[Seaside] Live Ruby on rails tutorial sites

Norbert Hartl norbert at hartl.name
Tue Jan 31 13:19:44 UTC 2012


You need to define what you are willing to risk. Then you need to define your sandbox. Chroot and jail are similar and basically isolate just on the filesystem layer. Access to other resources is not easily possible because inside the jail there is no default access. But you give away control over the jailed environment. A malicious person can still bring his own binaries and abuse the network.
If you are looking for better isolation and you are not too eager to use FreeBSD, then have a look at Linux containers (LXC) [1]. Anyway you give away access to resources like the network.
If you need better isolation then you would need to get rid of the primitives in the VM. Probably it is not too hard to get rid of system-accessing primitives after the image has been loaded and changes etc. are disabled. I think Igor proposed something with an irreversible primitive call that disables some primitives.

my 2 cents,

Norbert

[1] http://lxc.sourceforge.net/

On 31.01.2012 at 13:36, Gastón Dall' Oglio wrote:

> Ah ok, I never :) But I am curious about this technology of jails in FreeBSD for hosted Seaside instances.
> Regards.
> 
> 2012/1/28 laurent laffont <laurent.laffont at gmail.com>
> 2012/1/28 Gastón Dall' Oglio <gaston.dalloglio at gmail.com>
> Laurent, just out of curiosity, I know that Jails exist in FreeBSD; do you use FreeBSD jails?
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
> 
> No. I have not booted a FreeBSD for years ..... 
> 
> Laurent
> 
>  
> 
> 2012/1/25 laurent laffont <laurent.laffont at gmail.com>
> On Tue, Jan 24, 2012 at 2:42 PM, Nick Ager <nick.ager at gmail.com> wrote:
> It's not as easy as that.
> 
> (1 perform: ('cla', 'ss') asSymbol) environment at: ('Comp', 'iler') asSymbol
> 
> And again, you give the web app user the full rights of the OS user
> that runs the image. Deleting the code that owned you after the
> session times out doesn't solve a thing once you've been owned. It
> also doesn't help if two users at the same time want to work on a
> class named 'Test' or 'MyClass' or 'Example'.
> 
> you could always use chroot [1] and isolate each web app user's environment.
> 
> [1] http://en.wikipedia.org/wiki/Chroot
> 
> 
> On SmallHarbour we use a secured VM so each image runs in a "jail" and cannot access the filesystem outside of its root dir. There's some (ugly / hacky) automated image deployment. If someone wants to play with it, I can help.
> 
> Laurent
> 
>  
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 
> 
> 
