On Sun, Jun 7, 2009 at 10:31 AM, Yoav Aner <y...@gingerlime.com> wrote:
> I'm guessing the answer is no, but are there any high or lower level
> diagrams to help understand the architecture (e.g. server pool
> processes, OS processes, web front-end and their interfaces etc, how
> it all sits together)?

No.

> I mean other than going through the code?

There is no real documentation beyond just going through the code. Almost all relevant code is in devel/sage/sage/server/notebook.

> I'll
> start looking at the code Martin and Robert mentioned though. That's
> already of great help!
>
> Regarding working out the security threats / vulnerabilities /
> scenarios - I think it's important to try to separate common
> vulnerabilities from sage/notebook specific ones. Booting from a CD
> and gaining direct access to the filesystem which Dave mentioned, or
> accessing localhost sockets which Robert referred to are not less
> important, but generic concerns tend to have generic solutions or
> approaches. However, Sage/Notebook specific vulnerabilities, which are
> inherent to the way Sage was designed and built and from the
> functionality it provides, would perhaps be of more interest /
> challenge to solve. I hope that this project can bring more 'value' by
> trying to address those. Having said that, sometimes the biggest
> 'value for money' can be gained by something as simple as changing a
> default parameter, even if it's something trivial like setting a
> process to listen on 127.0.0.1:80 instead of 0.0.0.0:80. I would
> certainly want to consider all threats, generic or otherwise.
>
> Thanks again for your replies. I'll try to figure out more on my own
> now, and come back with more specific questions.
>
> Yoav
> p.s. hopefully more people would share their thoughts so this thread
> isn't dead yet...

--
William Stein
Associate Professor of Mathematics
University of Washington
http://wstein.org