Ruby on Rails and SafeLevel

This is another boring tech entry. My loving family (Ashley and Abbey in particular, are you reading?) can safely pass this one over.

I’ve set up Ruby on Rails several times now. Running the Webrick server that comes with it is nice for quick app development, but it’s not exactly a production Web server. So you obviously want to get it running with apache and mod_ruby. On one server recently, I got this to work without issue. Tonight, I’ve blown nearly three hours on it on another server.

The problem was that I kept getting security error messages like the following:

/usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:99:in `[]’: Insecure operation – [] (SecurityError)

And there’s precious little in Google that tells you precisely what this means, at least not until you use just the right search terms. It turns out that ruby tries to protect your system, and as part of that effort, it runs in a sort of safe mode that restricts some things your server can do. Which means that you get pretty much inexplicable error messages in your apache log. In my Googling, I read several things about setting $SAFE = 0 or passing the -T option to /usr/local/bin/ruby in the first line of your file to change the safety level, but it turns out that you can’t decrease the safety level using the $SAFE=0 method, and the default level for mod_ruby is 1.

So I Googled around some more and found the apache directive RubySafeLevel, but that too gives you an error (nonfatal) when you try to start apache and doesn’t in fact let you change the safety level.

Finally, it occurred to me to poke around in the source for mod_ruby, and it turns out that in mod_ruby.h, there’s a line reading “#define MR_DEFAULT_SAFE_LEVEL 1.” If you change that level to 0 and recompile (and maybe restart apache), the nasty safety error messages go away and Ruby on Rails will run. There are probably better, less security-worrisome ways of managing this, but I’m on a deadline, and this’ll have to do for now.

One thought on “Ruby on Rails and SafeLevel

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s