How do Least Privilege Security Practices?

Wondering how the practice of running code under the philosophy of
least privilege works inside Rails – or perhaps it's a Ruby question.
(New to both).

I’m used to a language called Lasso which has a security layer between
the source code and the interpreter (or between the interpreter and the
runtime engine or wherever). This layer allows me to create containers
in which code executes with very specific access rights to resources
like files, and databases (including filtering access to tables and
specific fields), and even controls access to features of the language
itself which allows me to deny access to network classes, or reflection
commands, etc on a per-container basis.

While this can be used to jail individual code contributors to specific
capabilities and assets, I also find it useful for implementing Least
Privilege.

If I have a routine that needs to read config files, I can create a
“user” named configLoader which allows access to a specific path, and
has read-only permissions for that path. I then wrap the code in
container identified as that user. Now, if that code were ever hijacked
in some never-before-known attack vector, it is useless with respect to
file system access except for reading that path.

For databases, I can move what I would define in Lasso Admin to the
database’s own access management system by defining multiple users
into those allowed to read only, access only specific tables, etc.

However, for file access, and even certain language feature
restrictions, I don’t see how that can be done in Ruby or in Rails.

Let’s stick with files. How in Rails would I create a piece of file-reading
code in a method with explicit restrictions to have access to path X
only and only for reading purposes. IOW, even if I wrote file reading
commands within the boundaries of this code to get another path or
to write to a file, it would fail to work.

Does the explanation make sense?

– gw
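As an added example (not code from this thread), one way to get the read-only, path-confined "configLoader" behaviour asked about above in plain Ruby; the ConfigLoader class, the attempt helper and the config_loader_demo fixture are assumed names, and the files it creates are constructed for the demo.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Read-only, path-confined accessor in the spirit of the "configLoader"
# container described above: the only capability it exposes is reading a
# regular file under +root+; everything else raises before a handle is opened.
class ConfigLoader
  class AccessDenied < StandardError; end
  def initialize(root)
    @root = Pathname.new(root).realpath # canonical root, resolved once
  end

  # realpath resolves ".", ".." and symlinks, so a symlink pointing outside
  # the root is refused exactly like "../" traversal.
  def resolve(relative)
    candidate = (@root + relative).realpath
    inside = candidate.to_s.start_with?(@root.to_s + File::SEPARATOR)
    raise AccessDenied, "#{relative} escapes #{@root}" unless inside
    raise AccessDenied, "#{relative} is not a regular file" unless candidate.file?
    candidate
  rescue Errno::ENOENT
    raise AccessDenied, "#{relative} does not exist under #{@root}"
  end

  # The single public operation: open read-only. No write or delete exists.
  def read(relative)
    File.open(resolve(relative), File::RDONLY, &:read)
  end
end

# Returns the file contents, or :denied when the loader refuses the path.
def attempt(loader, rel)
  loader.read(rel)
rescue ConfigLoader::AccessDenied
  :denied
end

# Constructed fixture: a config dir holding app.yml, a secret outside it, and
# a symlink inside the dir that points at the secret. Returns each outcome.
def config_loader_demo
  Dir.mktmpdir do |tmp|
    FileUtils.mkdir_p(File.join(tmp, "config"))
    File.write(File.join(tmp, "config", "app.yml"), "env: production\n")
    File.write(File.join(tmp, "secret.txt"), "not for you\n")
    File.symlink(File.join(tmp, "secret.txt"), File.join(tmp, "config", "link.yml"))
    loader = ConfigLoader.new(File.join(tmp, "config"))
    { allowed: attempt(loader, "app.yml"), traversal: attempt(loader, "../secret.txt"),
      symlink: attempt(loader, "link.yml"), missing: attempt(loader, "nope.yml") }
  end
end
```

This is an application-level guard enforced by the loader's own interface, not an OS- or interpreter-enforced sandbox: code in the same process that calls File.open directly is not confined by it, which is exactly the gap the question is pointing at.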

Hi Greg

You may want to look at Tim H.'s role_requirement plugin or
perhaps even goldberg…

CCH wrote:

Hi Greg

You may want to look at Tim H.'s role_requirement plugin or
perhaps even goldberg…

Hmm, this isn’t about limiting “users” as in the human kind with
app-layer code – it’s about limiting source code with specific
restrictions at the language/OS level. I’ve just never tried to do that
with a language like Ruby (python etc), so wondering how it is done.

I can explain further with an example if that’s needed to clarify.

– gw

Frederick C. wrote:

On 18 Oct 2007, at 17:14, Greg W. wrote:

that
with a language like Ruby (python etc), so wondering how it is done.

I can explain further with an example if that’s needed to clarify.

do ruby’s taint levels or why’s freaky sandbox give you some of what
you want?

Taints looks to have some useful capabilities, but it’s a different view
of the subject than I’m looking for. I’d prefer to be able to specify
exactly which paths and operations can be used rather than having some
generic levels like that. Still, it’ll likely be useful for certain
operations for sure.

freaky sandbox looks interesting, but can’t infer its full capabilities
from the limited info in the wiki (I’ll probably get it more as I
understand Ruby’s environment better). I’ll poke around that one and see
what it yields.

Thanks.

– gw

On 18 Oct 2007, at 17:14, Greg W. wrote:

that
with a language like Ruby (python etc), so wondering how it is done.

I can explain further with an example if that’s needed to clarify.

do ruby’s taint levels or why’s freaky sandbox give you some of what
you want?

Fred