Until there is a solid exploit for the Sage notebook, I don't think this is a big deal. The public notebooks are not run with superuser privileges. If I remember right, one has to use a process with superuser privileges and make it spawn a new jail.
It is already for someone to make any public worksheet undownloadable. I can't find the e-mail where I wrote a basic report about it.

On 10/5/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> This was posted to Slashdot sometime last week:
>
> http://kerneltrap.org/Linux/Abusing_chroot
>
> The gist: root can trivially break out of the chroot "jail" -- and is then
> the superuser on the system. I'm not a security expert, but this sounds like only
> locking the driver's door of a car, and leaving a key on the dash: if a user
> can escalate to root in the jail, they root the box.
>
> Another Slashdot article today made me think about this again:
>
> http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723
>
> Sure, Windows is insecure. But n00bs like me doing security is insecure no
> matter what operating system they use. If the notebook isn't secure, and
> Sage achieves the BDFL's primary goal, then we'll become a major contributor
> to the online efforts of organized crime and spam.
>
> So: what can we use instead? VMWare? UML? SELinux in VMWare running under
> UML? Or, will we have to stop executing arbitrary code by unknown public
> entities again? (I really hate the last option)