On Apr 1, 2010, at 6:04 PM, TianWei wrote:
The "sh" option in the sage notebook allows anyone to access the
command-line shell on the sage server. This grants users access to any
directory on the server, including configuration settings, etc. Even
on the "Try Sage Online" link on the main page (www.sagenb.org) lets
users do this.
This is a potential security hole for all sage servers.
(The "sh" option I'm talking about is in the drop-down menu that
selects the backend to process user commands, such as sage, maxima, r,
gap, gp, python, and so on)
Letting users run arbitrary Python commands (the default) is just as
dangerous, e.g. anything one can do from the shell one can do with
os.system(). This is a well-known potential vulnerability and should
always be mitigated via other means (e.g. only letting trusted users
use the server, granting the worksheet processes limited privileges,
and/or running the whole thing inside a jail/zone/virtual machine).
- Robert
--
To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to
sage-support+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/sage-support
URL: http://www.sagemath.org
To unsubscribe, reply using "remove me" as the subject.
