Wondering how the practice of running code under the philosophy of least privilege works inside Rails -- or perhaps it's a Ruby question. (New to both.)

I'm used to a language called Lasso which has a security layer between the source code and the interpreter (or between the interpreter and the runtime engine or wherever). This layer allows me to create containers in which code executes with very specific access rights to resources like files and databases (including filtering access to tables and specific fields), and even controls access to features of the language itself, which allows me to deny access to network classes, or reflection commands, etc. on a per-container basis.

While this can be used to jail individual code contributors to specific capabilities and assets, I also find it useful for implementing Least Privilege.

If I have a routine that needs to read config files, I can create a "user" named configLoader which allows access to a specific path, and has read-only permissions for that path. I then wrap the code in a container identified as that user. Now, if that code were ever hijacked in some never-before-known attack vector, it is useless with respect to file system access except for reading that path.

For databases, I can move what I would define in Lasso Admin to the database's own access management system by defining multiple users into those allowed to read only, access only specific tables, etc.

However, for file access, and even certain language feature restrictions, I don't see how that can be done in Ruby or in Rails.

Let's stick with files. How in Rails would I create a piece of file-reading code in a method with explicit restrictions to have access to path X only and only for reading purposes? IOW, even if I wrote file reading commands within the boundaries of this code to get another path or to write to a file, it would fail to work.

Does this explanation make sense?
-- gw --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Hi Greg

You may want to look at Tim Harper's role_requirement plugin or perhaps even goldberg...

On Oct 18, 10:54 pm, Greg Willits <li...-0Bv1hcaDFPRk211Z5VL+QA@public.gmane.org> wrote:
> Wondering how the practice of running code under the philosophy of
> least privilege works inside Rails -- or perhaps it's a Ruby question.
> (New to both.)
>
> I'm used to a language called Lasso which has a security layer between
> the source code and the interpreter (or between the interpreter and the
> runtime engine or wherever). This layer allows me to create containers
> in which code executes with very specific access rights to resources
> like files and databases (including filtering access to tables and
> specific fields), and even controls access to features of the language
> itself, which allows me to deny access to network classes, or reflection
> commands, etc. on a per-container basis.
>
> While this can be used to jail individual code contributors to specific
> capabilities and assets, I also find it useful for implementing Least
> Privilege.
>
> If I have a routine that needs to read config files, I can create a
> "user" named configLoader which allows access to a specific path, and
> has read-only permissions for that path. I then wrap the code in a
> container identified as that user. Now, if that code were ever hijacked
> in some never-before-known attack vector, it is useless with respect to
> file system access except for reading that path.
>
> For databases, I can move what I would define in Lasso Admin to the
> database's own access management system by defining multiple users
> into those allowed to read only, access only specific tables, etc.
>
> However, for file access, and even certain language feature
> restrictions, I don't see how that can be done in Ruby or in Rails.
>
> Let's stick with files. How in Rails would I create a piece of file-reading
> code in a method with explicit restrictions to have access to path X
> only and only for reading purposes? IOW, even if I wrote file reading
> commands within the boundaries of this code to get another path or
> to write to a file, it would fail to work.
>
> Does this explanation make sense?
>
> -- gw
CCH wrote:
> Hi Greg
>
> You may want to look at Tim Harper's role_requirement plugin or
> perhaps even goldberg...

Hmm, this isn't about limiting "users" as in the human kind with app-layer code -- it's about limiting source code with specific restrictions at the language/OS level. I've just never tried to do that with a language like Ruby (Python etc.), so wondering how it is done.

I can explain further with an example if that's needed to clarify.

-- gw
--
Posted via http://www.ruby-forum.com/.
On 18 Oct 2007, at 17:14, Greg Willits wrote:
>
> CCH wrote:
>> Hi Greg
>>
>> You may want to look at Tim Harper's role_requirement plugin or
>> perhaps even goldberg...
>
> Hmm, this isn't about limiting "users" as in the human kind with
> app-layer code -- it's about limiting source code with specific
> restrictions at the language/OS level. I've just never tried to do
> that with a language like Ruby (Python etc.), so wondering how it is done.
>
> I can explain further with an example if that's needed to clarify.
>

Do Ruby's taint levels or why's freaky sandbox give you some of what you want?

Fred
Frederick Cheung wrote:
> On 18 Oct 2007, at 17:14, Greg Willits wrote:
>
>> that
>> with a language like Ruby (Python etc.), so wondering how it is done.
>>
>> I can explain further with an example if that's needed to clarify.
>>
> Do Ruby's taint levels or why's freaky sandbox give you some of what
> you want?

Taint looks to have some useful capabilities, but it's a different view of the subject than I'm looking for. I'd prefer to be able to specify exactly which paths and operations can be used rather than having some generic levels like that. Still, it'll likely be useful for certain operations for sure.

freaky sandbox looks interesting, but I can't infer its full capabilities from the limited info in the wiki (I'll probably get it more as I understand Ruby's environment better). I'll poke around that one and see what it yields.

Thanks.

-- gw
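The question that opens this thread asks for a file-reading routine that can reach path X only, and only for reading. Ruby has no per-container capability layer of the kind the Lasso description mentions, and the taint/`$SAFE` levels Fred refers to were removed in Ruby 3.0, so within application code the closest equivalent is a single object that owns all file access for a purpose and validates every path before opening it. The following is an added example, not code from any poster in this thread or from Rails itself; `ConfinedReader`, `demo`, and the temporary files it creates are names and constructed sample data chosen for the illustration.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Added example (not from the thread): a reader that can only open files
# strictly below one directory, and exposes no write operation at all.
class ConfinedReader
  class AccessDenied < StandardError; end

  def initialize(root)
    # realpath canonicalises the root so later prefix checks compare like with like
    @root = Pathname.new(root).realpath
  end

  # Resolve the requested name and refuse anything that ends up outside @root
  # once symlinks and ".." components have been followed.
  def resolve(relative)
    candidate = @root + relative          # absolute input simply replaces @root here
    real = candidate.realpath             # follows symlinks; raises ENOENT if missing
    unless real.to_s.start_with?(@root.to_s + File::SEPARATOR)
      raise AccessDenied, "#{relative} resolves outside #{@root}"
    end
    real
  rescue Errno::ENOENT
    # a missing file is reported the same way as a forbidden one
    raise AccessDenied, "#{relative} does not exist under #{@root}"
  end

  # The only public file operation: read-only open of a validated path.
  def read(relative)
    File.open(resolve(relative), File::RDONLY) { |f| f.read }
  end
end

# Builds a throwaway tree (constructed sample data) and exercises the reader:
# one legitimate config file inside the root, one secret outside it, and a
# symlink inside the root that points at the secret.
def demo
  Dir.mktmpdir("confined") do |tmp|
    root = File.join(tmp, "config")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "app.yml"), "debug: false\n")
    outside = File.join(tmp, "secret.txt")
    File.write(outside, "outside the allowed tree\n")
    File.symlink(outside, File.join(root, "link.yml"))

    reader = ConfinedReader.new(root)
    attempt = lambda do |name|
      begin
        reader.read(name)
        :allowed
      rescue ConfinedReader::AccessDenied
        :denied
      end
    end

    {
      allowed:   reader.read("app.yml"),      # => "debug: false\n"
      traversal: attempt.call("../secret.txt"), # => :denied
      symlink:   attempt.call("link.yml"),      # => :denied
      absolute:  attempt.call(outside),         # => :denied
      missing:   attempt.call("nope.yml"),      # => :denied
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two design points matter here. Canonicalising with `realpath` before the prefix check is what defeats both `..` components and a symlink planted inside the allowed tree; comparing raw strings would pass the symlink case. Second, the object deliberately has no write method and opens with `File::RDONLY`, so code that holds only a `ConfinedReader` cannot write anywhere through it. What this does not give is the "even if hijacked" property from the original question: it is an application-level discipline, and code running in the same process can still call `File` directly. The same move the question describes for databases applies to files: run the application under a dedicated OS account whose filesystem permissions grant read-only access to the config path, so the operating system enforces the limit that Ruby cannot.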