If you can't trust your worker, who can you trust?
If you can't trust them, don't give them the job.

you could write a tool in C to act as an intermediary.
Have it take whatever args you give to the Ruby script.
But allow the C tool to run under a uid used by the system, but allow  
the user execute priveledges on the C tool.
The C tool then runs the Ruby script owned by the other uid and  
passes the args to it, returning to the user any important results.

It's convoluted but any solution is going to be, other than hiring  
somebody you trust.