I have written an app in Ruby for my company and I was the only one
that had access to read/execute it. I’ve hired someone to help me with
daily work and that includes having him execute a set of those Ruby
scripts.
Is it possible to allow him to only execute the code and not give read
permission? All boxes are running Linux.
Interpreted languages and shells (PHP, Python, Ruby, Perl, Bash, ZSH
etc…) all require read access to the script they are running, so they
can actually ‘read’ the commands they need to interpret. By default,
the ruby interpreter runs with the privileges of the user who executed
it. A possibility, although I have not tried it myself, would be to
setuid the ruby executable so that the interpreter always runs with
permission to read the script, even if the user does not have those
permissions.
Only compiled binaries can have only the executable bit set without
the read bit set, so another option you have would be to put the ruby
file into a C char* and execute it using something like system("ruby
-e 'ruby_code'"). Of course you’d need to make sure strings are
properly escaped, and this might be too much work if the script is
constantly changing.
Other than that, I can’t think of any other ways around the problem. I
could be wrong though, and if anything I’ve said above is incorrect
I’m happy to be corrected.
I should also mention, that using setuid on the ruby executable could
open up security issues on the systems where you use this method, and
the script would need to be executed explicitly using ‘ruby
some_script’ as the user’s shell will not have read access to the
script to read any #!/usr/bin/ruby lines at the start of the script to
find which interpreter to use if executed using ./some_script.
The setuid idea seems nice to me. Yes, it might uncover some security
holes, but it still is much better than having the source code
exposed.
I’ve used setuid on the ruby executable and chmod 000 a test ruby
script. The user cannot read the file, but ruby can execute it, just
great. Problem is that dependencies are broken. It cannot locate
another script in the same directory. require 'lib' fails with a
file not found error.
I guess that’s not really a Ruby question, but I have an idea…
Sudo may be the best answer. Allow the user to sudo the Ruby app as
another user with read access to the script. You’ll want to read the
sudoers man page as you’ll need the no authentication option and other
tidbits. Then you can wrap up the sudo command (something like sudo -u
reading_user /path/to/app) with an alias or shell script that your
underling can call. There are still security concerns, but you have
more control than with the setuid option, I think.
It seems that using setuid removes ‘.’ from $LOAD_PATH. If you add
$LOAD_PATH.push('.') it should solve the loading issue. As an aside,
you can minimise security issues by having a user other than root own
the ruby executable. Perhaps the same user who owns the code? But this
would probably cause issues with gems and permissions. There are lots of
different approaches you could take from there, it all depends on what
you like. One nice feature I’ve noticed is that -e is not allowed when
running setuid which means a user can’t simply do ruby -e 'puts
File.read("test.rb")', although there is nothing to stop them putting
that code in a file and running it that way. Covering up that
loophole I can’t help with.
If you can’t trust your worker, who can you trust?
If you can’t trust them, don’t give them the job.
You could write a tool in C to act as an intermediary.
Have it take whatever args you give to the Ruby script.
But allow the C tool to run under a uid used by the system, but allow
the user execute privileges on the C tool.
The C tool then runs the Ruby script owned by the other uid and
passes the args to it, returning to the user any important results.
It’s convoluted but any solution is going to be, other than hiring
somebody you trust.
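The intermediary described in the post above, sketched as an added example (not code from any poster in this thread): a small C launcher meant to be installed setuid to the account that owns the script, which fixes the interpreter and script path and replaces the caller's environment. The paths `/usr/bin/ruby` and `/opt/app/main.rb`, the mode 4711 install and the name `build_argv` are assumptions.

```c
/* Added example: launcher for a Ruby script the caller cannot read.
 * Assumption: installed setuid to the script's owner, mode 4711. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths, not from the thread. */
#define RUBY    "/usr/bin/ruby"
#define APP_DIR "/opt/app"
#define SCRIPT  APP_DIR "/main.rb"

/* The child gets only this environment, so caller-set RUBYOPT, RUBYLIB,
 * LD_PRELOAD or PATH cannot make the interpreter load other code. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Returns { RUBY, SCRIPT, caller args..., NULL }. Interpreter and script
 * are fixed; everything after SCRIPT reaches the script's ARGV, not ruby. */
char **build_argv(int argc, char **argv)
{
    if (argc < 1)
        argc = 1;                 /* execve() callers may pass an empty argv */
    char **out = calloc((size_t)argc + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[0] = RUBY;
    out[1] = SCRIPT;
    for (int i = 1; i < argc; i++)
        out[i + 1] = argv[i];
    return out;                   /* calloc left out[argc + 1] == NULL */
}

int main(int argc, char **argv)
{
    char **args = build_argv(argc, argv);
    /* Run from the application directory, not one the caller picked. */
    if (args == NULL || chdir(APP_DIR) != 0) {
        perror("launcher");
        return 111;
    }
    execve(RUBY, args, CLEAN_ENV);   /* no shell, no PATH lookup */
    perror("execve");
    return 111;
}
```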
If you can’t trust your worker, who can you trust?
If you can’t trust them, don’t give them the job.
Yes, and going round the houses to hide the source doesn’t exactly
promote good harmony among the workforce either (it shrieks “I don’t
trust you!”). Just make sure the employment contract is solid.
If you don’t want the source code to be visible you might consider a
couple levels of encryption and, maybe, hosting the actual “exe” on a
site that you control and have a loader exe grab it when it is needed.
For example, for Ruby program X, you could encrypt X with a key (also on
another server if you wish) and then make a loader that would decrypt it
on the fly and interpret the resulting code. You could add checksums,
etc. for the loader if you’re worried about someone hacking it so they
can then view the code.
Depending on what you’re doing with it, it could make more sense to have
a web interface to it and then you would only have to put it on a server
of your choosing and let them call it that way.
I may have overlooked something but what is wrong with using chmod?
Ruby scripts are not ELF/Mach-O/PE/“whatever your system uses”
binaries. Your friend needs to be able to read the script to execute
it.
Well, the permissions settings need to include the UID of the process
that tries to use the script.
It is possible to make it a system level UID where users can run it
indirectly, but not open and read the file. But any admin can change
that, and a good admin would probably be very suspicious of it.
The best way will be to implement in Ruby an encryption method that
will take a key stored in a secure place and use it to decode encrypted
files on the fly. It might create some overload but it will be an
interesting project to code, and I guess a lot of people hosting Rails
apps might be really interested in this also.