[Backgroundrb-devel] Backgroundrb in shared hosting environment
Gaël SECHAUD
gael.sechaud at dev-ruby.zefiris.org
Mon May 25 12:10:35 EDT 2009
Hi,
> I am running a linux shared hosting environment, and one of my users
> would like to make use of an app (Coupra Express) which uses
> backgroundrb to process certain tasks. This requires that I run
> backgroundrb as a service so that it is always available to the client.
I recently had the same problem: at first I thought of setting iptables rules,
but it turned out to be a pain, as I needed to set one rule per user running in my
environment.
Another solution was to patch the kernel with GRSec, but I'm not fond of this
solution.
So I came up with a third solution: patching backgroundrb with a modification of
mine (you will find the patch and the revision to which it's applied), adding
password support. It's quite a temporary solution, as I haven't figured out
another solution.
> What I am trying to assess is if there are potential security risks in
> running this in a shared hosting environment. I assume that this service
> would be available to other users on the same server as well - if so are
> there any security issues that I should be aware of there? I read on
> http://www.ruby-forum.com/topic/69440 that backgroundrb can be
> configured to only accept connections from localhost (I believe this was
> the default behaviour)?
You can configure backgroundrb to only accept connections from localhost, but I
think it won't solve your problem if you have multiple clients running on your host:
even if backgroundrb is bound to localhost, other clients who have a solution on your
host can still access other instances of backgroundrb by tweaking their backgroundrb.yml
(which I consider to be a security issue).
Regards.
--
SECHAUD Gaël
----- How To -----
To add password support, just patch backgroundrb and add the following
entry in your backgroundrb config (commonly
RAILS_ROOT/config/backgroundrb.yml):
:backgroundrb:
  [..]
  :password: Your_Password
----- revision info -----
svn info
Path: .
URL: http://svn.devjavu.com/backgroundrb/trunk
Repository Root: http://svn.devjavu.com/backgroundrb
Repository UUID: 69d54aea-511f-0410-a924-81c4482807e4
Revision: 331
Node Kind: directory
Schedule: normal
Last Changed Author: gethemant at gmail.com
Last Changed Rev: 330
Last Changed Date: 2008-10-14 12:51:23 +0200 (Tue, 14 Oct 2008)
----- patch -----
diff -crB backgroundrb/lib/backgroundrb/bdrb_connection.rb
backgroundrb-patched/lib/backgroundrb/bdrb_connection.rb
*** backgroundrb/lib/backgroundrb/bdrb_connection.rb 2009-05-25
17:18:35.000000000 +0200
--- backgroundrb-patched/lib/backgroundrb/bdrb_connection.rb 2009-05-25
16:48:48.000000000 +0200
***************
*** 8,13 ****
--- 8,14 ----
@server_port = port
@cluster_conn = cluster_conn
@connection_status = true
+ @password = BDRB_CONFIG[:backgroundrb][:password].nil? ? false :
BDRB_CONFIG[:backgroundrb][:password]
end
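Review bot: the secret this hunk loads comes from RAILS_ROOT/config/backgroundrb.yml, and on the shared host this patch is meant for, that file is readable by every other local user unless its mode is restricted; the how-to above should say the file must be owned by the application user and not be group- or world-readable, otherwise the password adds nothing over the localhost bind the reply already calls insufficient. The `.nil? ? false : BDRB_CONFIG[:backgroundrb][:password]` expression is also duplicated verbatim in `post_init` of master_worker.rb; one shared helper keeps the client and server reading the value the same way.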
***************
*** 66,71 ****
--- 67,73 ----
end
def dump_object data
+ data[:password] = @password
establish_connection
raise BackgrounDRb::BdrbConnError.new("Error while connecting to
the backgroundrb server #{server_info}") unless @connection_status
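Review bot: `data[:password] = @password` mutates the caller's hash and marshals the password into every request, so it crosses the socket in cleartext on each call. That is tolerable only while the server listens on loopback; the how-to should state that the patch must not be used with a non-loopback bind address. When no password is configured the line still adds `:password => false` to each payload; guard it with `if @password` so unpatched servers receive unchanged requests.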
diff -crB backgroundrb/server/lib/master_worker.rb
backgroundrb-patched/server/lib/master_worker.rb
*** backgroundrb/server/lib/master_worker.rb 2009-05-25
17:18:35.000000000 +0200
--- backgroundrb-patched/server/lib/master_worker.rb 2009-05-25
16:50:53.000000000 +0200
***************
*** 25,31 ****
end
class MasterWorker
! attr_accessor :debug_logger
include BackgrounDRb::BdrbServerHelper
# receives requests from rails and based on request type invoke
appropriate method
def receive_data p_data
--- 25,31 ----
end
class MasterWorker
! attr_accessor :debug_logger,:password
include BackgrounDRb::BdrbServerHelper
# receives requests from rails and based on request type invoke
appropriate method
def receive_data p_data
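Review bot: `attr_accessor :password` adds a public writer on MasterWorker that nothing in the patch uses (`post_init` assigns `@password` directly). Exposing a setter on the object that performs the authentication check invites accidental overwrite; `attr_reader :password`, or no accessor at all, is sufficient.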
***************
*** 33,38 ****
--- 33,45 ----
begin
t_data = load_data b_data
if t_data
+ # check password
+ if @password && t_data[:password] != @password
+ debug_logger.info("Invalid password :
#{t_data.inspect}")
+ error_password(t_data)
+ return
+ end
+
case t_data[:type]
# async method invocation
when :async_invoke: async_method_invoke(t_data)
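Review bot: the check fails open: `if @password && ...` means a missing or nil `:password` in the config silently disables authentication, which is the opposite of what a shared-host deployment wants; the server should refuse to start, or at least log a warning, when no password is set. The log line `debug_logger.info("Invalid password : #{t_data.inspect}")` also writes the whole request, including the wrong password the client submitted and any method arguments, into the log; log the worker name only. `t_data[:password] != @password` is a plain short-circuit string comparison, and a constant-time compare is cheap insurance even on loopback.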
***************
*** 55,60 ****
--- 62,76 ----
end
end
+ # Send password require info to the user
+ def error_password(t_data)
+ worker_name_key =
gen_worker_key(t_data[:worker],t_data[:worker_key])
+ worker_instance = reactor.live_workers[worker_name_key]
+ info_response = { :error => "Password required / Wrong
password" }
+ worker_instance ? (info_response[:status] = :running) :
(info_response[:status] = :stopped)
+ send_object(info_response)
+ end
+
# Send worker info to the user
def pass_worker_info(t_data)
worker_name_key =
gen_worker_key(t_data[:worker],t_data[:worker_key])
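Review bot: `error_password` answers an unauthenticated caller with `:status => :running` or `:stopped` for the requested worker, copied from `pass_worker_info`, so a client with no valid password can still enumerate which workers exist and whether they are running. Return only the `:error` entry before authentication succeeds; the `gen_worker_key` lookup and `reactor.live_workers` access are unnecessary in this path.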
***************
*** 163,168 ****
--- 179,185 ----
# called whenever a new connection is made.Initializes binary data
parser
def post_init
@tokenizer = Packet::BinParser.new
+ @password = BDRB_CONFIG[:backgroundrb][:password].nil? ? false :
BDRB_CONFIG[:backgroundrb][:password]
end
def connection_completed; end
end
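Review bot: `post_init` re-reads `BDRB_CONFIG` on every new connection with the same `.nil? ? false : ...` expression as bdrb_connection.rb; read the value once at server start, where an absent value can be rejected instead of turning into `false`, and share that helper with the client side. Note that setting `@password` here is the only place it is assigned, which is the reason the `attr_accessor :password` writer in the earlier hunk is unneeded.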
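The following is an added stand-alone model of the server-side check the patch introduces in MasterWorker#receive_data, written with the defensive details a reviewer would ask for (fail closed when no password is configured, constant-time comparison, no request payload in the log). It is not part of the original patch or of backgroundrb; the module name BdrbAuth, its methods, and the sample config and requests are assumptions constructed for this example.

```ruby
# Added example, not backgroundrb code: hardened form of the patch's password check.
module BdrbAuth
  # Constant-time string comparison: examines every byte so timing does not
  # reveal how many leading characters of a guess were correct.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Mirrors the patch's post_init read of BDRB_CONFIG[:backgroundrb][:password],
  # but an absent or empty password is a misconfiguration, not "no auth".
  def self.load_password(config)
    pw = config.fetch(:backgroundrb, {})[:password]
    raise ArgumentError, "no :password configured under :backgroundrb" if pw.nil? || pw.to_s.empty?
    pw.to_s
  end

  # Returns [:ok, nil] or [:error, response]. The log entry names the worker
  # only; it never records the submitted password or the whole request, and the
  # error response carries no worker status (unlike the patch's error_password).
  def self.check_request(t_data, password, log)
    unless secure_equal?(t_data[:password].to_s, password)
      log << "rejected request for worker #{t_data[:worker].inspect}"
      return [:error, { :error => "Password required / Wrong password" }]
    end
    [:ok, nil]
  end
end

# Constructed sample config (hypothetical values) and requests as a Rails
# client would marshal them after the patch's dump_object adds :password.
SAMPLE_CONFIG = { :backgroundrb => { :ip => "127.0.0.1", :port => 11006,
                                     :password => "Your_Password" } }

if __FILE__ == $0
  pw  = BdrbAuth.load_password(SAMPLE_CONFIG)
  log = []
  good = { :type => :async_invoke, :worker => :foo_worker, :password => "Your_Password" }
  bad  = { :type => :async_invoke, :worker => :foo_worker, :password => "guess" }
  p BdrbAuth.check_request(good, pw, log)  # [:ok, nil]
  p BdrbAuth.check_request(bad, pw, log)   # [:error, {:error=>"Password required / Wrong password"}]
  puts log                                  # one line naming :foo_worker, no password
end
```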