On Oct 5, 9:45 pm, Robert Bradshaw <[EMAIL PROTECTED]>
wrote:
> I'm not an expert on this, but there are other "jails" than chroot
> that are actually meant for security that one might want to look
> into. BSD has some jail stuff if I recall correctly.
>
> I don't think PyPy would work, given the ability to use compiled code
> from SAGE. (SAGE might not even run under PyPy due to all the Cython
> code).
>
> It should be noted that one requires a local privilege escalation to
> break out of chroot (though those are certainly not unheard of).

The problem is that admins don't take local privilege escalation
seriously, but just look at lkml or some security-related list and check
out the uptime on your box. Chances are that you are in trouble. On
top of that, Sage offers the capability to compile code from the
notebook, and that is just like painting a big red bull's-eye on your
back. As stated above, chroot is not a security tool, and once you are
root, even in chroot, things are basically over. I have conjectured that
access to a shell account + time results in root as long as you pay
attention. Having a kernel patched against all known local privilege
escalation has saved me on more than one occasion when servers I
administered got hit by some 0-day exploit via php/Apache/you
name it.

And since XEN and all other virtualisation solutions have bugs, too, it
is very hard to keep a box with shell access secure. For a really
amusing bug about XEN and privilege escalation see

http://secwatch.org/advisories/1019097/

Cheers,

Michael

>
> - Robert
>
> On Oct 5, 2007, at 12:14 PM, Juan M. Bello Rivas wrote:
>
> > Hi,
>
> > On Fri, Oct 05, 2007 at 11:45:46AM -0700, [EMAIL PROTECTED]
> > wrote:
> >> So:  what can we use instead?  VMWare?  UML?  SELinux in VMWare
> >> running under UML?  Or, will we have to stop executing arbitrary
> >> code by unknown public entities again? (I really hate the last
> >> option)
>
> > Using Pypy's sandboxing capabilities might be an option (I haven't
> > tried this myself):
>
> > http://codespeak.net/pypy
> > http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
>
> > --
> > Juan M. Bello Rivas

