Sandboxing an application with the java security manager

Hello,

I’m trying to sandbox an application by having the Java security manager
check its permissions, but JRuby seems to bypass those restrictions. For
instance,

jruby -J-Djava.security.manager -e
“puts File.read(’/etc/hosts’).size”

simply succeeds, while

java -Djava.security.manager Main

on a previously compiled Main.java[1] fails as expected with an

Exception in thread “main” java.security.AccessControlException:
access denied (java.io.FilePermission /etc/hosts read)

Can you explain why JRuby doesn’t trip over the security manager?

[1] Main.java
import java.io.*;

public class Main {

public static void main(String[] args) throws Exception {
    char[] cbuf = new char[4*1024];
    System.out.println(new FileReader(new

File("/etc/hosts")).read(cbuf));
}
}

best regards,

Ivo W.

On Sat, Oct 16, 2010 at 11:35 AM, Ivo W. [email protected] wrote:

import java.io.*;

public class Main {

public static void main(String[] args) throws Exception {
char[] cbuf = new char[4*1024];
System.out.println(new FileReader(new
File("/etc/hosts")).read(cbuf));
}
}

It’s probably because of our custom IO layer and the way we deal with
things at the descriptor level, bypassing FileReader/Writer etc. I’d
file a bug, as JRuby should probably heed the Java security manager
behavior.

Thanks,
/Nick

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs