Wondering how the practice of running code under the philosophy of least privilege works inside Rails -- or perhaps it's a Ruby question. (New to both.)
I'm used to a language called Lasso which has a security layer between the source code and the interpreter (or between the interpreter and the runtime engine or wherever). This layer allows me to create containers in which code executes with very specific access rights to resources like files, and databases (including filtering access to tables and specific fields), and even controls access to features of the language itself which allows me to deny access to network classes, or reflection commands, etc on a per-container basis.
While this can be used to jail individual code contributors to specific capabilities and assets, I also find it useful for implementing Least Privilege.
If I have a routine that needs to read config files, I can create a "user" named configLoader which allows access to a specific path, and has read-only permissions for that path. I then wrap the code in a container identified as that user. Now, if that code were ever hijacked in some never-before-known attack vector, it is useless with respect to file system access except for reading that path.
For databases, I can move what I would define in Lasso Admin to the database's own access management system by defining multiple users into those allowed to read only, access only specific tables, etc.
However, for file access, and even certain language feature restrictions, I don't see how that can be done in Ruby or in Rails.
Let's stick with files. How in Rails would I create a piece of file-reading code in a method with explicit restrictions to have access to path X only and only for reading purposes. IOW, even if I wrote file reading commands within the boundaries of this code to get another path or to write to a file, it would fail to work.
Does the explanation make sense?
-- gw
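An added example (not part of the post above, and not a feature of Ruby or Rails themselves) showing the closest application-level equivalent of the "configLoader" container described above: a hypothetical `RestrictedReader` object that can only open files for reading beneath one directory. Ruby has no language-level security layer like Lasso's, so this is not a sandbox; code that holds a raw `File` reference is unconstrained. What the object does guarantee is that any code which only receives this reader cannot write, cannot escape the directory via `..`, and cannot follow a symlink out of it, because every path is canonicalised with `File.realpath` before it is compared against the allowed root. The directory layout in the demo is constructed in a temp dir so the block runs stand-alone.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical application-level stand-in for a read-only, single-path
# "container". It restricts only code that goes through this object.
class RestrictedReader
  class AccessDenied < StandardError; end

  def initialize(allowed_dir)
    # realpath resolves symlinks and ".." so later comparisons are canonical
    @root = Pathname.new(File.realpath(allowed_dir))
  end

  # Return the canonical path of +relative+ if it lies under @root, else raise.
  def resolve(relative)
    candidate = @root.join(relative).to_s
    # realpath raises Errno::ENOENT for missing files; a symlink pointing
    # outside the allowed directory is resolved here and then rejected below.
    real = File.realpath(candidate)
    inside = real == @root.to_s || real.start_with?(@root.to_s + File::SEPARATOR)
    raise AccessDenied, "#{relative} resolves outside #{@root}" unless inside
    real
  end

  # Open read-only; there is deliberately no write method on this class.
  def read(relative)
    File.open(resolve(relative), File::RDONLY) { |f| f.read }
  end
end

# Constructed demo: a config dir with one legitimate file, a file outside
# the allowed root, and a symlink inside the root that points at it.
def restricted_reader_demo
  Dir.mktmpdir do |dir|
    config = File.join(dir, "config")
    FileUtils.mkdir_p(config)
    File.write(File.join(config, "app.yml"), "adapter: sqlite3\n")
    File.write(File.join(dir, "secret.txt"), "outside the allowed path\n")
    File.symlink(File.join(dir, "secret.txt"), File.join(config, "link.yml"))

    reader = RestrictedReader.new(config)
    results = {}
    results[:allowed] = reader.read("app.yml")
    results[:traversal] = begin
      reader.read("../secret.txt")
    rescue RestrictedReader::AccessDenied
      :denied
    end
    results[:symlink] = begin
      reader.read("link.yml")
    rescue RestrictedReader::AccessDenied
      :denied
    end
    # The capability is read-only by construction: no write method exists.
    results[:write_available] = reader.respond_to?(:write)
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  restricted_reader_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The design choice is a capability-style one: instead of asking the runtime to deny `File.write` to a region of code, you hand that code an object whose only method is a guarded read, and keep the unrestricted `File` API out of its reach by convention. That is weaker than Lasso's per-container enforcement, which is why the OS-level controls the post hints at for databases (separate accounts with minimal grants) remain the stronger boundary.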