Security of ruby-hosted web sites

James Britt

I have a friend interested in hosting Ruby web sites (with Apache, on, I
believe, Red Hat 7), using either mod_ruby or CGI (or perhaps both, at
user discretion). I've got him interested in Ruby, and he wants some
assurance that hosting others' Ruby sites won't be a problem.

Aside from general site security (don't run apache as root, etc.) is
Ruby any more or less secure than, say, Perl or PHP?

Is mod_ruby inherently safer (or not) than CGI?

Can users be prevented from messing with $SAFE?

The sense I get from perusing past ruby-talk posts on the matter is
that, given proper site security, users may be at liberty to expose
their own sites to cracks, but the server as a whole would not be at
risk. Is this true? (It certainly *seems* that it should be so.)


Thanks; any pointers to general web site security appreciated as well.


James Britt
 
Josef 'Jupp' SCHUGT

Hi!

* James Britt; 2003-12-14, 20:53 UTC:
> Aside from general site security (don't run apache as root, etc.)
> is Ruby any more or less secure than, say, Perl or PHP?

Security issues with server-side applications in almost any case
result from bugs in the applications and the web server.

The most important risk is the application, no matter if it is written
in Perl, PHP or Ruby. The majority of attacks result from weak
security of these programs.

The next important point is the Apache web server. Not that it is
buggy but it is the most widely used web server software so it
permanently is under heavy fire. Even Achilles would get injured in
that situation - one bullet or the other would find its way to
Achilles' heel.

Unless you have done your best to minimize the above problems - the
former can be minimized by using $SAFE, the latter by applying
security patches ASAP - it makes no sense to look into the security of
Ruby itself.

It's always the weakest link of a chain that needs most attention.

Just my 2 Euro Cent.

Josef 'Jupp' SCHUGT
 
