One of my Rails applications is going to depend on a secret key in memory, so all of its functions will only be available once an administrator goes to a certain page and uploads the valid key.

The problem is that this key needs to be stored securely, so no other processes on the same machine should be able to access it (so memcached and filesystem are not suitable). One good idea would be just to store it in some configuration variable in the application, but newly spawned instances won't have access to that variable. Any thoughts on how to implement this on RubyEE/Apache/mod_passenger?

A: 

Encrypt it heavily in the filesystem?

A: 

What about treating it like a regular password, and using a salted hash? Once the user authenticates, he has access to the functions of the website.

Todd Gardner
This key should be available during the whole application lifetime, as it will be used to encrypt/decrypt information.
Oleg Shaldybin
+1  A: 

I would use the filesystem, with read access only to the file owner, and ensure the ruby process is the only process owned by this user. (using chmod 400 file)

You can get more complex than that, but it all boils down to using the unix users and permissions.

yhager
+3  A: 

There is really no way to accomplish that goal. (This is the same problem all DRM systems have.)

You can't keep things secret from the operating system. Your application has to have the key somewhere in memory and the operating system kernel can read any memory location it wants to.

You need to be able to trust the operating system, which means that you then can also trust the operating system to properly enforce file access permissions. This in turn means that you can store the key in a file that only the rails-user-process can read.

Think of it this way: even if you had no key at all, what is to stop an attacker on the server from simply changing the application code itself to gain access to the disabled functionality?

levinalex
The fact that the kernel can access the key is fine for me, I just don't want it to be accessible to other users' processes. If there was a shared memory area accessible to all of the Rails instances, I would keep it there. But it seems to me that every instance only accesses its own copy of data.
Oleg Shaldybin
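The owner-only key file suggested in yhager's and levinalex's answers, as an added Ruby example that is not part of the original thread: a loader that each spawned instance could call at boot, refusing the file unless it is a regular file owned by the running user with no group/other permission bits. The names `load_secret_key` and `InsecureKeyFile` are hypothetical, and the key value is constructed.

```ruby
require "tempfile"

# Hypothetical error type for a key file that other accounts could reach.
class InsecureKeyFile < StandardError; end

# Hypothetical helper: return the key only if the file is private to this user.
def load_secret_key(path)
  # NOFOLLOW makes open fail if the final path component is a symlink.
  File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
    # Stat the open handle, so the checks and the read apply to the same inode.
    st = f.stat
    raise InsecureKeyFile, "not a regular file" unless st.file?
    unless st.uid == Process.euid
      raise InsecureKeyFile, "owned by uid #{st.uid}, not by this process"
    end
    if st.mode & 0o077 != 0
      raise InsecureKeyFile,
            format("mode %04o grants group/other access", st.mode & 0o7777)
    end
    f.read.chomp
  end
end

if __FILE__ == $0
  Tempfile.create("secret_key") do |t|
    t.write("constructed-demo-key\n") # constructed sample value
    t.flush
    File.chmod(0o400, t.path)         # same as `chmod 400 file`
    puts "loaded: #{load_secret_key(t.path)}"

    File.chmod(0o440, t.path)         # group-readable: must be rejected
    begin
      load_secret_key(t.path)
    rescue InsecureKeyFile => e
      puts "refused: #{e.message}"
    end
  end
end
```

As levinalex's answer notes, this protects the key only from other unprivileged accounts; root and the kernel can still read both the file and the process memory.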