I have an existing Ruby on Rails app that work fine, but now I need to add a line to a system file that the app normally does not have access to. Is there a simple way to open the file as SU? (Ruby 1.9.3, Rails 3.2, Ubuntu 12.4)
Asked
Active
Viewed 101 times
-3
-
Run the script as a user with the privileges neccesary? – Niels B. May 04 '13 at 21:28
-
Why do you need to do this? – Dave Newton May 04 '13 at 22:18
-
2@BorisStitnicky - you are a funny man. :-) – Niels B. May 04 '13 at 22:19
2 Answers
2
It's a bad idea from a security perspective to allow general su or sudo privileges to an application that accepts requests from the world. A couple safer approaches:
1) Change the group ownership of the particular system file to share a group which the application user also belongs to and set the group-write permission on that file.
# assuming you want to manipulate /etc/foobar and your app runs as user rails in group rails
chgrp rails /etc/foobar
chmod g+rw /etc/foobar
2) Safer yet. Write a separate program that implements limited changes to the target system file based on arguments passed to it. Enable your rails app user to have passwordless sudo privledge to execute this one program. See sudoers documentation for info on how to enable this limited privilege.
With either method, be careful not to use data you got from outside the application source without carefully validating it via formal parser and/or whitelist.
dbenhur
- 20,008
- 4
- 48
- 45
-
Exactly. Please give yours scripts permissions they need for their work, as dbenhur suggests. But, *turns to @dbenhur* that doesn't mean you have to downvote educative jokes. +1 to you. – Boris Stitnicky May 04 '13 at 21:44
-
Sorry to downvote @BorisStitnicky. Such jokes about good security practice might seem obviously bad to the experienced, but too many inexperienced people just cut and paste code off of stack overflow without understanding it well to let it stand. In my first scan, my eyes jumped to your code excerpt and completely missed your warning "This is how you mess up your security". – dbenhur May 04 '13 at 21:54
-
My problem is that the site works fine and is very secure. The user is authenticated via ssh before reaching this point and every action is logged. There is just one flaw that we did not predict and that is adding a new line to a file that is not owned by them or their group. For security we don't let them have access to this file, so I need to do it for them. – Robert McCabe May 04 '13 at 22:18
-
@RobertMcCabe The fact that you're asking this question on stack overflow is a strong indicator that your statement "the site ... is very secure" is likely baseless -- that is, you don't appear to have the security expertise to make that judgement. What part of my answer isn't applicable to what you're trying to do? Perhaps you should explain the problem more thoroughly in your question. – dbenhur May 04 '13 at 22:37
-
Please don't judge what you know nothing about. The site is up for some time and has been tested. A problem has come up that requires us to make a change. I'm not being paid for the work and don't have the time to spare hunting for an ideal solution. The simplest solution is to add a line to a file that is part of the site configuration, but the app only has read permission on the file. – Robert McCabe May 04 '13 at 23:33
-1
This is how you mess up your security:
my_user_password = "f00bar"
app_I_want_to_run = "whoami"
system "echo %s | sudo -S %s" % [ my_user_password, app_I_want_to_run ]
#=> root
And don't forget to publish it as a gem.
Boris Stitnicky
- 12,444
- 5
- 57
- 74