Home/ Questions/Q 570303
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T13:23:13+00:00

I have a server application that allows users to execute their own ruby scripts.

  • 0

I have a server application that allows users to execute their own ruby scripts. The server that the scripts run on is a virtual instance on Amazon’s EC2 so no permanent damage can be done. However I’d like to take whatever precautions I can to stop any dangerous/malicious script, reboots are still something I’d like to avoid.

At the moment I disallow any scripts that contain “require” or “include”. I think it would actualy be safe to allow “include”? There is no need for any users to access the server’s file system so if I disallow any occurrence of the string “file.” will that prevent users being able to access the server’s file system?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Disallowing occurrence of the string “file” will not help you at all. They still have eval, pack/unpack, Dir, ` and tons of other stuff.

    YMMV, but this is what I would have done:

    • Run the ruby process as an unprivileged user
    • in a jailed environment (i.e. chroot, freebsd jail or equivalent)
    • in a stripped environment (no suids, no other unnecessary files — bare minimum is best)
    • with $SAFE >= 2
    • and with no write access to any files/folders

    Probably still not secure, but it’s a start.

    EDIT: Might also be a good idea to set limits on system resource consumption using ulimit or equivalent.

    • 0