by Xylakant
4880 days ago
It's more standard to have Rails apps run under a dedicated and lower privileged user than not. It's also a common option to use vendored dependencies for a variety of reasons: You (a) avoid conflicts with other installed gems on the system and (b) don't need elevated privileges to install the app. But let's not just talk about Rails: There's a ton of tools that use Ruby to manage stuff, some of them running as root by default - both Chef and Puppet are written in Ruby and sometimes distributed as gems. In any case, they use gems. So all it needs is to have one binary exploited to start a shell and then you have an entry point from where you can escalate privileges and obtain root. So if you don't trust RubyGems you can't install anything in Ruby.