On Mon, Aug 24, 2009 at 12:28 AM, Manoj Srivastava<sriva...@debian.org> wrote: > > On Mon, Aug 24 2009, andrew mcelroy wrote: > >> On Sun, Aug 23, 2009 at 11:28 PM, Manoj Srivastava >> <sriva...@debian.org>wrote: >> >>> >>> On Sun, Aug 23 2009, andrew mcelroy wrote: >>> >>> > I have been working on taking over _why's Try Ruby program. >>> > Essentially, it is a webpage that employs ajax to talk to a ruby >>> interpretor >>> > on a server to give you an interactive shell. >>> > This interactive shell would come with lessons that would teach basic >>> ruby >>> > scripting. >>> >>> > The trouble I am running into is deciding how to best secure this >>> program. >>> > I noticed that it allows for the use of the system method; and yes I have >>> > been able to read /etc/passwd. >>> >>> The obvious solution appears to be mandatory, role based access >>> controls, SELinux would do everything you want. chroots are not really >>> meant for security; and virtual machines are overkill. > >> I am pretty paranoid, so selinux inside a vm might be the way to go. > > Unless your host is also protected, SELinux on the guest buys > you stuff, but it is still a house built on sand. > >> I guess I now can no longer slack off learning SELinux. > >> Being that your a maintainer for Debian, I can presume that Debian has >> out of the box support for SELinux, no? > > Actually, for out of the box support, fedora is still your best > bet. Having an corporation with a boss and supporting only a fraction > of what Debian supports makes it easier for fedora to achieve > compliance, and they have invested a lot of effort into SELinux to > boot. In Debian, with 20K packages, it is like herding cats. > > However, that being said, the play machine below is just a lenny > box, with minor policy tweaks. > >> Under an selinux system, I should be able to sandbox a ruby >> interpretor to an explicit list of directories, right? > > Sure. You might have to write your own container policy, but > you are trying for a highly tailored situation. You can certainly keep > it out of /etc pretty easily. > > Or ask Russel for his tweaked policy, heck, man, f root can't > mess up the play machine, your interpreter will have a hard time > breaking out. > >> If so, this would be fantastic, as there is a part of the lesson plan that >> lets the user create and manipulate a file >> on the server. >> >>> >>> For instance, see http://www.coker.com.au/selinux/play.html >>> He gives out root passwords on the web page. >>> >> >> neat. > > I'm serious. Log in. play around. See the wonders of SELinux.
I'm curious. Has anybody been able to log in recently? I tried a few times before midnight and over the last hour, but I can't connect. $ ssh -x -a r...@play.coker.com.au ssh: connect to host play.coker.com.au port 22: Connection refused Think somebody borked the box? > > manoj > -- > It's always darkest just before the lights go out. Alex Clark > Manoj Srivastava <sriva...@debian.org> <http://www.debian.org/~srivasta/> > 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to nlug-talk@googlegroups.com To unsubscribe from this group, send email to nlug-talk+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en -~----------~----~----~----~------~----~------~--~---
