Hiding source code

|MKSM|

Hello.

I have written an app in Ruby for my company and I was the only one
that had access to read/execute it. I've hired someone to help me with
daily work and that includes having him execute a set of those Ruby
scripts.

Is it possible to allow him to only execute the code and not give read
permission? All boxes are running Linux.

Regards,

Ricardo Amorim
mapaBRASIL.net
 
|MKSM|

The setuid idea seems nice to me. Yes, it might uncover some security
holes, but it still is much better than having the source code
exposed.

I've used setuid on the ruby executable and chmod 000 a test ruby
script. The user cannot read the file, but ruby can execute it, just
great. Problem is that dependencies are broken. It cannot locate
another script in the same directory. " require 'lib' " fails with a
file not found error.

Anyways, progress was made. Thanks.

Regards,

Ricardo Amorim
mapaBRASIL.net
 
yermej

> Hello.
>
> I have written an app in Ruby for my company and I was the only one
> that had access to read/execute it. I've hired someone to help me with
> daily work and that includes having him execute a set of those Ruby
> scripts.
>
> Is it possible to allow him to only execute the code and not give read
> permission? All boxes are running Linux.
>
> Regards,
>
> Ricardo Amorim
> mapaBRASIL.net

I guess that's not really a Ruby question, but I have an idea...

Sudo may be the best answer. Allow the user to sudo the Ruby app as
another user with read access to the script. You'll want to read the
sudoers man page as you'll need the no authentication option and other
tidbits. Then you can wrap up the sudo command (something like sudo -u
reading_user /path/to/app) with an alias or shell script that your
underling can call. There are still security concerns, but you have
more control than with the setuid option, I think.

Jeremy
 
John Joyce

If you can't trust your worker, who can you trust?
If you can't trust them, don't give them the job.

You could write a tool in C to act as an intermediary.
Have it take whatever args you give to the Ruby script.
But allow the C tool to run under a uid used by the system, but allow
the user execute privileges on the C tool.
The C tool then runs the Ruby script owned by the other uid and
passes the args to it, returning to the user any important results.

It's convoluted but any solution is going to be, other than hiring
somebody you trust.
 
Logan Capaldo

> It seems that using setuid removes '.' from $LOAD_PATH. If you add
> $LOAD_PATH.push('.') it should solve the loading issue. As an aside,
> you can minimise security issues by having a user other than root own
> the ruby executable. Perhaps the same user who owns the code? But this
> would probably cause issues with gems and permissions. There are lots of
> different approaches you could take from there, it all depends on what
> you like. One nice feature I've noticed is that -e is not allowed when
> running setuid, which means a user can't simply do ruby -e 'puts
> File.read("test.rb")', although there is nothing to stop them putting
> that code in a file and running it that way. Covering up that
> loophole I can't help with.

As soon as you push '.' it's game over.

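foo.rb:
# When SCRIPT_LINES__ is a Hash, Ruby stores the source lines of every
# file it loads in it, keyed by file name.
SCRIPT_LINES__ = {}
at_exit { p SCRIPT_LINES__ }

ruby -rfoo the_script_that_needs_to_be_invisible.rb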
 
Shai Rosenfeld

> I have written an app in Ruby for my company and I was the only one
> that had access to read/execute it. I've hired someone to help me with
> daily work and that includes having him execute a set of those Ruby
> scripts.
>
> Is it possible to allow him to only execute the code and not give read
> permission? All boxes are running Linux.

I may have overlooked something, but what is wrong with using chmod?

http://www.computerhope.com/unix/uchmod.htm

-rwx--x--- 1 mksm youandfriendgroup 7264 2006-12-07 13:42 rubyscript.rb

In the example above only you have all Read-Write-eXecute permissions,
and your friend only has eXecute permissions.
 
Logan Capaldo

> I may have overlooked something, but what is wrong with using chmod?
>
> http://www.computerhope.com/unix/uchmod.htm
>
> -rwx--x--- 1 mksm youandfriendgroup 7264 2006-12-07 13:42 rubyscript.rb
>
> In the example above only you have all Read-Write-eXecute permissions,
> and your friend only has eXecute permissions.

Ruby scripts are not ELF/Mach-O/PE/"whatever your system uses"
binaries. Your friend needs to be able to read the script to execute
it.
 
John Joyce

> Ruby scripts are not ELF/Mach-O/PE/"whatever your system uses"
> binaries. Your friend needs to be able to read the script to execute
> it.

Well, the permissions settings need to include the UID of the process
that tries to use the script.
It is possible to make it a system level UID where users can run it
indirectly, but not open and read the file. But any admin can change
that, and a good admin would probably be very suspicious of it.
 
Martin DeMello

> Ruby scripts are not ELF/Mach-O/PE/"whatever your system uses"
> binaries. Your friend needs to be able to read the script to execute
> it.

Haven't tried this myself, but rubyscript2exe might work with chmod -r

martin
 
Joel VanderWerf

Martin said:
> Haven't tried this myself, but rubyscript2exe might work with chmod -r

rubyscript2exe unpacks to a tmp dir, and then loads the files more or
less normally, doesn't it?
 
