On 10/7/07, Christian <chippersbox / gmail.com> wrote:
> It seems that using setuid removes '.' from $LOAD_PATH. If you add
> $LOAD_PATH.push('.') it should solve the loading issue. As an aside,
> you can minimise security issues by having a user other than root own
> the ruby executable. Perhaps the same user who owns the code? But this
> would probably cause issues with gems and permissions. There are lots of
> different approaches you could take from there, it all depends on what
> you like. One nice feature I've noticed is that -e is not allowed when
> running setuid which means a user can't simply do ruby -e 'puts
> File.read("test.rb")', although there is nothing to stop them putting
> that code in a file and running it that way. Covering up that
> loophole I can't help with.
>

As soon as you push '.' it's game over.

foo.rb:
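# When SCRIPT_LINES__ is a Hash, Ruby stores the source lines of every
# file loaded afterwards in it, keyed by file name.
SCRIPT_LINES__ = {}
at_exit { p SCRIPT_LINES__ }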

ruby -rfoo the_script_that_needs_to_be_invisible.rb
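
A defensive check for the problem shown above, as an added example that is not part of the original thread: before a privileged script requires anything, it can audit its load path for entries a less-privileged caller could control. The helper name, its parameters and the demo directories are hypothetical and constructed for illustration.

```ruby
require 'tmpdir'

# Hypothetical audit helper (not from the thread). Returns [entry, reason]
# pairs for load-path entries a less-privileged caller could influence.
# stop_at bounds the ancestor walk; it exists so the demo below is hermetic.
def unsafe_load_path_entries(paths, trusted_uids: [0, Process.euid], stop_at: '/')
  paths.map(&:to_s).each_with_object([]) do |entry, findings|
    unless entry.start_with?('/')
      # '.', '' and 'lib' all resolve against the caller's working directory.
      findings << [entry, 'relative to the caller-chosen working directory']
      next
    end
    dir = entry
    loop do
      st = (File.stat(dir) rescue nil)
      reason =
        if st.nil?
          "#{dir} is missing or unreadable"
        elsif !trusted_uids.include?(st.uid)
          "#{dir} is owned by uid #{st.uid}"
        elsif (st.mode & 0o022) != 0 && !(dir != entry && st.sticky?)
          # A sticky ancestor such as /tmp is tolerated; the entry itself is not.
          "#{dir} is group- or world-writable"
        end
      if reason
        findings << [entry, reason]
        break
      end
      break if dir == stop_at || dir == '/'
      dir = File.dirname(dir) # a writable parent lets the entry be replaced
    end
  end
end

# Constructed demo: one safe directory, one world-writable directory, and '.'.
def demo_findings
  Dir.mktmpdir do |base|
    safe = File.join(base, 'safe')
    open_dir = File.join(base, 'open')
    Dir.mkdir(safe, 0o755)
    Dir.mkdir(open_dir)
    File.chmod(0o777, open_dir)
    unsafe_load_path_entries([safe, open_dir, '.'], stop_at: base)
  end
end

demo_findings.each { |entry, why| puts "#{entry}: #{why}" } if $PROGRAM_NAME == __FILE__
```

In a real script the call would be unsafe_load_path_entries($LOAD_PATH), with the script aborting on any finding.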