Date:  Thu, 23 Sep 2004 20:09:58 +0200
From:  Nagy Bence <tipogral@...>
Subject:  Re: Security error with ERuby
To:  modruby@... (modruby ML)
Message-Id:  <20040923200958.0662acef.tipogral@...>
In-Reply-To:  <20040923195657.1a8438fc.tipogral@...>
References:  <20040920121633.5f35af04.tipogral@...>	<4150CCB2.6040504@...>	<41509A6D.8030706@...>	<4152CEBF.2080307@...>	<20040923195657.1a8438fc.tipogral@...>
X-Mail-Count: 01314

> All of my directories under /usr/lib/ruby are owned by root and have
> 755 rights, the files I want to load (cgi.rb, date.rb ...) have 644.

Now I tried again my minimal example

<%=require('cgi')%>

It works with RubySafeLevel 0 (writes 'true' out), but fails otherwise
with the following error message:

[Thu Sep 23 20:04:40 2004] [error] mod_ruby: error in ruby
[Thu Sep 23 20:04:41 2004] [error] mod_ruby:
/home/gimb/public_html/test.rhtml:1:in `require': loading from unsafe
path /usr/lib/ruby/site_ruby/1.8:/usr/lib/ruby/site_rub
y/1.8/i686-linux:/usr/lib/ruby/site_ruby:/usr/lib/ruby/1.8:/usr/lib/rub
y/1.8/i686-linux:. (SecurityError)[Thu Sep 23 20:04:41 2004] [error]
mod_ruby:   from /home/gimb/public_html/test.rhtml:1[Thu Sep 23 20:04:41
2004] [error] mod_ruby:   from (eval):0[Thu Sep 23 20:04:41 2004]
[error] mod_ruby:   from /usr/lib/ruby/1.8/apache/eruby-run.rb:116:in
`eval_string_wrap'[Thu Sep 23 20:04:41 2004] [error] mod_ruby:   from
/usr/lib/ruby/1.8/apache/eruby-run.rb:116:in `run'[Thu Sep 23 20:04:41
2004] [error] mod_ruby:   from
/usr/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'

Greetings,

Bence