> Actually, I'd be fine with people having to wait after registering until
> their registration is approved by a person (e.g., me). I mean, giving
> people 100% shell access for free to a powerful computer running
> a lot of software is something worth waiting an hour for. The same
> would likel
On 6/27/07, Nick Alexander <[EMAIL PROTECTED]> wrote:
> >> No, there's an eval. In the context of SAGE, the eval is more useful
> >> than the (defensible, correct) IPython behaviour.
> >
> > FYI, I'm definitely *not* opposed to having an eval like Fernando is.
> > Thanks for your patch!!
>
> Hi W
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually
> creating a UNIX user per notebook user? This way we wouldn't have to fiddle
> with permissions but everything is secured by the trustworthy UNIX user
> model?
+1
On 6/27/07, Nils Bruin <[EMAIL PROTECTED]> wrote:
> > I'm a little worried about creating new accounts for each user, just because
> > that means the Notebook server has to have the ability to create new
> > accounts,
> > which is probably a pretty serious ability to have. But I suppose sudo
>
On Jun 27, 1:57 pm, "William Stein" <[EMAIL PROTECTED]> wrote:
> I'm a little worried about creating new accounts for each user, just because
> that means the Notebook server has to have the ability to create new accounts,
> which is probably a pretty serious ability to have. But I suppose sudo
On 6/27/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually
> creating a UNIX user per notebook user? This way we wouldn't have to fiddle
> with permissions but everything is secured by the trustworthy UNIX user
> model?
>
> No, you're right, sort of. You haven't vandalized it, you've denial of
> serviced it temporarily, in that everybody else's sessions will be
> automatically restarted. I should probably map each user to
> a single one of those 30 login names, so they can at most ever
> vandalize 1/30 of the o
On Jun 27, 2007, at 12:05 PM, didier deshommes wrote:
> On 6/22/07, William Stein <[EMAIL PROTECTED]> wrote:
>> Could you say something about the fact that currently there is no way
>> to uninstall a SAGE package, since we don't track what files are actually
>> installed. That said, we de
On 6/27/07, didier deshommes <[EMAIL PROTECTED]> wrote:
> It's mostly painless to remove a package if:
> -- you know where all its files are. Most of them are in
> SAGE_ROOT/local/include/ and SAGE_ROOT/local/lib/ . It's pretty to
> figure out what goes where from the spkg-install script.
> -- you
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
> wrote:
> > Turning off net access altogether for notebook users is not a
> > good idea, because there is database stuff in SAGE that uses web sites
> > such as Sloane's database.
>
On 6/22/07, William Stein <[EMAIL PROTECTED]> wrote:
> Could you say something about the fact that currently there is no way
> to uninstall a SAGE package, since we don't track what files are actually
> installed. That said, we definitely *could* implement something simple that stores a list o
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
>
> After some deliberation I think that the issues I pointed out
> in my last mail have not much to do with the notebook but rather with
> the implementation of the chroot jail. The only genuine issue is that
> the notebook server should not create
On 6/27/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> We cannot rely on DoS prevention systems elsewhere if the notebook is used for
> a denial of service attack it is William's responsibility.
>
> Thus, I vote for a heavily firewalled chroot:
> * do all the anti-spoof, packet scrubbing stuff
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
> wrote:
> > Turning off net access altogether for notebook users is not a
> > good idea, because there is database stuff in SAGE that uses web sites
> > such as Sloane's database.
>
> I'm going to guess you have an eval() somewhere in there for this to
> work. If not, just ignore the rest of this message and send me the
> patch for ipython itself :)
No, there's an eval. In the context of SAGE, the eval is more useful
than the (defensible, correct) IPython behaviour.
> It'
On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
wrote:
> Turning off net access altogether for notebook users is not a
> good idea, because there is database stuff in SAGE that uses web sites
> such as Sloane's database.
Good point! But the firewall could be configured to al
On 6/17/07, Michel <[EMAIL PROTECTED]> wrote:
>
>
> Everything working here! I look forward to the new security measures
> to do some real testing:-)
>
> Regards,
> Michel
>
> On Jun 16, 10:40 pm, "William Stein" <[EMAIL PROTECTED]> wrote:
> > On 6/16/07, Timothy Cleman
On Wednesday 27 June 2007 11:24, Timothy Clemans wrote:
> Turning off net access altogether for notebook users is not a
> good idea, because there is database stuff in SAGE that uses web sites
> such as Sloane's database. There is a lot of detection software out
> there, so I don't think
After some deliberation I think that the issues I pointed out
in my last mail have not much to do with the notebook but rather with
the implementation of the chroot jail. The only genuine issue is that
the notebook server should not create world readable files.
And if I read Timothy's code correc
Someone or something just broke SAGE Notebook 8102. I'm getting
"Internal Server Error" on all worksheets in multiple accounts except
for the public ones. I've been up all trying to end the game for all
the other sage unix users.
On 6/27/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
> The turnin
Turning off net access altogether for notebook users is not a
good idea, because there is database stuff in SAGE that uses web sites
such as Sloane's database. There is a lot of detection software out
there, so I don't think net access needs to be stopped altogether.
On 6/27/07, Michel <
So far everything looks good. For serious testing one would need the
source of the notebook.
Here are some points.
(1) Practically the whole (chroot)filesystem seems to be readable for
the notebook users.
(a) I could even read a backup file of /etc/shadow (/etc/shadow-).
(b) I could look at oth
I changed my code to the following and got no errors just 0 on one
line then 5 then 0 then 5:
import re
import pexpect
import os
for h in range(1,31):
    pipe = os.popen('{ ' + 'whoami' + '; } 2>&1', 'r')
    m = pipe.read()
    sts = pipe.close()
    if str(h) != m:
        child = pexpect.spawn('su
I tried killing all the other SAGE processes.
import re
import pexpect
import os
for h in range(1,31):
    if h != 19:
        child = pexpect.spawn('su sage%d' % h)
        child.expect('Password:')
        child.sendline('sage')
        pipe = os.popen('{ ' + 'ps' + '; } 2>&1', 'r')
        g =
So the notebook processes are executing the actual sage commands?
What is then the "notebook server"? Is it just the webserver?
This seems indeed quite secure provided the server never executes code
somehow under control of the user.
Note: I still think notebook processes should be restarted
au
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> Doing
>
> sage: import os
> sage: os.system('whoami')
> sage10
> sage: os.system("kill -9 `ps -u sage10 -o pid=`")
>
> still seemed to throw me out.
>
> Connection to localhost closed by remote host.
> Connection to localhost closed.
>
> Is that expe
Doing
sage: import os
sage: os.system('whoami')
sage10
sage: os.system("kill -9 `ps -u sage10 -o pid=`")
still seemed to throw me out.
Connection to localhost closed by remote host.
Connection to localhost closed.
Is that expected? Logging out and in again did not seem to restore
my connection
Hi,
SUMMARY: I've made the public SAGE notebook servers
nontrivial to seriously vandalize or kill... I hope. Try to
crack them (especially https://sage.math.washington.edu:8102).
DETAILS:
For the first time in history I've finally setup a first
not totally-insanely-trivial-to-vandalize server
That is not an example of XSS in the notebook. That's an example of you
passing garbage into the notebook, and getting garbage back. XSS is where
Martin puts malicious javascript into a published worksheet, and steals all
your cookies. This is a known vulnerability. Keep looking... and mayb
29 matches