On Mon, Aug 24 2009, andrew mcelroy wrote:
> On Sun, Aug 23, 2009 at 11:28 PM, Manoj Srivastava <sriva...@debian.org>wrote:
>
>>
>> On Sun, Aug 23 2009, andrew mcelroy wrote:
>>
>> > I have been working on taking over _why's Try Ruby program.
>> > Essentially, it is a webpage that employs ajax to talk to a ruby
>> interpretor
>> > on a server to give you an interactive shell.
>> > This interactive shell would come with lessons that would teach basic
>> ruby
>> > scripting.
>>
>> > The trouble I am running into is deciding how to best secure this
>> program.
>> > I noticed that it allows for the use of the system method; and yes I have
>> > been able to read /etc/passwd.
>>
>> The obvious solution appears to be mandatory, role based access
>> controls, SELinux would do everything you want. chroots are not really
>> meant for security; and virtual machines are overkill.
> I am pretty paranoid, so selinux inside a vm might be the way to go.
Unless your host is also protected, SELinux on the guest buys
you stuff, but it is still a house built on sand.
> I guess I now can no longer slack off learning SELinux.
> Being that your a maintainer for Debian, I can presume that Debian has
> out of the box support for SELinux, no?
Actually, for out of the box support, fedora is still your best
bet. Having an corporation with a boss and supporting only a fraction
of what Debian supports makes it easier for fedora to achieve
compliance, and they have invested a lot of effort into SELinux to
boot. In Debian, with 20K packages, it is like herding cats.
However, that being said, the play machine below is just a lenny
box, with minor policy tweaks.
> Under an selinux system, I should be able to sandbox a ruby
> interpretor to an explicit list of directories, right?
Sure. You might have to write your own container policy, but
you are trying for a highly tailored situation. You can certainly keep
it out of /etc pretty easily.
Or ask Russel for his tweaked policy, heck, man, f root can't
mess up the play machine, your interpreter will have a hard time
breaking out.
> If so, this would be fantastic, as there is a part of the lesson plan that
> lets the user create and manipulate a file
> on the server.
>
>>
>> For instance, see http://www.coker.com.au/selinux/play.html
>> He gives out root passwords on the web page.
>>
>
> neat.
I'm serious. Log in. play around. See the wonders of SELinux.
manoj
--
It's always darkest just before the lights go out. Alex Clark
Manoj Srivastava <sriva...@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to
nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nlug-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
