> > > >
> > > > Ricardo Amorim
> > > > mapaBRASIL.net
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > "Every child has many wishes. Some include a wallet, two chicks and a
> > > cigar, but that's another story."
> > >
> >
> >
> > --
> >
> > "Every child has many wishes. Some include a wallet, two chicks and a
> > cigar, but that's another story."
> >
> >
>
>
--
"Every child has many wishes. Some include a wallet, two chicks and a
cigar, but that's another story."