How do you set up a virtual environment or sandbox for ruby without removing access to external APIs?


I am running a bit of code that looks like this:

result = system("ruby " + filename_random_ruby_script)
if result
  save_to_disk(random_ruby_script)
else
  # Do Nothing
end

The variable "random_ruby_script" represents any .rb file.

This code is the first of many calls to system() and runs a ruby file that may also contain calls to system(), disk reads/writes, HTTP requests, and so on.

The ruby file must be run to find out what it does, but it might try to read/write/execute something other than itself and I don't want it deleting my HDD or posting lewd tweets.

I want to make a space where this program can run with no permission to write/execute anything in its parent directories, but access to read anything locally and via any network protocol.

I also want to know if it tries to write/execute anything locally or on the net.

There is probably a gem or software that does something similar, but I am very green to sandboxing my code, so pretty much any suggestion will be helpful.


Solution

  • Use safe level and don't run the script with system

    http://ruby-doc.org/docs/ProgrammingRuby/html/taint.html

    This was used, for instance, in the old GitHub gem builder (gemspecs being normal executable Ruby code).
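
For the case where the script is still launched as a separate process, as in the question's snippet, the following added example (not code from the question, the answer, or any project named on the page) shows a tighter launch: argv-form spawn so the filename never reaches a shell, an allowlisted environment, a throwaway HOME and working directory, CPU and file-size limits, and a wall-clock timeout. The helper name `run_untrusted` and its `timeout_s` parameter are assumptions; the limits reduce what the child inherits and can write, but full write prevention still needs OS-level isolation such as a separate unprivileged user or a container.

```ruby
require "rbconfig"
require "tmpdir"
require "timeout"

# Hypothetical helper (not from the page): run one untrusted .rb file in a
# constrained child process and report what happened.
def run_untrusted(script_path, timeout_s: 5)
  script = File.realpath(script_path)
  Dir.mktmpdir("untrusted-") do |scratch|
    rd, wr = IO.pipe
    # Allowlisted environment: tokens and credentials in ENV are not inherited,
    # and HOME points at the throwaway directory instead of the real dotfiles.
    child_env = { "PATH" => ENV["PATH"], "HOME" => scratch }
    pid = Process.spawn(
      child_env, RbConfig.ruby, script, # argv form: the path never reaches a shell
      unsetenv_others: true,
      chdir: scratch,                   # relative paths land in the scratch directory
      in: File::NULL, out: wr, err: wr,
      rlimit_cpu: timeout_s,            # cap on CPU seconds
      rlimit_fsize: 0,                  # regular files cannot grow; deletes and renames are NOT blocked
      pgroup: true                      # own process group, so anything it starts can be killed with it
    )
    wr.close
    reader = Thread.new { rd.read }
    status = begin
      Timeout.timeout(timeout_s) { Process.wait2(pid).last }
    rescue Timeout::Error
      nil                               # still running after the wall-clock limit
    end
    begin
      Process.kill("-KILL", pid)        # negative signal: kill the whole process group
    rescue Errno::ESRCH, Errno::EPERM
      # group already gone
    end
    Process.wait(pid) if status.nil?
    output = reader.value
    rd.close
    { ok: !status.nil? && status.success? == true, timed_out: status.nil?, output: output }
  end
end
```

The returned `:output` holds the child's combined stdout and stderr, which gives a first record of what the script attempted; `:ok` is true only for a clean zero exit.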