[02:56:19] Rumbles: hi, can anyone advise how to run a rails console in a sandbox which restricts the user from accessing system commands? http://superuser.com/questions/1009250/forcing-a-user-on-login-in-to-a-rails-console-and-prevent-them-access-system-co
[10:31:34] Rumbles: can anyone suggest how I would sandbox a rails process, so that a user can connect to a machine and have access to a rails console, but no system commands? I've posted in detail here: http://serverfault.com/questions/741073/forcing-a-user-on-remote-connection-in-to-a-rails-console-and-prevent-them-acc
[08:15:27] Rumbles: can anyone answer my question on how to restrict a user to a ruby console on a remote connection? http://superuser.com/questions/1009250/forcing-a-user-in-to-a-ruby-console-which-cannot-run-any-system-commands
[15:59:48] Rumbles: hi, is there any way to stop a user in a ruby console from running system commands?
[16:12:38] Rumbles: Ox0dea, so what I'm trying to do is to allow a user to ssh on to a box, and if the session comes from a certain key, it just runs this script: http://fpaste.org/297464/ This puts them in the ruby console in a particular environment. The idea is to allow a dev on to a machine to check if things are working
[16:13:05] Rumbles: I showed my boss and he was able to run commands like `rm -rf *` or `bash` and break out in to a bash console
[16:19:09] Rumbles: okay, that's great, can you tell me how? I'm trying to search for how to sandbox, but all my googling has returned so far is to run the ruby c with --sandbox
[16:38:42] Rumbles: havenwood, I am familiar with the concept of chroot jails, I have used them in the past with sftp setup, but I don't know how I would do that when running the ruby console
[16:40:30] Rumbles: my google searches only returned the --sandbox flag and that didn't stop me from being able to run system commands
[18:27:31] Rumbles: so, I'm still trying to figure out how to load a ruby console without giving the user access to the bash env
[18:28:06] Rumbles: I'm wondering can I run a chroot command as the first command run in the ruby console when it loads?
[18:28:49] Rumbles: since, I don't know which folder I want to chroot to until the user has selected it as part of the bash script
[18:33:19] Rumbles: so, my technique was to have the command listed in the authorized_keys file as explained here: http://fpaste.org/297515/
[18:34:15] Rumbles: but I want to chroot the user after the console is started, is there a way to run the chroot in that script? or would I have to rethink my approach?
[18:39:32] Rumbles: I would have to copy everything the user needs to run ruby console before I start in to the app_root each time the user wants to go in
[18:39:42] Rumbles: and I don't know where the user is going to work until they have made a selection
[18:41:37] Rumbles: well, in dev where I am testing our server has a load of apps, in prod that wouldn't normally be an issue
[18:42:16] Rumbles: do you have to be root to run something like Dir.chroot("/var/chroot/mychroot") in ruby ?
[19:09:33] Rumbles: damn, that's a shame, that looked promising Ox0dea but required linux => 3.8, and I'm going to have to do this on ubuntu 14.04 machines running kernel 3.19 :(