On 8/22/13 11:32 AM, William Stein wrote:
> On Thu, Aug 22, 2013 at 9:16 AM, Jeroen Demeyer <jdeme...@cage.ugent.be> wrote:
> > On 2013-08-22 17:57, Jason Grout wrote:
> > > That's a good question. There are some serious security issues opened
> > > up for a user by running a cell server (because it doesn't have accounts
> > > and authentication). What are your thoughts about the wisdom of putting
> > > it into Sage by default from a security perspective?
> > I don't think it should be less secure than the Sage Notebook, right?
> Jason, correct me if I'm wrong, but I think the Sage cell server is by
> design **dramatically** less secure than the Sage Notebook in the
> context of this discussion (being used by individuals). Last I
> checked, the Sage notebook:
> (1) on first use, forces the user to select a new password that is
> required to connect (as admin) from localhost, and uses a random url
> token when popping up the browser (to avoid needing the password).
> (2) by default only opens a server on localhost,
> (3) by default disables account creation.
> (4) optionally provides ssl support for encrypting the connection,
> in case you want to serve more generally than localhost.
> In contrast, the Sage cell server by design:
> (1) has no notion of authentication, accounts, or passwords.
> (2) allows arbitrary code execution by anybody who can connect to
> the network the server runs on.
> If a user X has exactly one account on a multi-user Unix machine
> somewhere, there is *no possible way* they could run the Sage cell
> server in a way that isn't as insecure as humanly possible. Anybody
> with access to the network port that the server is opened on (even
> localhost) could trivially "rm -rf" all files from the account, change
> arbitrary code in the server and restart it (to harvest passwords),
> etc.
William, that's an excellent summary of my reservations. And there's
one more---if it comes with Sage as a standard component, then it
becomes very easy for any user on a system where it is installed
system-wide to open the system up accidentally (because it's not secure
by default). I know I wouldn't want it installed on a system-wide Sage
on a multi-user computer I administer.
I think the best way to distribute a runnable cell server is as a
virtual machine image. At least then it is sandboxed into a virtual
machine where someone has seriously considered the security implications.
Of course, people are still welcome to download it and install it, and
when we transition to git, it should again be as easy as doing "sage -i
sagecell". But distributing it by default with the standard Sage is a
different story. It's like bundling a free AK47 with your next grocery
store purchase. In the right hands, with proper training and
motivation, the AK47 can be great, but there's going to be a *lot* more
people shooting themselves in the foot when they get the idea that it's
as safe as their dinner.
By drastically lowering the barrier for the users (which was the goal),
I think the safety tradeoffs imply that we really should raise the bar
on the administrators. And requiring someone to do "sage -i sagecell"
isn't raising it terribly high, but it is making them at least think
about it a bit.
Thanks,
Jason
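The localhost-plus-random-URL-token defence that William attributes to the Sage notebook, shown as an added example (not code from the thread or from the Sage project). The token gate is the difference between a service only its launching user can drive and one, like the cell server as described above, that any local process on a multi-user machine can use for arbitrary code execution. Module, port and query-parameter names are assumptions.

```python
# Added example, not from the sage-devel thread or the Sage project: a minimal
# localhost-only HTTP service gated by a per-launch random URL token, the
# defence William credits to the Sage notebook. Binding to 127.0.0.1 keeps the
# port off the network; the token keeps other local users out of the session.
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Generated once per server start and printed only to the launching user's
# terminal, so it plays the role of the notebook's random browser URL.
SESSION_TOKEN = secrets.token_urlsafe(32)


def token_is_valid(path: str, expected: str = SESSION_TOKEN) -> bool:
    """Return True only if the request path carries the exact session token.

    compare_digest keeps the comparison constant-time so a caller cannot
    recover the token byte by byte from response timing.
    """
    query = parse_qs(urlsplit(path).query)
    presented = query.get("token", [""])[0]
    return hmac.compare_digest(presented, expected)


class TokenGatedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Reject before doing any work: an unauthenticated request must not
        # reach the code that would execute on the user's behalf.
        if not token_is_valid(self.path):
            self.send_error(403, "missing or invalid session token")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"authenticated\n")


def serve(port: int = 8000) -> None:
    # 127.0.0.1, never 0.0.0.0: the thread's point is that even a localhost
    # listener without a token is open to every account on the machine.
    server = HTTPServer(("127.0.0.1", port), TokenGatedHandler)
    print(f"open http://127.0.0.1:{port}/?token={SESSION_TOKEN}")
    server.serve_forever()


if __name__ == "__main__":
    serve()
```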
--
You received this message because you are subscribed to the Google Groups
"sage-devel" group.
Visit this group at http://groups.google.com/group/sage-devel.