On Thu, Aug 22, 2013 at 9:16 AM, Jeroen Demeyer <jdeme...@cage.ugent.be> wrote:
> On 2013-08-22 17:57, Jason Grout wrote:
>>
>> That's a good question. There are some serious security issues opened
>> up for a user by running a cell server (because it doesn't have accounts
>> and authentication). What are your thoughts about the wisdom of putting
>> it into Sage by default from a security perspective?
>
> I don't think it should be less secure than the Sage Notebook, right?
Jason, correct me if I'm wrong, but I think the Sage cell server is by design **dramatically** less secure than the Sage Notebook in the context of this discussion (being used by individuals).

Last I checked, the Sage notebook:

(1) on first use, forces the user to select a new password that is required to connect (as admin) from localhost, and uses a random url token when popping up the browser (to avoid needing the password).
(2) by default only opens a server on localhost,
(3) by default disables account creation.
(4) optionally provides ssl support for encrypting the connection, in case you want to serve more generally than localhost.

In contrast, the Sage cell server by design:

(1) has no notion of authentication, accounts, or passwords.
(2) allows arbitrary code execution by anybody who can connect to the network the server runs on.

If a user X has exactly one account on a multi-user Unix machine somewhere, there is *no possible way* they could run the Sage cell server in a way that isn't as insecure as humanly possible. Anybody with access to the network port that the server is opened on (even localhost) could trivially "rm -rf" all files from the account, change arbitrary code in the server and restart it (to harvest passwords), etc.

William