system()

Jesper Olsen

I want to call a shell command from a mod_ruby cgi-script, eg.:

system("ls>out.txt")

But it is not possible with the $SAFE=1 level of the mod_ruby
installation provided by my web host provider (system returns false).

Is there any way I can hack this? The only thing I can think of
is to write a C-extension and make the call from there.

Or, of course, write the whole application in PHP or Python... :-(

Cheers
Jesper
 
ts

J> But it is not possible with the $SAFE=1 level of the mod_ruby
J> installation provided by my web host provider (system returns false).

Well, if system returns false this is not because $SAFE = 1 but probably
because the process can't write to out.txt.

svg% pwd
/usr
svg%

svg% ruby -e 'p system("ls>out.txt")'
sh: line 1: out.txt: No such file or directory
false
svg%


With $SAFE = 1, you can get a SecurityError if the string is tainted:

svg% cd
svg%

svg% ruby -e '$SAFE = 1; p system("ls>out.txt")'
true
svg%

svg% ruby -e '$SAFE = 1; p system("ls>out.txt".taint)'
-e:1:in `system': Insecure operation - system (SecurityError)
from -e:1
svg%



Guy Decoux
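As an added illustration of the point above (example code, not from Guy's post or from mod_ruby): system() distinguishes three outcomes, and the redirect-into-an-unwritable-directory case is the false one. The second helper gets the same listing without going through a shell at all, so a permission problem surfaces as a Ruby exception rather than a silent false. The directory names are constructed for the example.

```ruby
# Added example: diagnosing a false return from system() and running the
# same command without shell redirection. Not code from the original thread.
require "open3"
require "tmpdir"

# What system() reported: true (exit status 0), false (non-zero exit, for
# example when sh could not open the redirect target) or nil (the command
# could not be executed at all).
def classify_system(result)
  case result
  when true  then :ok
  when false then :nonzero_exit
  when nil   then :not_executed
  end
end

# The thread's approach: let the shell redirect `ls` into dir/out.txt.
# If dir is not writable the shell reports the failed redirect and exits
# non-zero, so system() returns false with no Ruby exception.
def ls_with_shell(dir)
  system("ls 2>/dev/null > #{File.join(dir, 'out.txt')}")
end

# Same result without a shell: argv form means no shell parsing of the
# path, and Ruby writes the file itself, so an unwritable directory raises
# Errno::ENOENT / Errno::EACCES instead of returning false.
def ls_without_shell(dir)
  out, _err, status = Open3.capture3("ls", dir)
  File.write(File.join(dir, "out.txt"), out)
  status.success?
end

if __FILE__ == $0
  Dir.mktmpdir do |d|
    p classify_system(ls_with_shell(d))      # :ok
    p classify_system(ls_without_shell(d))   # :ok
  end
  p classify_system(ls_with_shell("/nonexistent-dir-for-this-test"))  # :nonzero_exit
end
```

The nil case is the one the thread never reached: `system("no-such-command")` returns nil because the executable could not be started, which is worth telling apart from a command that ran and failed.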
 
Jesper Olsen

ts said:
J> But it is not possible with the $SAFE=1 level of the mod_ruby
J> installation provided by my web host provider (system returns false).

Well, if system returns false this is not because $SAFE = 1 but probably
because the process can't write to out.txt.

svg% pwd
/usr
svg%

svg% ruby -e 'p system("ls>out.txt")'
sh: line 1: out.txt: No such file or directory
false
svg%


With $SAFE = 1, you can get a SecurityError if the string is tainted:

svg% cd
svg%

svg% ruby -e '$SAFE = 1; p system("ls>out.txt")'
true
svg%

svg% ruby -e '$SAFE = 1; p system("ls>out.txt".taint)'
-e:1:in `system': Insecure operation - system (SecurityError)
from -e:1
svg%



Guy Decoux

Thanks Guy,

It is not as bad as I thought - it was not a problem of $SAFE (or
taint).

Rather a problem of the cgi process not having permission to create
files in that particular dir - so in this case a "pure" ruby script
would also have failed (but at least it would have produced an exception).

I should have checked that of course - but I assumed mod_ruby had a
fundamental flaw which prevented system from running properly. :)

The tainting and $SAFE levels are unique to Ruby - I tend to stumble
over them, rather than find them useful.

Jesper
 
ts

J> The tainting and $SAFE levels are unique to Ruby - I tend to stumble

no, no: a P language has something similar.

J> over them, rather than find them useful.

then never use plruby, it runs with $SAFE >= 4 :)


Guy Decoux
 
Ara.T.Howard

Date: 28 Dec 2003 23:41:56 -0800
From: Jesper Olsen <[email protected]>
Newsgroups: comp.lang.ruby
Subject: Re: system()
Rather a problem of the cgi process not having permission to create files in
that particular dir - so in this case a "pure" ruby script would also have
failed (but at least it would have produced an exception).
</snip>

a very helpful thing with any cgi program (mod_ruby, fastcgi, cgi, etc) is to
do something _similar_ to this:

#!/usr/bin/ruby
require 'cgi'

cgi = CGI.new
content = ''   # start empty so the page body can be appended to
type = nil

begin
  # build the page here; anything that raises is caught below
  # content << t.expand data
  # cgi stuff that can throw exceptions

rescue Exception => e
  # send the error and its backtrace to the browser instead of a blank page
  type = 'text/plain'
  content = <<-html
  #{ e }
  #{ e.backtrace.join "\n" }
  html

ensure
  # always emit a response, defaulting to text/html
  cgi.out('type' => type || 'text/html') { content }
end


you get the idea - you can even do this only when running in non-interactive
mode (STDIN.tty? #=> false)

saves TONS of debugging time. when code goes into production you can change
the message to a simple error message but mail yourself/log the backtrace.

-a
--

ATTN: please update your address books with address below!

===============================================================================
| EMAIL :: Ara [dot] T [dot] Howard [at] noaa [dot] gov
| PHONE :: 303.497.6469
| ADDRESS :: E/GC2 325 Broadway, Boulder, CO 80305-3328
| STP :: http://www.ngdc.noaa.gov/stp/
| NGDC :: http://www.ngdc.noaa.gov/
| NESDIS :: http://www.nesdis.noaa.gov/
| NOAA :: http://www.noaa.gov/
| US DOC :: http://www.commerce.gov/
|
| The difference between art and science is that science is what we
| understand well enough to explain to a computer.
| Art is everything else.
| -- Donald Knuth, "Discover"
|
| /bin/sh -c 'for l in ruby perl;do $l -e "print \"\x3a\x2d\x29\x0a\"";done'
===============================================================================
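The production variant Ara describes (generic message to the client, backtrace kept for yourself), written out as an added example that is not code from his post or from the cgi library. The `render_with_rescue` helper, its `production:` switch and the log destination are assumptions for the example; it rescues StandardError rather than Exception so that SystemExit and signals still terminate the process.

```ruby
# Added example: the rescue/ensure pattern with a production switch.
# Not code from the original thread.
require "logger"
require "stringio"

# Runs the block that builds the page and returns [content_type, body].
# Development: the exception and backtrace go to the client as text/plain.
# Production: the client gets a fixed message and the details go to the log,
# so paths, class names and stack frames are not exposed to the browser.
def render_with_rescue(production:, logger:)
  type = nil
  content = nil
  begin
    content = yield
    type = "text/html"
  rescue StandardError => e
    type = "text/plain"
    detail = "#{e.class}: #{e.message}\n#{e.backtrace.join("\n")}\n"
    if production
      logger.error(detail)
      content = "Internal error; it has been logged.\n"
    else
      content = detail
    end
  end
  # the ensure in the original always emits a response; default the type here
  [type || "text/html", content]
end

if __FILE__ == $0
  log = Logger.new($stderr)
  type, body = render_with_rescue(production: true, logger: log) { raise "boom" }
  puts "#{type}: #{body}"     # text/plain: Internal error; it has been logged.
end
```

In a real CGI the pair returned here would be handed to `cgi.out('type' => type) { body }` exactly as in the post above; the switch could be driven by an environment variable or by `STDIN.tty?` as Ara suggests.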