mabshoff wrote:
> On Sep 24, 12:22 am, Maike <[EMAIL PROTECTED]> wrote:
>
> Hi Maike,
>
>> We'd like to set up a sage server allowing different users to see,
>> copy and edit our published worksheets. However, this allows users to
>> execute arbitrary system calls, e.g.> os.popen("ps auxw").read()
>
> Yes, any account on a Notebook server hands the user a shell, so you
> either trust them or you secure the server itself.
>
>> The formatting of the output is not perfect, but still, this is a
>> problem!
>>
>> I'd be grateful for any suggestions on how to set up a SECURE sage
>> server. If this has been covered elsewhere, just post the link...
>
> There are a couple possibilities:
>
> a) a chroot jail
> b) a VMWare image (or some other kind of virtualization)
> c) SELinux, potentially in combination with (a)
>
> None of the above is simple and securing a server so that it runs with
> SELinux is difficult. There is no documentation on how to do this yet.
> I would favor (b), frequent backups of the Sage notebook data and some
> intrusion detection system in the notebook in addition to keeping
> kernel and all the other components current to avoid break ins. Since
> you are running a VMware image it is easily resettable and the
> likelyhood of breaking out of the VMWare image is relatively small. So
> should you have somebody break into your box it is much easier to
> reset an image than the server. If you come up with something we would
> definitely like to hear about it.
>
In case virtualbox is your preference, I have almost finished a
virtualbox image which tries to mirror the current vmware image too, but
is based on ubuntu jeos and is a little more locked down (e.g., no
default ssh server is running).
Thanks,
Jason
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/sage-support
URLs: http://www.sagemath.org
-~----------~----~----~----~------~----~------~--~---
