Friday, April 28, 2006

Ruby on Rails and Security

Ruby on Rails is the most recently hyped language, so I thought about testing it out on my development server. I followed the tutorial available on the RoR website. It went fine until I did a ./scripts/generate command and got a lot of syntax errors:

/usr/lib/ruby/1.8/yaml.rb:133:in `load': syntax error on line 27, col 2: `  host: localhost' (ArgumentError)
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:459:in `database_configuration'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:181:in `initialize_database'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:84:in `process'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:42:in `run'
from ../config/../config/environment.rb:13
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in `require'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/commands/generate.rb:1
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/


I started looking around at the folder structure that Ruby installs itself into when you create a new RoR application. Below my main folder, which the tutorial instructed me to create an alias or virtual directory for, is the config folder. Inside the config folder is the database.yml file, holding my database information, with accounts and hard-coded passwords. (On my box, it's all localhost only, but still...)

Just to check, I fired up my browser and entered http://myserver/myrailsalias/config/database.yml. All the information popped up. I changed the Apache alias to /mypathtorails/public/ which I didn't see in the tutorial. This seems to be a lot more secure. This doesn't mean RoR is any more or less secure than any other interpreted scripting language for web applications, just that right now, it's easy to install it in a less secure manner.
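To make the alias change concrete, here is the weak Apache mapping beside the corrected one. This is an added example, not configuration from the original post or from the Rails project; the application path /var/www/myrailsapp and the URL prefix /myrailsalias are placeholders, and the directives use the Apache 2.2 access-control syntax of the period (Apache 2.4 replaces Order/Allow/Deny with Require all granted and Require all denied).

```apache
# Added example (not from the original post). Placeholders: the Rails app
# lives at /var/www/myrailsapp and is published under /myrailsalias.

# Weak: the alias maps the application root, so every file below it,
# including config/database.yml, is served to anyone who requests it.
# Alias /myrailsalias /var/www/myrailsapp

# Corrected: map only the public/ directory. config/, app/, db/ and the
# rest of the tree sit outside the served path and are never delivered.
Alias /myrailsalias /var/www/myrailsapp/public
<Directory /var/www/myrailsapp/public>
    Options -Indexes
    # AllowOverride All so that any .htaccess Rails places in public/
    # (its mod_rewrite rules for the dispatcher) still applies.
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

# Defence in depth: refuse to serve any *.yml file even if a later
# edit widens the served tree again.
<FilesMatch "\.yml$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After reloading Apache, a request for http://myserver/myrailsalias/config/database.yml should return a 404 (there is no config/ under public/), and a request for any file ending in .yml anywhere under the alias should return a 403; checking both in a browser or with a command-line client is the quickest way to confirm the change took effect.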

What's the point? Know what you're installing, where it installs, what permissions it needs, and what context it runs as. And don't put your database.yml someplace where anyone can download it. I know there are websites where I could find it, but I'm not going to try. That doesn't mean someone else isn't writing a bot to find it right now.

Oh, and know how Apache and httpd.conf work, too. All that is a lot to expect from people looking for a simple programming language.
