Greetings,

I have been working on taking over _why's Try Ruby program.
Essentially, it is a webpage that employs ajax to talk to a ruby interpreter
on a server to give you an interactive shell.
This interactive shell would come with lessons that would teach basic ruby
scripting.

The trouble I am running into is deciding how to best secure this program.
I noticed that it allows for the use of the system method, and yes, I have
been able to read /etc/passwd.

I am not entirely sure how to disable that at the interpreter level, short
of ripping it out of ruby, which seems like it might break other I/O
functions.

Instead, I have come to the idea of just simply making a minimal permission
user for apache and ruby.
In addition to that, create a chroot. I am tempted to then stick that inside
a vm, but I am not sure if that is overkill.

Simply not hosting this program is a non-starter, but I also do care about
making sure I am not deploying a huge security hole on my server.

What other suggestions do any of you have in regard to responsibly
deploying such a potentially high-risk program?
Is a tripwire program also in order, and if so, how would you configure it?

Thanks,
Andrew
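
One concrete shape of the "restrict the interpreter" idea from the post, as an added example (not _why's Try Ruby code, and the module name is hypothetical): each student snippet is evaluated in a forked child from which the process-spawning Kernel methods have been undefined, under a CPU and wall-clock limit, so the web process itself is never modified. This only closes the `system` path the post describes; `Process.spawn`, `IO.popen` and plain `File.read` still work in the child, which is exactly why the unprivileged user and chroot from the post remain the real boundary.

```ruby
require 'timeout'

# Added example, not _why's code: evaluate a student's snippet in a forked
# child from which process-spawning Kernel methods have been removed. The
# parent (the web app) is never modified. Module name is hypothetical.
module TryRubyJail
  # Kernel methods that start another process; Kernel#open is included
  # because it also accepts a "|command" argument (File.open stays usable).
  SPAWN_METHODS = [:system, :exec, :spawn, :fork, :"`", :syscall, :open].freeze
  CPU_SECONDS  = 5   # hard CPU limit enforced by the OS
  WALL_SECONDS = 2   # wall-clock limit enforced by the parent
  MAX_OUTPUT   = 4096
  # Returns { ok: true, value: "<inspect>" } or { ok: false, error: "..." }.
  def self.run(code)
    reader, writer = IO.pipe
    pid = Process.fork do
      reader.close
      SPAWN_METHODS.each do |m|
        # undef_method (unlike remove_method) stops lookup, so no ancestor
        # copy is found; the module_function singleton copy goes too.
        if Kernel.private_method_defined?(m) || Kernel.method_defined?(m)
          Kernel.send(:undef_method, m)
        end
        Kernel.singleton_class.send(:undef_method, m) if Kernel.respond_to?(m, true)
      end
      Process.setrlimit(Process::RLIMIT_CPU, CPU_SECONDS)
      result = begin
        { ok: true, value: eval(code, TOPLEVEL_BINDING).inspect[0, MAX_OUTPUT] }
      rescue Exception => e # report everything, including exit and NoMethodError
        { ok: false, error: "#{e.class}: #{e.message}"[0, MAX_OUTPUT] }
      end
      writer.write(Marshal.dump(result))
      writer.close
      exit!(0) # skip at_exit handlers inherited from the parent
    end
    writer.close
    begin
      Timeout.timeout(WALL_SECONDS) { Process.waitpid(pid) }
    rescue Timeout::Error
      Process.kill('KILL', pid)
      Process.waitpid(pid)
      reader.close
      return { ok: false, error: "timed out after #{WALL_SECONDS}s" }
    end
    data = reader.read
    reader.close
    data.empty? ? { ok: false, error: 'child exited without a result' } : Marshal.load(data)
  end
end
```

Run it with `TryRubyJail.run("system('id')")` and the child reports a NoMethodError instead of spawning a shell, while `TryRubyJail.run("[1, 2, 3].map { |x| x * 2 }")` still returns the lesson's value.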
