Hi,

> I am running a Linux shared hosting environment, and one of my users
> would like to make use of an app (Coupra Express) which uses
> backgroundrb to process certain tasks. This requires that I run
> backgroundrb as a service so that it is always available to the client.
I recently had the same problem: at first I thought of setting iptables rules, but it turns out to be a pain, as I needed to set one rule per user running on my environment. Another solution was to patch the kernel with GRSec, but I'm not fond of this solution. So I came up with a third solution: patching backgroundrb with a modification of mine (you will find the patch and the revision to which it's applied below), adding password support. It's quite a temporary solution, as I haven't figured out another solution.

> What I am trying to assess is if there are potential security risks in
> running this in a shared hosting environment. I assume that this service
> would be available to other users on the same server as well - if so are
> there any security issues that I should be aware of there? I read on
> http://www.ruby-forum.com/topic/69440 that backgroundrb can be
> configured to only accept connections from localhost (I believe this was
> the default behaviour)?

You can configure backgroundrb to only accept connections from localhost, but I think it won't solve your problem if you have multiple clients running on your host: even if backgroundrb is bound to localhost, other clients who have a solution on your host can still access other instances of backgroundrb by tweaking their backgroundrb.yml (which I consider to be a security issue).

Regards.
-- 
SECHAUD Gaël

----- How To -----

To add password support, just patch backgroundrb and add the following entry in your backgroundrb config (commonly RAILS_ROOT/config/backgroundrb.yml):

  :backgroundrb:
    [..]
    :password: Your_Password

----- revision info -----

svn info
Path: .
URL: http://svn.devjavu.com/backgroundrb/trunk Repository Root: http://svn.devjavu.com/backgroundrb Repository UUID: 69d54aea-511f-0410-a924-81c4482807e4 Revision: 331 Node Kind: directory Schedule: normal Last Changed Author: [email protected] Last Changed Rev: 330 Last Changed Date: 2008-10-14 12:51:23 +0200 (Tue, 14 Oct 2008) ----- patch ----- diff -crB backgroundrb/lib/backgroundrb/bdrb_connection.rb backgroundrb-patched/lib/backgroundrb/bdrb_connection.rb *** backgroundrb/lib/backgroundrb/bdrb_connection.rb 2009-05-25 17:18:35.000000000 +0200 --- backgroundrb-patched/lib/backgroundrb/bdrb_connection.rb 2009-05-25 16:48:48.000000000 +0200 *************** *** 8,13 **** --- 8,14 ---- @server_port = port @cluster_conn = cluster_conn @connection_status = true + @password = BDRB_CONFIG[:backgroundrb][:password].nil? ? false : BDRB_CONFIG[:backgroundrb][:password] end *************** *** 66,71 **** --- 67,73 ---- end def dump_object data + data[:password] = @password establish_connection raise BackgrounDRb::BdrbConnError.new("Error while connecting to the backgroundrb server #{server_info}") unless @connection_status diff -crB backgroundrb/server/lib/master_worker.rb backgroundrb-patched/server/lib/master_worker.rb *** backgroundrb/server/lib/master_worker.rb 2009-05-25 17:18:35.000000000 +0200 --- backgroundrb-patched/server/lib/master_worker.rb 2009-05-25 16:50:53.000000000 +0200 *************** *** 25,31 **** end class MasterWorker ! attr_accessor :debug_logger include BackgrounDRb::BdrbServerHelper # receives requests from rails and based on request type invoke appropriate method def receive_data p_data --- 25,31 ---- end class MasterWorker ! 
attr_accessor :debug_logger,:password include BackgrounDRb::BdrbServerHelper # receives requests from rails and based on request type invoke appropriate method def receive_data p_data *************** *** 33,38 **** --- 33,45 ---- begin t_data = load_data b_data if t_data + # check password + if @password && t_data[:password] != @password + debug_logger.info("Invalid password : #{t_data.inspect}") + error_password(t_data) + return + end + case t_data[:type] # async method invocation when :async_invoke: async_method_invoke(t_data) *************** *** 55,60 **** --- 62,76 ---- end end + # Send password require info to the user + def error_password(t_data) + worker_name_key = gen_worker_key(t_data[:worker],t_data[:worker_key]) + worker_instance = reactor.live_workers[worker_name_key] + info_response = { :error => "Password required / Wrong password" } + worker_instance ? (info_response[:status] = :running) : (info_response[:status] = :stopped) + send_object(info_response) + end + # Send worker info to the user def pass_worker_info(t_data) worker_name_key = gen_worker_key(t_data[:worker],t_data[:worker_key]) *************** *** 163,168 **** --- 179,185 ---- # called whenever a new connection is made.Initializes binary data parser def post_init @tokenizer = Packet::BinParser.new + @password = BDRB_CONFIG[:backgroundrb][:password].nil? ? false : BDRB_CONFIG[:backgroundrb][:password] end def connection_completed; end end _______________________________________________ Backgroundrb-devel mailing list [email protected] http://rubyforge.org/mailman/listinfo/backgroundrb-devel
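Review bot: the expression `BDRB_CONFIG[:backgroundrb][:password].nil? ? false : BDRB_CONFIG[:backgroundrb][:password]` in the bdrb_connection.rb 8,13 hunk and again in the master_worker.rb post_init hunk (163,168) can be reduced to `BDRB_CONFIG[:backgroundrb][:password]`, since a nil value already fails the `if @password && ...` test the same way false does; the duplicated line also means both files must be kept in sync by hand, so a single shared helper for reading the configured password would be cleaner.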
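Review bot: in the master_worker.rb 33,38 hunk the password check sits after `t_data = load_data b_data`, so every request body is fully unpacked before the password is looked at; the check would protect more if it ran as early as possible in `receive_data`, before the rest of the payload is processed. In the same hunk, `debug_logger.info("Invalid password : #{t_data.inspect}")` writes the full request, including whatever password the client supplied, into the log; logging only `t_data[:type]` and `t_data[:worker]` would avoid leaving credentials in log files.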
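Review bot: `error_password` in the master_worker.rb 55,60 hunk looks up `reactor.live_workers[worker_name_key]` and reports `:status => :running` or `:status => :stopped` to a client that has just failed the password check, so an unauthenticated caller can still learn whether a given worker exists; the error response should carry only `:error => "Password required / Wrong password"` and leave worker status to the authenticated `pass_worker_info` path.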
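Review bot: `data[:password] = @password` in the bdrb_connection.rb 66,71 hunk adds a `:password => false` entry to every message when no password is configured; harmless on the receiving side, but guarding it with `if @password` would keep unconfigured installs sending exactly what they sent before the patch.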
