From: Bill Kelly
Date: 2011-06-11T05:41:35+09:00
Subject: [ruby-core:36950] Re: Object#trust vs Object#taint

Hi,

James Gray wrote:
>
> Do we have any idea if $SAFE is actually used?
>
> I worry that people who find themselves needing that much security are
> forced to skip over $SAFE and use more robust options. I admit that I'm
> totally guessing about that though.

We use $SAFE = 4 to create a sandbox for the execution of semi-trusted scripts, conforming to our application's plug-in API. "Semi-trusted" meaning of third-party origin, but not intentionally malicious. (I wouldn't bet anything valuable that our $SAFE = 4 sandbox could contain a maliciously coded script intent on breaking out of it.)

The specific case we're guarding against is a well-intentioned but buggy third-party plug-in, which, when installed by one of our users and executed by our application, might end up destroying data on the user's filesystem.

The $SAFE = 4 sandbox only allows I/O through our plug-in API, which restricts I/O to only the set of subdirectories and/or files that are pertinent to the operation being requested of the plug-in.

* * *

Note, I'm not particularly wedded to the $SAFE security model. (I have used $SAFE = 1 in a few web/CGI scripts.)

What I'd really like is a mechanism in ruby that would provide a secure sandbox that could contain completely untrusted code.

Regards,

Bill
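The piece of Bill's design that still applies today is the plug-in API that confines I/O to the directories pertinent to the current operation. The sketch below is an added example, not Bill's code or anything from ruby-core; `PluginIO`, `AccessDenied` and the `demo` setup are hypothetical names. It deliberately does not use $SAFE: $SAFE = 4 was removed in Ruby 2.1 and $SAFE has had no effect since Ruby 3.0, so the path-confinement check is the part a modern application would keep. As Bill says of his own sandbox, this contains a buggy plug-in's file accesses, not a hostile script that can still call `File` directly.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical plug-in I/O API (added example, not the original poster's code).
# A plug-in is handed a PluginIO built from the directories that are
# pertinent to the requested operation; every path it supplies is resolved
# against those roots and refused if it lands anywhere else, whether via an
# absolute path, ".." traversal, or a symlink pointing outside the root.
class PluginIO
  class AccessDenied < StandardError; end

  def initialize(*roots)
    # realpath up front so that the containment comparison below is done on
    # canonical paths (e.g. /tmp vs /private/tmp on macOS).
    @roots = roots.map { |r| Pathname.new(r).realpath }
  end

  # Map a plug-in-relative path to a canonical absolute path inside one of the
  # allowed roots, or raise AccessDenied.
  def resolve(rel)
    rel = rel.to_s
    raise AccessDenied, "absolute paths are not allowed: #{rel}" if Pathname.new(rel).absolute?

    @roots.each do |root|
      target = canonical(root + rel)   # Pathname#+ collapses ".." lexically
      return target if target && inside?(root, target)
    end
    raise AccessDenied, "#{rel} is outside the allowed directories"
  end

  def read(rel)
    File.read(resolve(rel))
  end

  def write(rel, data)
    path = resolve(rel)
    File.write(path, data)
    path.to_s
  end

  # Runs a self-contained scenario in a temp dir and returns what happened.
  # The "outside" directory and its secret file are constructed sample data.
  def self.demo
    Dir.mktmpdir("plugin-demo") do |dir|
      work    = File.join(dir, "work")
      outside = File.join(dir, "outside")
      FileUtils.mkdir_p(work)
      FileUtils.mkdir_p(outside)
      File.write(File.join(outside, "secret.txt"), "not for plug-ins")
      File.symlink(File.join(outside, "secret.txt"), File.join(work, "link"))

      io = PluginIO.new(work)   # this operation is only allowed to touch "work"
      io.write("out.txt", "hello")
      {
        roundtrip: io.read("out.txt"),
        traversal: denied? { io.read("../outside/secret.txt") },
        absolute:  denied? { io.read(File.join(outside, "secret.txt")) },
        symlink:   denied? { io.read("link") },
      }
    end
  end

  def self.denied?
    yield
    false
  rescue AccessDenied
    true
  end

  private

  # Follow symlinks for existing paths; for a file about to be created,
  # canonicalise its parent directory instead. nil if the parent is missing.
  def canonical(candidate)
    return candidate.realpath if candidate.exist?
    candidate.dirname.realpath + candidate.basename
  rescue Errno::ENOENT
    nil
  end

  def inside?(root, path)
    path.to_s == root.to_s || path.to_s.start_with?(root.to_s + File::SEPARATOR)
  end
end

puts PluginIO.demo.inspect if $PROGRAM_NAME == __FILE__
```

The check is done on the canonicalised path, not on the string the plug-in supplied, so a symlink the plug-in (or a previous buggy run) dropped inside the work directory cannot be used as a door out of it; for a file that does not exist yet, the parent directory is canonicalised instead, which is what makes `write` safe without a create-then-check race.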