#12902: Security in Notebook
----------------------------+-----------------------------------------------
Reporter: jcatumba | Owner: jason, mpatel, was
Type: defect | Status: new
Priority: trivial | Milestone: sage-duplicate/invalid/wontfix
Component: notebook | Resolution:
Keywords: security | Work issues:
Report Upstream: N/A | Reviewers:
Authors: | Merged in:
Dependencies: | Stopgaps:
----------------------------+-----------------------------------------------
Changes (by nbruin):
* priority: critical => trivial
* milestone: sage-5.1 => sage-duplicate/invalid/wontfix
Comment:
It's a feature (on sagenb.org):
{{{
%sh
whoami
pwd
echo $HOME
}}}
{{{
/tmp/tmpaHCfFv
sagenbws
/tmp/tmpaHCfFv
/sagenb/sagenbws
}}}
It is important to realize that once someone logs in to a sage notebook
server, the person essentially has shell access to the machine, with the
permissions associated with the UID that is configured to run the worker
process for the worksheet. It is up to the notebook administrator to use
the standard unix permission management tools to lock down that UID to a
degree acceptable for the purpose.
It's tricky to do this correctly, because exposing shell access to a
machine provides such a large attack surface that it is difficult to
protect it appropriately. One way to mitigate the problem is by running
the worker processes in a dedicated virtual machine. That contains the
consequences a bit:
http://wiki.sagemath.org/SageAppliance
Setting up servers:
http://wiki.sagemath.org/DanDrake/JustEnoughSageServer
http://wiki.sagemath.org/SageServer
If you don't trust people accessing your machine, don't run a notebook
server on it that gives them access.
If your web interface is going to be globally accessible, I suspect that
running it will not be in accordance with your Matlab license, by the way.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/12902#comment:1>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
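An added example, not from the ticket or from the sagenb project: a small audit of the Unix account that runs the worksheet worker, along the lines of the "lock down that UID" advice in the comment above. It parses passwd(5)/group(5) style records and reports settings that would widen what a notebook user can do once a worksheet hands them a shell as that account. The account name `sagenbws` is the one shown by `whoami` in the ticket; the passwd and group records, the list of groups treated as privileged, and the directory mode values are constructed for this example.

```python
"""Audit the Unix account used for Sage notebook worker processes.

Added example (not part of the ticket or sagenb). Checks a worker account
for a few common ways it ends up with more reach than a worksheet needs:
uid 0, membership in administrative groups, an interactive login shell,
and a home directory writable by other users.
"""
import os
import stat

# Groups that grant more than a worksheet should have (constructed list;
# adjust to the distribution in use).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm", "docker", "disk", "shadow"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample records; real checks would read /etc/passwd and /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sagenbws:x:1001:1001:Sage notebook worker:/sagenb/sagenbws:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:admin
docker:x:999:sagenbws
sagenbws:x:1001:
nogroup:x:65534:
"""


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Parse group(5) lines into {gid: (groupname, set_of_member_names)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def audit_worker_account(name, users, groups):
    """Return a list of findings (strings) for the worker account `name`."""
    user = users.get(name)
    if user is None:
        return [f"{name}: account does not exist"]
    findings = []
    if user["uid"] == 0:
        findings.append(f"{name}: runs as uid 0 (root); use a dedicated unprivileged uid")
    # Effective groups: the primary gid plus every group listing the user as a member.
    member_of = set()
    for gid, (gname, members) in groups.items():
        if gid == user["gid"] or name in members:
            member_of.add(gname)
    for g in sorted(member_of & PRIVILEGED_GROUPS):
        findings.append(f"{name}: member of privileged group '{g}'")
    # A nologin shell only blocks direct logins; %sh cells in a worksheet still
    # execute as this account, so this is hygiene rather than containment.
    if user["shell"] not in NOLOGIN_SHELLS:
        findings.append(f"{name}: login shell is {user['shell']}; consider a nologin shell")
    return findings


def home_permission_findings(name, mode):
    """Findings for a home directory with permission bits `mode` (e.g. 0o775)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{name}: home directory is world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"{name}: home directory is group-writable")
    return findings


def audit_home_dir(name, path):
    """Stat `path` on the local filesystem and apply home_permission_findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return home_permission_findings(name, mode)


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for finding in audit_worker_account("sagenbws", users, groups):
        print(finding)
    # Constructed mode for the sample home directory: 0o775 (group-writable).
    for finding in home_permission_findings("sagenbws", 0o775):
        print(finding)
```

Run against the constructed records, the worker account is flagged for its `docker` membership, its interactive shell and a group-writable home; `nobody` produces no findings. On a real server you would feed `audit_worker_account` the contents of `/etc/passwd` and `/etc/group` and call `audit_home_dir` on the worker's home path, and treat the result as one input alongside the VM-based isolation the comment recommends, not as a substitute for it.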