[Seaside] Live Ruby on rails tutorial sites

Gastón Dall' Oglio gaston.dalloglio at gmail.com
Tue Jan 31 14:30:13 UTC 2012 

Hi Norbert.

> You need to define what you are willing to risk.



> Chroot and jail are similar and basically isolate just on the filesystem
layer.









2012/1/31 Norbert Hartl <norbert at hartl.name>

> You need to define what you are willing to risk.
>

Yes right, I just have interesting about jails, but just now I do not have
a real scenario, I'm the only user in my hosting.


> Then you need to define your sandbox. Chroot and jail are similar and
> basically isolate just on the filesystem layer. Access to other resources
> is not easy possible because inside the jail there is no default access.
> But you give away control over the jailed environment. A malicious person
> can still bring his own binaries and abuse the network.
>

As far I know, jail are more like a OS virtual machine, becouse it be able
to control other resource not only file system, like your proccess and
network configurations, see See: http://en.wikipedia.org/wiki/FreeBSD_jail.
But not controled the cpu and ram utilization, and then yes a user can be
abusing of them and network. But for control the network usage i think that
the best approach is a firewall external to the jails (and good switch :).


> If you are looking for better isolation and you are not to eager to use
> freeBSD then have a look at linux containers LXC [1]. Anyway you give away
> access to resources like the network.
>

Thanks for the data, I check lxc that mu hosting is a Linux box.

If you need better isolation then you would need to get rid of the
> primitives in the vm. Probably it is not to hard to get rid of system
> accessing primitives after the image has been loaded and changes etc. are
> disabled. I think Igor proposed something with an irreversible primitive
> call that disables some primitives.
>

Very advance for my, but sounds like the better solution.


>
> my 2 cents,
>
> Norbert
>

Thanks.
Gastón.


>
> [1] http://lxc.sourceforge.net/
>
> Am 31.01.2012 um 13:36 schrieb Gastón Dall' Oglio:
>
> Ah ok, I never :) But I have curiosity for this tecnology of jails in
> FreeBSD for hosted seaside instances.
> Regards.
>
> 2012/1/28 laurent laffont <laurent.laffont at gmail.com>
>
>> 2012/1/28 Gastón Dall' Oglio <gaston.dalloglio at gmail.com>
>>
>>> Laurent, just for curiosity, in FreeBSD I know that existing Jails, do
>>> you use FreeBSD jails?
>>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
>>>
>>
>> No. I have not booted a FreeBSD for years .....
>>
>> Laurent
>>
>>
>>
>>>
>>> 2012/1/25 laurent laffont <laurent.laffont at gmail.com>
>>>
>>>> On Tue, Jan 24, 2012 at 2:42 PM, Nick Ager <nick.ager at gmail.com> wrote:
>>>>
>>>>> Ce n'est pas si facile que ça.
>>>>>>
>>>>>> (1 perform: ('cla', 'ss') asSymbol) environment at: ('Comp', 'iler')
>>>>>> asSymbol
>>>>>>
>>>>>> And again, you give the web app user the full rights of the OS user
>>>>>> that runs the image. Deleting the code that owned you after the
>>>>>> session times out doesn't solve a thing once you've been owned. It
>>>>>> also doesn't help if two users at the same time want to work on a
>>>>>> class named 'Test' or 'MyClass' or 'Example'.
>>>>>>
>>>>>
>>>>> you could always use chroot [1] and isolate each web app user's
>>>>> environment.
>>>>>
>>>>> [1] http://en.wikipedia.org/wiki/Chroot
>>>>>
>>>>>
>>>> On SmallHarbour we use a secured VM so each image run in a "jail" and
>>>> cannot access filesystem out of its root dir. There's some (ugly / hacky)
>>>> automated image deployment. If someone want to play with I can help.
>>>>
>>>> Laurent
>>>>
>>>>
>>>>
>>>>> _______________________________________________
>>>>> seaside mailing list
>>>>> seaside at lists.squeakfoundation.org
>>>>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> seaside mailing list
>>>> seaside at lists.squeakfoundation.org
>>>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>>>
>>>>
>>>
>>> _______________________________________________
>>> seaside mailing list
>>> seaside at lists.squeakfoundation.org
>>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>>
>>>
>>
>> _______________________________________________
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>
>>
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>
>
>
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/seaside/attachments/20120131/5b9af32f/attachment-0001.htm

More information about the seaside mailing list