On 10/16/07, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
> > The public notebook servers on sage.math.washington.edu are jailed
> > (http://sagemath.org/doc/html/inst/node10.html). Also there is a pool
> > of 30 unix users that are used to evaluate worksheet code. That
> > protects the main notebook system from a random user. Ulimit is also
> > used.
> >
> > If I remember right William welcomes people to try to vandalize the
> > notebook server at https://sage.math.washington.edu:8102

No I don't! Basically, the situation with the public notebooks is that
they will remain up as a sort of "public service" until somebody actually
visibly vandalizes them, or uses them for nefarious purposes that are
noticed and reported to me, at which time they will be taken down
indefinitely. At that point I'll replace them by a closed notebook that
only people I explicitly give accounts to will have access to. They have
been "open" now for about 18 months -- it surprises me that I haven't had
to switch to a closed system yet.

> I don't think vandalization is explicitly encouraged, however we
> would love to have feedback on how to make the current setup more
> secure. Making the python interpreter environment secure (e.g.
> disabling/remapping os.system) without crippling SAGE is probably an
> intractable problem, but running SAGE sessions with limited users
> with limited ulimit and permissions, and running the entire process
> in a jail, can serve to mitigate the problem.

Which is exactly what we do.

> You are right in pointing out that the SAGE server is not completely
> secure, and it would be great if you could help us secure it further.

Yes, I agree. I also agree that making the SAGE notebook server "100%
secure" while allowing arbitrary people to sign up for accounts with no
accountability is a completely unsolvable problem. That said, ideas for
making it "more secure" without making it impossibly hard to use, are
always appreciated.

William
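
Added example, not part of the original thread and not code from the SAGE notebook: one way to apply the per-process limits discussed above ("limited ulimit", unprivileged users) to a single worksheet cell, using Python's resource module on a Unix host. The limit values and the names run_cell, _cap and _apply_limits are assumptions made for illustration.

```python
import resource
import subprocess
import sys

# Constructed limits for illustration; not the values used on sage.math.
CPU_SECONDS = 1              # CPU time before the kernel signals the cell
ADDRESS_SPACE = 1 << 30      # 1 GiB of virtual memory
MAX_FILE_SIZE = 1 << 20      # 1 MiB per file written


def _cap(res, value):
    """Set soft and hard limit to value, never above the inherited hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _apply_limits():
    # Runs in the child between fork() and exec(), so only the cell is limited.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_SIZE)
    _cap(resource.RLIMIT_CORE, 0)


def run_cell(code, wall_seconds=10, user=None):
    """Evaluate one cell in a separate, resource-limited interpreter.

    Returns (returncode, stdout). A negative returncode is the signal that
    killed the child; None means the wall-clock timeout fired. `user` (needs
    root, Python 3.9+) switches to an unprivileged account from a worker pool.
    """
    extra = {"user": user} if user is not None else {}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],
            preexec_fn=_apply_limits, capture_output=True, text=True,
            timeout=wall_seconds, stdin=subprocess.DEVNULL, **extra)
    except subprocess.TimeoutExpired:
        return None, ""      # e.g. a cell that sleeps instead of burning CPU
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(run_cell("print(2 + 2)"))
    print(run_cell("while True: pass"))
```

These limits only bound how much CPU, memory and disk one process can consume; what the cell can read, write or connect to is governed by the separate Unix users and the jail mentioned in the thread.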