Issue #8468 has been updated by charliesome (Charlie Somerville).


Personally, I don't think Ruby should have *any* security features like $SAFE or granular sandboxing at all.

Trying to build a sandboxed environment for running untrusted code at the same level as the code being run is a fundamentally flawed idea. If a $SAFE check is missed in just one place - the entire security of the system comes tumbling down.

Granular sandboxing like the JVM provides is also flawed in the same way as $SAFE. Sure, it might be marginally better in some ways, but it still shares the same weakness as $SAFE - one missing check anywhere in the system (whether in CRuby itself, or a C extension) compromises the security of the entire system. You only need to look at all the Java 0-days to see how a single tiny mistake made in privileged code can lead to total compromise.

The *real* solution to this problem is to run a sandbox at the level above Ruby. I run untrusted code on http://eval.in inside a ptrace based sandbox. System calls must be explicitly whitelisted, and strict checks are performed on arguments before allowing a system call to be made. This significantly reduces the attack surface to just a handful of system calls, which is far better than trying to make sure that every single part of a massive programming language like Ruby is secure

Instead of encouraging people to rely on flawed/broken security models like $SAFE or VM-level granular sandboxing, we should encourage them to rely on a more robust OS-level solution instead.

I would be quite happy to see features like $SAFE, trust, and taint removed from the Ruby programming language.
----------------------------------------
Feature #8468: Remove $SAFE
https://bugs.ruby-lang.org/issues/8468#change-39649

Author: shugo (Shugo Maeda)
Status: Feedback
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: core
Target version: current: 2.1.0


Yesterday, at GitHub Tokyo drinkup (thanks, GitHub!), Matz agreed to remove the $SAFE == 4 feature from Ruby 2.1.
Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4, also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least level 4).

Furthermore, I'm wondering whether $SAFE should be removed entirely, or not.
Is there anyone using $SAFE?


-- 
http://bugs.ruby-lang.org/