On 2 Kwi, 03:23, Robert Bradshaw <rober...@math.washington.edu> wrote: > On Apr 1, 2010, at 6:04 PM, TianWei wrote: > > > The "sh" option in the sage notebook allows anyone to access the > > command-line shell on the sage server. This grants users access to any > > directory on the server, including configuration settings, etc. Even > > on the "Try Sage Online" link on the main page (www.sagenb.org) lets > > users do this. > > > This is a potential security hole for all sage servers. > > > (The "sh" option I'm talking about is in the drop-down menu that > > selects the backend to process user commands, such as sage, maxima, r, > > gap, gp, python, and so on) > > Letting users run arbitrary Python commands (the default) is just as > dangerous, e.g. anything one can do from the shell one can do with > os.system(). This is a well-known potential vulnerability and should > always be mitigated via other means (e.g. only letting trusted users > use the server, granting the worksheet processes limited privileges, > and/or running the whole thing inside a jail/zone/virtual machine). > > - Robert It would be great if it would be possible to run sage in SELinux, with his own domain... Regards Kazek
-- To post to this group, send email to sage-support@googlegroups.com To unsubscribe from this group, send email to sage-support+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/sage-support URL: http://www.sagemath.org To unsubscribe, reply using "remove me" as the subject.
