Wondering how the practice of running code under the philosophy of
least privilege works inside Rails – or perhaps it's a Ruby question.
(New to both).
I’m used to a language called Lasso which has a security layer between
the source code and the interpreter (or between the interpreter and the
runtime engine or wherever). This layer allows me to create containers
in which code executes with very specific access rights to resources
like files, and databases (including filtering access to tables and
specific fields), and even controls access to features of the language
itself which allows me to deny access to network classes, or reflection
commands, etc. on a per-container basis.
While this can be used to jail individual code contributors to specific
capabilities and assets, I also find it useful for implementing Least
Privilege.
If I have a routine that needs to read config files, I can create a
“user” named configLoader which allows access to a specific path, and
has read-only permissions for that path. I then wrap the code in a
container identified as that user. Now, if that code were ever hijacked
in some never-before-known attack vector, it is useless with respect to
file system access except for reading that path.
For databases, I can move what I would define in Lasso Admin to the
database’s own access management system by defining multiple users
into those allowed to read only, access only specific tables, etc.
However, for file access, and even certain language feature
restrictions, I don’t see how that can be done in Ruby or in Rails.
Let’s stick with files. How in Rails would I create a piece of
file-reading code in a method with explicit restrictions to have access to path X
only and only for reading purposes. IOW, even if I wrote file reading
commands within the boundaries of this code to get another path or
to write to a file, it would fail to work.
Does this explanation make sense?
– gw
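The path-confined, read-only reader asked about above, as an added Ruby example that is not from the original post: Ruby has no Lasso-style security layer, so the closest in-process approximation is one object that owns all file access, canonicalises every path and refuses anything outside its root. It assumes a constructed temp directory standing in for path X; confining code that can call File.open directly needs OS-level controls (for example running it as a separate, unprivileged user), which this does not provide.

```ruby
require "tmpdir"

# Added example, not code from the original post. "Path X, read only" is
# enforced by making this object the only code that touches the filesystem:
# every path is canonicalised and anything outside the root is refused.
# Code that calls File.open itself is not confined by this class.
class ConfigLoader
  class AccessDenied < StandardError; end

  def initialize(root)
    @root = File.realpath(root)          # resolve symlinks once, up front
  end

  # Read-only access to a file under the root; returns its contents.
  def read(relative_name)
    File.open(resolve(relative_name), File::RDONLY, &:read)
  end

  private

  def resolve(relative_name)
    raise AccessDenied, "absolute paths are not allowed" if relative_name.start_with?("/")
    real = File.realpath(File.expand_path(relative_name, @root))   # follows symlinks
    raise AccessDenied, "#{relative_name} escapes #{@root}" unless inside_root?(real)
    real
  rescue Errno::ENOENT
    raise AccessDenied, "#{relative_name} not found under #{@root}"
  end

  def inside_root?(real)
    real == @root || real.start_with?(@root + File::SEPARATOR)
  end
end

# True if the block raised AccessDenied, false if the access succeeded.
def denied?
  yield
  false
rescue ConfigLoader::AccessDenied
  true
end

# Constructed demo: a temp directory stands in for path X, holding one config
# file and a symlink pointing outside it. Returns the outcome of each access.
def demo_config_loader
  Dir.mktmpdir("cfg") do |dir|
    File.write(File.join(dir, "app.yml"), "adapter: sqlite3\n")
    File.symlink("/", File.join(dir, "escape"))
    loader = ConfigLoader.new(dir)
    { read_ok:   loader.read("app.yml"),
      traversal: denied? { loader.read("../../etc/hosts") },
      absolute:  denied? { loader.read("/etc/hosts") },
      symlink:   denied? { loader.read("escape/etc/hosts") } }
  end
end
```

Because the loader exposes no write method and opens with `File::RDONLY`, a caller holding only this object cannot write anywhere, which is the read-only half of the request.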