I'd like to write a lib whose objects can only be used if the caller
has authenticated, using a username and password for example, something
like this:
a = MyObject.new 'username', 'password' # returns instance if pass is correct
a.doSpecialThings
I can ensure that the source files can't be changed by setting file
permissions properly.
But how can I be sure that nobody can alter the class at runtime?
Is it sufficient to load potentially dangerous code with
load('file', true)?
How can I prevent an attacker from reading the source, where the
credentials must be stored somewhere? If ruby can read the source,
File.open can too, can't it?
Maybe it's not a good idea at all...
Thank you for thinking about this :-)
Dominik
But how can I be sure that nobody can alter the class at runtime?
Dominik
---------------------------
By using Ruby's safe levels.
$SAFE = 4
Will set the paranoia level to its highest ;) Ruby documentation says
the following:
">= 4 Ruby effectively partitions the running program in two. Nontainted
objects may not be modified. Typically, this will be used to create a
sandbox: the program sets up an environment using a lower $SAFE level,
then resets $SAFE to 4 to prevent subsequent changes to that
environment."
--Tony
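
The following is an added example, not code from either post. It sketches two measures for the questions raised in the thread: storing a salted PBKDF2 record instead of the password, so that reading the stored data does not reveal the credential, and freezing the class so that later attempts to reopen it raise. The names `AuthError`, `make_record`, `same_bytes?`, `RECORDS`, `DUMMY`, `tamper_blocked?` and the demo credential are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

class AuthError < StandardError; end

# Added example: names and the demo credential below are constructed.
class MyObject
  ITERATIONS = 100_000

  # Record kept per user: random salt plus PBKDF2 output, never the password.
  def self.make_record(password, salt = SecureRandom.random_bytes(16))
    key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                                     OpenSSL::Digest.new('SHA256'))
    { salt: salt, key: key }.freeze
  end

  # Byte comparison that does not stop at the first mismatch.
  def self.same_bytes?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Demo only: a real deployment loads records that were generated offline.
  RECORDS = { 'username' => make_record('password') }.freeze
  DUMMY   = make_record(SecureRandom.hex(16))

  def initialize(username, password)
    record = RECORDS[username]
    probe  = record || DUMMY # unknown users cost the same derivation
    key    = self.class.make_record(password, probe[:salt])[:key]
    ok     = self.class.same_bytes?(key, probe[:key])
    raise AuthError, 'authentication failed' unless record && ok
  end

  def do_special_things
    :done
  end
end

MyObject.freeze # later attempts to add or redefine methods now raise

# Returns true when reopening the frozen class is rejected.
def tamper_blocked?
  MyObject.class_eval { def do_special_things; :hijacked; end }
  false
rescue RuntimeError # FrozenError is a RuntimeError subclass
  true
end
```

Freezing stops methods from being added or redefined on the class; it does not isolate code running in the same interpreter, which can still rebind the constant or read what the process can read.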