OSC / nginx_stage

[MOVED] Stages & controls the per-user NGINX environment
https://github.com/OSC/ondemand/tree/master/nginx_stage
MIT License

What happens if signals aren't expressed as Ruby symbols? #7

Closed basilgohar closed 8 years ago

basilgohar commented 8 years ago
```yaml
# White-list of signals that can be sent to the NGINX process, must be
# expressed as Ruby symbols
#
#nginx_signals:
#  - :stop
#  - :quit
#  - :reopen
#  - :reload
```

I realize this is in a configuration file, but what can happen if they express these differently? What if they put arbitrary "code" in here – will it get executed, or is there some form of checking when these are passed in?

nickjer commented 8 years ago

Ran a quick experiment and it seems they can get away with just regular strings, so I can probably remove the part about "Ruby symbols" in the comments.

As for the arbitrary code, I believe when Ruby loads a YAML file it can run some arbitrary code used for creating objects. But as root owns both the config and the actual code, if root was malicious it would be easier to alter the actual code instead. This is the same as running arbitrary Lua code in the Apache config.
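The two questions in this thread (do the entries have to be Ruby symbols, and can the YAML file execute code when it is loaded) can both be answered with a small loader. The following is an added example, not code from nginx_stage: it normalizes string or symbol entries to symbols, checks them against the whitelist, and parses the file with `YAML.safe_load`, which refuses the `!ruby/object` tags that the unrestricted loader (`YAML.load` before Psych 4, `Psych.unsafe_load` today) would turn into arbitrary objects. The sample configs are constructed for the example, and the `nginx_signal_argv` helper (building the argument vector for `nginx -s <signal>`) is a hypothetical stand-in for however the project actually delivers the signal.

```ruby
require 'yaml'

# Added example, not nginx_stage's own code. Default whitelist mirroring the
# commented-out values in the config snippet from the issue.
DEFAULT_SIGNALS = %i[stop quit reopen reload].freeze

# Parse YAML without honouring arbitrary class tags. Symbol is permitted so the
# documented ":stop" spelling still works; everything else is limited to the
# core scalar and collection types. Aliases are off to avoid alias-expansion
# tricks (e.g. "billion laughs") in a file nobody expects to be hostile.
def load_config(yaml_text)
  config = YAML.safe_load(yaml_text, permitted_classes: [Symbol], aliases: false) || {}
  raise ArgumentError, 'config must be a YAML mapping' unless config.is_a?(Hash)
  config
end

# Normalize the configured signal list to symbols and verify each one against
# the whitelist. Any entry that is not a String/Symbol naming a known signal
# is rejected, so a string and a symbol spelling are treated the same way.
def load_signals(yaml_text, allowed: DEFAULT_SIGNALS)
  raw = load_config(yaml_text).fetch('nginx_signals', allowed)
  raise ArgumentError, 'nginx_signals must be a list' unless raw.is_a?(Array)

  raw.map do |entry|
    sig = case entry
          when Symbol then entry
          when String then entry.to_sym
          else raise ArgumentError, "unsupported signal entry #{entry.inspect}"
          end
    raise ArgumentError, "signal #{sig.inspect} not in whitelist" unless allowed.include?(sig)
    sig
  end
end

# Hypothetical helper (assumption, not the project's code): build the argv for
# "nginx -s <signal>", nginx's own stop/quit/reopen/reload control interface.
# Re-checking the whitelist here and returning an argv array rather than a
# shell string means a config value can never be interpreted as a command.
def nginx_signal_argv(sig, allowed: DEFAULT_SIGNALS)
  raise ArgumentError, "refusing to send #{sig.inspect}" unless allowed.include?(sig)
  ['nginx', '-s', sig.to_s]
end

# Constructed sample configs standing in for nginx_stage.yml.
CONFIG_WITH_STRINGS = <<~YAML
  nginx_signals:
    - stop
    - quit
    - reload
YAML

CONFIG_WITH_SYMBOLS = <<~YAML
  nginx_signals:
    - :stop
    - :reopen
YAML

CONFIG_WITH_UNKNOWN = <<~YAML
  nginx_signals:
    - stop
    - kill
YAML

# A document that asks the loader to build an arbitrary Ruby object from a tag.
# The unrestricted loader would instantiate it; safe_load raises
# Psych::DisallowedClass before any object is created.
CONFIG_WITH_OBJECT_TAG = <<~YAML
  nginx_signals: !ruby/object:Object {}
YAML

if $PROGRAM_NAME == __FILE__
  p load_signals(CONFIG_WITH_STRINGS)   # strings are accepted: [:stop, :quit, :reload]
  p load_signals(CONFIG_WITH_SYMBOLS)   # symbols too: [:stop, :reopen]
  p nginx_signal_argv(:reload)          # ["nginx", "-s", "reload"]
  [CONFIG_WITH_UNKNOWN, CONFIG_WITH_OBJECT_TAG].each do |doc|
    begin
      load_signals(doc)
    rescue ArgumentError, Psych::DisallowedClass => e
      puts "rejected: #{e.class}: #{e.message}"
    end
  end
end
```

Run it directly with `ruby` to see the two good configs accepted and the unknown-signal and object-tag configs rejected. Note that the object-tag rejection comes from `safe_load` itself, so it protects every key in the file, not just `nginx_signals`.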