diff options
Diffstat (limited to 'doc/security.rdoc')
-rw-r--r-- | doc/security.rdoc | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/doc/security.rdoc b/doc/security.rdoc index 2cf6531785..d552f9876c 100644 --- a/doc/security.rdoc +++ b/doc/security.rdoc @@ -21,12 +21,7 @@ Ruby provides a mechanism to restrict what operations can be performed by Ruby code in the form of the <code>$SAFE</code> variable. However, <code>$SAFE</code> does not provide a secure environment for executing -untrusted code even at its maximum level of +4+. <code>$SAFE</code> is -inherently flawed as a security mechanism, as it relies on every unsafe -operation performed by any C method to be guarded by a <code>$SAFE</code> -check. If this check is ever missed, the entire security of the system is -compromised. <code>$SAFE</code> also does not offer any protection against -denial of service attacks. +untrusted code. If you need to execute untrusted code, you should use an operating system level sandboxing mechanism. On Linux, ptrace or LXC can be used to sandbox |