Turning off net access altogether for notebook users is not a
good idea, because there is database stuff in SAGE that uses web sites
such as Sloane's database. There is a lot of detection software out
there, so I don't think net access needs to be stopped altogether.

On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
>
> So far everything looks good. For serious testing one would need the source
> of the notebook.
>
> Here are some points.
>
> (1) Practically the whole (chroot) filesystem seems to be readable for
> the notebook users.
>
> (a) I could even read a backup file of /etc/shadow (/etc/shadow-).
> (b) I could look at other people's worksheets.
>
> The default file creation permissions should be changed I think.
>
> (2) It seems the notebook users cannot naively write to the file system.
> But they can write to /tmp. What policy do you want to implement here?
>
> (3) The notebook users seem to have internet access so they could execute
> denial of service attacks against other computers. Shouldn't internet access
> for notebook users be turned off by default?
>
> Michel
>
>
> On Jun 27, 10:25 am, Michel <[EMAIL PROTECTED]> wrote:
> > So the notebook processes are executing the actual sage commands?
> > What is then the "notebook server"? Is it just the webserver?
> >
> > This seems indeed quite secure provided the server never executes code
> > somehow under control of the user.
> >
> > Note: I still think notebook processes should be restarted
> > automatically (or on demand).
> > Having to push "restart" when you log in is confusing.
> >
> > Michel
> >
> > On Jun 27, 9:56 am, "William Stein" <[EMAIL PROTECTED]> wrote:
> >
> > > On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> >
> > > > Doing
> >
> > > > sage: import os
> > > > sage: os.system('whoami')
> > > > sage10
> > > > sage: os.system("kill -9 `ps -u sage10 -o pid=`")
> >
> > > > still seemed to throw me out.
> >
> > > > Connection to localhost closed by remote host.
> > > > Connection to localhost closed.
> >
> > > > Is that expected? Logging out and in again did not seem to restore
> > > > my connection.
> >
> > > Hi, the three sage notebooks are still working fine for me.
> > > All that what you did above does is kill the SAGE worksheet process
> > > for your individual worksheet -- i.e., you shot your own user in
> > > the foot. It shouldn't (and doesn't) affect the overall
> > > SAGE notebook server in any nontrivial way, as far as I can tell.
> >
> > > William
>
>
> >
>
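
The world-readable files reported in point (1) of the quoted message can be found with a small audit, and the effect of a stricter default creation mask checked the same way. This is an added example, not code from SAGE or from anyone in the thread; the tree layout (`etc/shadow-`, `worksheets/sage10`, `worksheets/sage11`) is a constructed stand-in for the chroot.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Return {relative path: octal mode} for regular files whose mode
    grants read or write to 'other'. Directory permissions are not
    considered, so a restrictive parent directory may still protect a file."""
    exposed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                exposed[os.path.relpath(path, root)] = oct(mode)
    return exposed


def write_with_umask(path, data, umask):
    """Create a file with a plain open() under the given umask, restoring
    the previous umask afterwards."""
    old = os.umask(umask)
    try:
        with open(path, "w") as fh:
            fh.write(data)
    finally:
        os.umask(old)


def demo():
    # Constructed tree: two files created under the common 022 default,
    # one worksheet created under umask 077.
    with tempfile.TemporaryDirectory() as root:
        for d in ("etc", "worksheets/sage10", "worksheets/sage11"):
            os.makedirs(os.path.join(root, *d.split("/")))
        write_with_umask(os.path.join(root, "etc", "shadow-"), "constructed\n", 0o022)
        write_with_umask(os.path.join(root, "worksheets", "sage10", "ws.txt"), "2+2\n", 0o022)
        write_with_umask(os.path.join(root, "worksheets", "sage11", "ws.txt"), "3+3\n", 0o077)
        return audit_tree(root)


if __name__ == "__main__":
    for path, mode in sorted(demo().items()):
        print(mode, path)
```

Only the two files created under umask 022 are reported; the worksheet created under umask 077 ends up with mode 0600 and is not listed.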
