On Sun, Aug 23, 2009 at 11:28 PM, Manoj Srivastava <[email protected]> wrote:

> On Sun, Aug 23 2009, andrew mcelroy wrote:
>
> > I have been working on taking over _why's Try Ruby program.
> > Essentially, it is a webpage that employs ajax to talk to a ruby interpreter
> > on a server to give you an interactive shell.
> > This interactive shell would come with lessons that would teach basic ruby
> > scripting.
>
> > The trouble I am running into is deciding how to best secure this program.
> > I noticed that it allows for the use of the system method; and yes I have
> > been able to read /etc/passwd.
>
> The obvious solution appears to be mandatory, role based access
> controls, SELinux would do everything you want. chroots are not really
> meant for security; and virtual machines are overkill.

I am pretty paranoid, so SELinux inside a VM might be the way to go.
I guess I now can no longer slack off learning SELinux.
Being that you're a maintainer for Debian, I can presume that Debian has out of the box support for SELinux, no?

Under an SELinux system, I should be able to sandbox a ruby interpreter to an explicit list of directories, right?
If so, this would be fantastic, as there is a part of the lesson plan that lets the user create and manipulate a file on the server.

> For instance, see http://www.coker.com.au/selinux/play.html
> He gives out root passwords on the web page.

neat.

> manoj

You received this message because you are subscribed to the Google Groups "NLUG" group.
