So far everything looks good. For serious testing one would need the
source
of the notebook.
Here are some points.
(1) Practically the whole (chroot)filesystem seems to be readable for
the notebook users.
(a) I could even read a backup file of /etc/shadow (/etc/shadow-).
(b) I could look at other people's worksheets.
The default file creation permissions should be changed I think.
(2) It seems the notebook users cannot naively write to the file
system.
But they can write to /tmp. What policy do you want to implement here?
(3) The notebook users seem to have internet access so they could
execute
denial of service attacks against other computers. Shouldn't internet
access
for notebook users be turned off by default?
Michel
On Jun 27, 10:25 am, Michel <[EMAIL PROTECTED]> wrote:
> So the notebook processes are executing the actual sage commands?
> What is then the "notebook server"?. Is it just the webserver?
>
> This seems indeed quite secure provided the server never executes code
> somehow
> under control of the user.
>
> Note: I still think notebook processes should be restarted
> automatically (or on demand).
> Having to push "restart" when you log in is confusing.
>
> Michel
>
> On Jun 27, 9:56 am, "William Stein" <[EMAIL PROTECTED]> wrote:
>
> > On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
>
> > > Doing
>
> > > sage: import os
> > > sage: os.system('whoami')
> > > sage10
> > > sage: os.system("kill -9 `ps -u sage10 -o pid=`")
>
> > > still seemed to throw me out.
>
> > > Connection to localhost closed by remote host.
> > > Connection to localhost closed.
>
> > > Is that expected? Logging out and in again did not seem to restore
> > > my connection.
>
> > Hi, the three sage notebooks are still working fine for me.
> > All what you did above does is kill the SAGE worksheet process
> > for your individual worksheet -- I.e., you shot your own user in
> > the foot. It shouldn't (and doesn't) affect the overall
> > SAGE notebook server in any nontrivial way, as far as I can tell.
>
> > William
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---
