[sage-devel] Re: SAGE notebook 2
That is not an example of XSS in the notebook. That's an example of you passing garbage into the notebook, and getting garbage back. XSS is where Martin puts malicious javascript into a published worksheet, and steals all your cookies. This is a known vulnerability. Keep looking... and maybe try working on a solution to the problem.

On Tue, 26 Jun 2007, Timothy Clemans wrote:
> An example of XSS in the notebook is that someone could make an account name that has html and javascript (I know this works with my copy of the notebook) and then just publish worksheets. For example on a local notebook I made an account called <h1>mark</h1> and then forced a failed login page for invalid username and I saw mark in big letters. There is a lot of crap I could do right now on the published page this way. I made the username:
>
>     <div style="position:fixed; top:0; right:0; bottom:0; left:0; background:#FFF;">HI</div>
>
> and I get a keyerror in the log when I tried logging as that, but the invalid username failed login page is white with the word Hi. When I renamed one of my worksheets as that I get a blank page with the word Hi. When I publish that page it just messes up the title listing for it but doesn't make the page blank. I've played a little with that and haven't been able to blank the published page.
>
> On 6/26/07, Hamptonio [EMAIL PROTECTED] wrote:
> > Hi, I am getting some funny errors now on the new notebook. In fact, the first thing I tried failed, defining the following ring:
> >
> >     R7grev.<w,r12,r13,r23,m1,m2,m3> = MPolynomialRing(QQ,7,order = "degrevlex")
> >
> > gives the errors:
> >
> >     ./t: line 2: syntax error near unexpected token `('
> >     ./t: line 2: `R7grev.<w,r12,r13,r23,m1,m2,m3> = MPolynomialRing(QQ,7,order = "degrevlex")'
> >
> > I get similar errors on simpler definitions too.
> >
> > Cheers, Marshall
> >
> > On Jun 26, 1:35 am, William Stein [EMAIL PROTECTED] wrote:
> > > Hi, I fixed a number of issues with the notebook (see changelog below) and just made the changed version live. If you're closely following this thread, please let me know if anything seems seriously broken as a result (I'm suffering from the lack of a unit testing framework for the notebook -- help, Yi!).
> > >
> > > -- William
> > >
> > > ---
> > > changeset: 5127:5c77fa34a543
> > > tag: tip
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Tue Jun 26 00:20:29 2007 -0700
> > > summary: make changing evaluation system much clearer
> > >
> > > changeset: 5126:659b25b295df
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Tue Jun 26 00:06:37 2007 -0700
> > > summary: Unified the save button in text edit mode.
> > >
> > > changeset: 5125:5138ee7b363b
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 23:54:02 2007 -0700
> > > summary: tiny fixes for some possible security problems
> > >
> > > changeset: 5124:550f2062e641
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 23:47:43 2007 -0700
> > > summary: Add download link for published worksheets.
> > >
> > > changeset: 5123:2b6c13c613e6
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 23:40:26 2007 -0700
> > > summary: Added 0 as a possible rating and user comments in ratings.
> > >
> > > changeset: 5122:0cb80f3e387f
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 22:48:49 2007 -0700
> > > summary: fix output bug and error in revisions.
> > >
> > > changeset: 5121:ed788cc5989d
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 22:46:17 2007 -0700
> > > summary: SAGE Notebook: Fix large output link.
> > >
> > > changeset: 5120:172b14df6514
> > > user: William Stein [EMAIL PROTECTED]
> > > date: Mon Jun 25 22:27:05 2007 -0700
> > > summary: Get rid of insane stupid global username variable in twist.py, which was just there to get the ball rolling.

--~--~-~--~~~---~--~~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~--~~~~--~~--~--~---
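
The account-name behaviour described in the quoted message comes down to a user-controlled string being written into HTML without encoding. The following is an added example, not code from the thread or from the SAGE notebook: the page template, function names and username policy are hypothetical, and the two names are the ones the thread describes, written with their HTML markup. It renders the invalid-username page with and without output encoding and shows which start tags an HTML parser sees in each.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical registration policy: 3-32 characters from a fixed allowlist.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

# Hypothetical template for the "invalid username" page.
PAGE = "<html><body><p>Invalid username: %s</p></body></html>"


def is_valid_username(name):
    """Allowlist check applied when an account is created or renamed."""
    return USERNAME_RE.fullmatch(name) is not None


def failed_login_page_unsafe(username):
    """Raw interpolation: markup in the name becomes markup in the page."""
    return PAGE % username


def failed_login_page(username):
    """Encode the name for an HTML text context at the point of output."""
    return PAGE % html.escape(username, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    """Return the start tags found in a rendered page, in document order."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


# The two account names described in the thread.
THREAD_NAMES = [
    "<h1>mark</h1>",
    '<div style="position:fixed; top:0; right:0; bottom:0; left:0; '
    'background:#FFF;">HI</div>',
]

if __name__ == "__main__":
    for name in THREAD_NAMES:
        print("accepted at signup:", is_valid_username(name))
        print("tags, raw output:    ", tags_in(failed_login_page_unsafe(name)))
        print("tags, encoded output:", tags_in(failed_login_page(name)))
```

Encoding at output is the control that matters here; the allowlist at signup only narrows what can reach the templates, and worksheet titles need the same encoding.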
[sage-devel] Re: SAGE notebook 2
Hi,

SUMMARY: I've made the public SAGE notebook servers nontrivial to seriously vandalize or kill... I hope. Try to crack them (especially https://sage.math.washington.edu:8102).

DETAILS: For the first time in history I've finally set up a first not totally-insanely-trivial-to-vandalize server in the chroot jail on sage.math. In fact all three servers:

    https://sage.math.washington.edu:8100
    https://sage.math.washington.edu:8101
    https://sage.math.washington.edu:8102 --- please hack me.

are so configured. What happens is that each user worksheet runs as a separate user from the notebook server itself. In fact, there is a rotating pool of 30 worksheet users. It should now be *extremely* difficult for a user of the notebook to kill the notebook process itself, or delete vital user data.

So, for the first time ever, I invite you to please try to see if you can kill the notebook server. Let's restrict the attacks to the one on port 8102. See if you break it by running malicious commands in a worksheet.

NOTE: It is, of course, trivial to denial-of-service sage.math by just running lots and lots of processes at once. Please don't do that.

William
[sage-devel] Re: SAGE notebook 2
Doing

    sage: import os
    sage: os.system('whoami')
    sage10
    sage: os.system("kill -9 `ps -u sage10 -o pid=`")

still seemed to throw me out.

    Connection to localhost closed by remote host.
    Connection to localhost closed.

Is that expected? Logging out and in again did not seem to restore my connection.

Michel
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Michel [EMAIL PROTECTED] wrote:
> Doing
>
>     sage: import os
>     sage: os.system('whoami')
>     sage10
>     sage: os.system("kill -9 `ps -u sage10 -o pid=`")
>
> still seemed to throw me out.
>
>     Connection to localhost closed by remote host.
>     Connection to localhost closed.
>
> Is that expected? Logging out and in again did not seem to restore my connection.

Hi, the three sage notebooks are still working fine for me. All what you did above does is kill the SAGE worksheet process for your individual worksheet -- I.e., you shot your own user in the foot. It shouldn't (and doesn't) affect the overall SAGE notebook server in any nontrivial way, as far as I can tell.

William
[sage-devel] Re: SAGE notebook 2
So the notebook processes are executing the actual sage commands? What is then the notebook server? Is it just the webserver? This seems indeed quite secure provided the server never executes code somehow under control of the user.

Note: I still think notebook processes should be restarted automatically (or on demand). Having to push restart when you log in is confusing.

Michel
[sage-devel] Re: SAGE notebook 2
I tried killing all the other SAGE processes.

    import re
    import pexpect
    import os
    for h in range(1,31):
        if h != 19:
            child = pexpect.spawn('su sage%d' % h)
            child.expect('Password:')
            child.sendline('sage')
            pipe = os.popen('{ ' + 'ps' + '; } 2>&1', 'r')
            g = pipe.read()
            sts = pipe.close()
            findpro = re.compile('\d{5}')
            j = findpro.findall(g)
            for i in j:
                os.system('kill %s' % i)

I tried to protect myself but got

    Connection to localhost closed.
[sage-devel] Re: SAGE notebook 2
I changed my code to the following and got no errors just 0 on one line then 5 then 0 then 5:

    import re
    import pexpect
    import os
    for h in range(1,31):
        pipe = os.popen('{ ' + 'whoami' + '; } 2>&1', 'r')
        m = pipe.read()
        sts = pipe.close()
        if str(h) != m:
            child = pexpect.spawn('su sage%s' % h)
            child.expect('Password:')
            child.sendline('sage')
            pipe = os.popen('{ ' + 'ps' + '; } 2>&1', 'r')
            g = pipe.read()
            sts = pipe.close()
            findpro = re.compile('\d{5}')
            j = findpro.findall(g)
            for i in j[1:len(j)]:
                os.system('kill %s' % i)
            os.system('exit')
[sage-devel] Re: SAGE notebook 2
So far everything looks good. For serious testing one would need the source of the notebook.

Here are some points.

(1) Practically the whole (chroot) filesystem seems to be readable for the notebook users.
    (a) I could even read a backup file of /etc/shadow (/etc/shadow-).
    (b) I could look at other people's worksheets. The default file creation permissions should be changed I think.

(2) It seems the notebook users cannot naively write to the file system. But they can write to /tmp. What policy do you want to implement here?

(3) The notebook users seem to have internet access so they could execute denial of service attacks against other computers. Shouldn't internet access for notebook users be turned off by default?

Michel
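
Points (1)(b) and (2) above concern default file-creation permissions and a shared writable /tmp. The following is an added example, not code from the thread or from the SAGE notebook: the function names and the constructed directory tree are hypothetical. It creates a file that only its owner can read, and audits a tree for anything that grants access to "other".

```python
import os
import stat
import tempfile


def write_private(path, data):
    """Create a new file that only its owner can read or write.

    O_EXCL refuses a path that already exists and O_NOFOLLOW refuses a
    symlink, which matters in a shared directory such as /tmp. The mode is
    passed to open(2) directly, so the file is never briefly world-readable.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def other_accessible(root):
    """Return sorted (relative path, mode) pairs for entries under `root`
    that grant any read, write or execute permission to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if stat.S_ISLNK(info.st_mode):
                continue  # permissions of the link itself are not meaningful
            if info.st_mode & stat.S_IRWXO:
                mode = oct(stat.S_IMODE(info.st_mode))
                findings.append((os.path.relpath(full, root), mode))
    return sorted(findings)


def demo():
    """Build a small constructed worksheet tree and audit it."""
    with tempfile.TemporaryDirectory(prefix="nb-audit-") as root:
        old_umask = os.umask(0o022)  # a common default umask
        try:
            user_dir = os.path.join(root, "alice")
            os.mkdir(user_dir, 0o700)
            # Plain open() under umask 022 produces mode 0644.
            with open(os.path.join(user_dir, "default.txt"), "w") as handle:
                handle.write("created with default permissions\n")
            write_private(os.path.join(user_dir, "private.txt"), b"owner only\n")
        finally:
            os.umask(old_umask)
        return other_accessible(root)


if __name__ == "__main__":
    for path, mode in demo():
        print(mode, path)
```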
[sage-devel] Re: SAGE notebook 2
Turning off net access altogether for notebook users is not a good idea, because there is database stuff in SAGE that uses web sites such as Sloane's database. There is a lot of detection software out there, so I don't think net access needs to be stopped altogether.
[sage-devel] Re: SAGE notebook 2
After some deliberation I think that the issues I pointed out in my last mail have not much to do with the notebook but rather with the implementation of the chroot jail. The only genuine issue is that the notebook server should not create world readable files.

And if I read Timothy's code correctly the notebook users sage** have easy to guess passwords which is also bad of course!

Michel
[sage-devel] Re: SAGE notebook 2
On Jun 27, 11:24 am, Timothy Clemans [EMAIL PROTECTED] wrote:
> Turning off net access altogether for notebook users is not a good idea, because there is database stuff in SAGE that uses web sites such as Sloane's database.

Good point! But the firewall could be configured to allow only specific host access (which would of course still allow DOS attacks against those hosts).

Anyway I realize this is not a sage issue but a firewall issue.

Michel
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Michel [EMAIL PROTECTED] wrote:
> On Jun 27, 11:24 am, Timothy Clemans [EMAIL PROTECTED] wrote:
> > Turning off net access altogether for notebook users is not a good idea, because there is database stuff in SAGE that uses web sites such as Sloane's database.
>
> Good point! But the firewall could be configured to allow only specific host access (which would of course still allow DOS attacks against those hosts).
>
> Anyway I realize this is not a sage issue but a firewall issue.

Actually, it's not such a good point. The *public* sage notebook should indeed not allow any outgoing internet connections, e.g., the sloane stuff etc (and there is not much etc there). It's my computer, and the notebook is free, so placing arbitrary limitations on the functionality is very much reasonable. I can have another notebook server with accounts-by-request-only, which will be much more open (i.e., people who get accounts on that would also be people I would normally give local shell accounts to, with all that entails).

I've planned to implement a firewall strategy in the chroot jail exactly as Martin suggested, but this is for the future, due to lack of time.

William
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Martin Albrecht [EMAIL PROTECTED] wrote:
> We cannot rely on DoS prevention systems elsewhere if the notebook is used for a denial of service attack it is William's responsibility. Thus, I vote for a heavily firewalled chroot:
>
> * do all the anti-spoof, packet scrubbing stuff
> * forbid any OUTGOING traffic
> * allow a WHITELIST of hosts:ports (like sloane's database and such)
> * allow DNS out (I'm afraid we have to do that)
> * forbid any INCOMING traffic
> * allow SSH in
> * allow the SAGE notebook communication in

I agree with all this.

> Another thing: If I shoot myself in the foot 30 times (that is the number of users) I effectively vandalized the SAGE notebook? Ignore this if it doesn't make sense, I haven't actually tried to vandalize anything yet.

No, you're right, sort of. You haven't vandalized it, you've denial of serviced it temporarily, in that everybody else's sessions will be automatically restarted. I should probably map each user to a single one of those 30 login names, so they can at most ever vandalize 1/30 of the other users. Thoughts? Here 30 can be made arbitrarily large...

william
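
Martin's policy list quoted above, written out as an added example that is not from the thread or the SAGE project: a generator for an `iptables-restore` ruleset with default-drop chains, plus a small first-match check of what a new outbound connection would hit. The whitelist address 192.0.2.10 is a constructed placeholder, ports 8100 to 8102 are the notebook ports named earlier in the thread, and the anti-spoofing and scrubbing rules are left out.

```python
import ipaddress

NOTEBOOK_PORTS = (8100, 8101, 8102)  # notebook ports named in the thread
SSH_PORT = 22


def _checked_port(port):
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return port


def build_ruleset(out_whitelist, notebook_ports=NOTEBOOK_PORTS, ssh_port=SSH_PORT):
    """Return iptables-restore text: drop by default, then open only SSH and
    the notebook inbound, and DNS plus whitelisted (address, port) pairs outbound."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in (ssh_port,) + tuple(notebook_ports):
        rules.append("-A INPUT -p tcp --dport %d -j ACCEPT" % _checked_port(port))
    rules += [
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # DNS to any resolver; pinning it to one resolver address is tighter.
        "-A OUTPUT -p udp --dport 53 -j ACCEPT",
        "-A OUTPUT -p tcp --dport 53 -j ACCEPT",
    ]
    for host, port in out_whitelist:
        # Literal IPv4 addresses only: names, networks and IPv6 raise ValueError,
        # so a typo cannot silently widen the whitelist.
        addr = ipaddress.IPv4Address(host)
        if addr.is_unspecified or addr.is_multicast:
            raise ValueError("refusing whitelist entry %s" % addr)
        rules.append("-A OUTPUT -p tcp -d %s --dport %d -j ACCEPT"
                     % (addr, _checked_port(port)))
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


def new_outbound_allowed(ruleset, dst, port, proto="tcp"):
    """First-match evaluation of the OUTPUT chain for a NEW connection.
    Loopback and conntrack rules are skipped because they never match one."""
    for line in ruleset.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "OUTPUT"] or "-p" not in tokens:
            continue
        opts = dict(zip(tokens[2::2], tokens[3::2]))
        if opts["-p"] != proto or int(opts["--dport"]) != port:
            continue
        if "-d" in opts and opts["-d"] != dst:
            continue
        return opts["-j"] == "ACCEPT"
    return ":OUTPUT ACCEPT" in ruleset  # fall through to the chain policy


# Constructed whitelist: one placeholder address standing in for a database host.
SAMPLE_WHITELIST = [("192.0.2.10", 80)]

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_WHITELIST), end="")
```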
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Michel [EMAIL PROTECTED] wrote:
> After some deliberation I think that the issues I pointed out in my last mail have not much to do with the notebook but rather with the implementation of the chroot jail. The only genuine issue is that the notebook server should not create world readable files.
>
> And if I read Timothy's code correctly the notebook users sage** have easy to guess passwords which is also bad of course!

I don't know what Timothy thinks he is doing, since the sage** users have password login totally disabled:

    server4:$1$930823p9lENrsv$EHH6O8szVcckWIYXGRtVQ/:13685:0:9:7:::
    sage1:!:13685:0:9:7:::
    sage2:!:13691:0:9:7:::
    sage3:!:13691:0:9:7:::
    sage4:!:13691:0:9:7:::
    ...

The server logs into each sagei account using ssh RSA keys, which are stored in /home/sage**/.ssh/authorized_keys.

I just fixed the permissions, so the sage** user can't mess up their own authorized_keys file.

William
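
The two checks described in the message above (worksheet accounts with a locked password field, and an authorized_keys file the account cannot alter) can be automated. The following is an added example, not code from the thread or from the SAGE notebook: the function names are hypothetical, the shadow entries are constructed with placeholder hashes, and the `sage<N>` pattern follows the account names shown in the thread.

```python
import os
import re
import stat

POOL_ACCOUNT = re.compile(r"sage\d+")  # pool naming as shown in the thread


def password_state(field):
    """Classify the password field (second field) of a shadow entry."""
    if field == "":
        return "no-password"   # account can be entered without a password
    if field[0] in "!*":
        return "locked"        # no password can ever match this field
    return "hash-set"          # a password login is possible


def pool_accounts_with_password_login(shadow_text):
    """Return {account: state} for pool accounts whose password is not locked."""
    findings = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not POOL_ACCOUNT.fullmatch(parts[0]):
            continue
        state = password_state(parts[1])
        if state != "locked":
            findings[parts[0]] = state
    return findings


def key_file_problems(path, uid, gids=()):
    """List the ways account `uid` could alter the authorized_keys file.

    The containing directory is checked too: write access to it is enough
    to replace the file. Ownership counts as a problem on its own, because
    an owner can always chmod the file back to writable.
    """
    problems = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        info = os.stat(target)
        if info.st_uid == uid:
            problems.append("%s: owned by the account" % target)
        if info.st_mode & stat.S_IWOTH:
            problems.append("%s: world-writable" % target)
        if info.st_mode & stat.S_IWGRP and info.st_gid in gids:
            problems.append("%s: writable by one of the account's groups" % target)
    return problems


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
server4:$1$CONSTRUCTED$notARealHashValue0000:13685:0:99999:7:::
sage1:!:13685:0:99999:7:::
sage2:*:13691:0:99999:7:::
sage3:$1$CONSTRUCTED$notARealHashValue0000:13691:0:99999:7:::
sage4::13691:0:99999:7:::
"""

if __name__ == "__main__":
    print(pool_accounts_with_password_login(SAMPLE_SHADOW))
```

A locked password field only blocks password authentication; key-based SSH logins to the account keep working, which is the arrangement the message describes.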
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Michel [EMAIL PROTECTED] wrote:
> On Jun 27, 11:24 am, Timothy Clemans [EMAIL PROTECTED] wrote:
> > Turning off net access altogether for notebook users is not a good idea, because there is database stuff in SAGE that uses web sites such as Sloane's database.
>
> Good point! But the firewall could be configured to allow only specific host access (which would of course still allow DOS attacks against those hosts).
>
> Anyway I realize this is not a sage issue but a firewall issue.

Actually, several of us have come to the conclusion that for a public SAGE server, one should think of a whole closed system, including the OS, firewall, linux etc, and not rely on sage itself. From this point of view -- which is the right one -- this DOS stuff, etc., is a SAGE issue. Optimally, we will be able to produce:

* a live boot CD
* a vmware image
* a parallels virtual machine image
* Xen? UML?
* a premade chroot jail, or instructions and scripts for easily making one

that all provide a robust and secure way for somebody to provide a public SAGE notebook that doesn't get easily vandalized or taken down and turned into a spam bot or worse in minutes.

From this point of view, we are partly going to be making a customized Linux distribution.

-- William
[sage-devel] Re: SAGE notebook 2
> No, you're right, sort of. You haven't vandalized it, you've denial of serviced it temporarily, in that everybody else's sessions will be automatically restarted. I should probably map each user to a single one of those 30 login names, so they can at most every vandalize 1/30 of the other users. Thoughts? Here 30 can be made arbitrarily large...

Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually creating a UNIX user per notebook user? This way we wouldn't have to fiddle with permissions but everything is secured by the trustworthy UNIX user model? Signing up requires some effort (we could add a captcha as a Turing test) so I wouldn't expect the notebook to get millions of sign-ups per second. I am not aware that having many (100.000) logins on a system is like a Denial-of-Service (but I could be wrong here) and we might even remove all accounts that have been inactive for some time.

To further motivate this: The SAGE notebook is a free shell on a remote machine (plus some math stuff :-)) with no prior checks whatsoever. So it should be secured like a real shell via the UNIX security model. Also, as William wants to count active notebook users as SAGE users (which I think is reasonable) we should make sure that the probability of some weird script kidding killing all your work is way below $number_of_tries * 1/30.

Thoughts?

Martin

--
name: Martin Albrecht
_pgp: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8EF0DC99
_www: http://www.informatik.uni-bremen.de/~malb
_jab: [EMAIL PROTECTED]
[sage-devel] Re: SAGE notebook 2
On 6/27/07, Martin Albrecht [EMAIL PROTECTED] wrote:
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually creating a UNIX user per notebook user? This way we wouldn't have to fiddle with permissions but everything is secured by the trustworthy UNIX user model? Signing up requires some effort (we could add a captcha as a Turing test) so I wouldn't expect the notebook to get millions of sign-ups per second. I am not aware that having many (100.000) logins on a system is like a Denial-of-Service (but I could be wrong here) and we might even remove all accounts that have been inactive for some time.

Actually, I'd be fine with people having to wait after registering until their registration is approved by a person (e.g., me). I mean, giving people 100% shell access for free to a powerful computer running a lot of software is something worth waiting an hour for. The same would likely go for a lot of other sys admins who would eventually run public SAGE notebook servers.

> To further motivate this: The SAGE notebook is a free shell on a remote machine (plus some math stuff :-)) with no prior checks whatsoever. So it should be secured like a real shell via the UNIX security model. Also, as

I totally agree.

> William wants to count active notebook users as SAGE users (which I think is reasonable) we should make sure that the probability of some weird script kidding killing all your work is way below $number_of_tries * 1/30.

Yep. I'm a little worried about creating new accounts for each user, just because that means the Notebook server has to have the ability to create new accounts, which is probably a pretty serious ability to have. But I suppose sudo could give them just access to the adduser command and not much else. Actually, I sort of like this idea.

William
[sage-devel] Re: SAGE notebook 2
On Jun 27, 1:57 pm, William Stein [EMAIL PROTECTED] wrote:
> I'm a little worried about creating new accounts for each user, just because that means the Notebook server has to have the ability to create new accounts, which is probably a pretty serious ability to have. But I suppose sudo could give them just access to the adduser command and not much else. Actually, I sort of like this idea.
>
> William

I understand that the ideas you are developing here are highly appropriate for an open notebook and are probably applicable to VMware'd systems too. However, the typical potential user doesn't have admin access themselves. It will be hard enough to convince system administrators to install software that listens on an outside port, but if that software can ALSO make new user accounts, it will probably be impossible (and otherwise the sysadmin should be fired)

Please keep in mind there are other usage scenarios as well:

- sage runs on a private machine, with essentially only one authorised login (think laptop)
- sage runs on a workstation, with one main user but multiple people authorized to login (standard networked workstation)
- sage runs on a rack server; multiple people are allowed to login and regularly do
- prof wants to use sage as a teaching tool and for students to do assignments. Students are not very trusted, but the prof administering the sage system probably only has limited authority on the machine it runs on.

Scenarios 1 through 3 would not necessarily be chrooted, because people using the notebook would normally have shell access anyway. The notebook could just listen on a local port and people can connect via ssh tunnels. It might even be desirable that, after authentication, I can access my own homedir files (makes for easy attaching editing of custom programs and allows me to communicate easily with normal - homedir centric software). On the other hand, sage su-ing to my uid would make me slightly uncomfortable (sage is too complicated a program to do such delicate things).

Scenario 4 does need good lockdown and probably protection against vandalism. However, the prof may not have enough permissions to set up what you described before. In this scenario, the notebook would probably have to listen on an outward port. The only thing that makes it not quite a public notebook is that accounts are not freely given out.

Incidentally, if the notebook connects via ssh to the sage sessions, there is no reason for them to live on the same computer either anymore! This opens the road of running a central notebook process, where all the members of the department can connect. From there, the sage processes are run on a collection of machines! This setup only needs that the system can trust that the relevant parts of the filesystem are network shared, or (for the read-only parts) exact copies on all machines involved. These conditions are normally easy to meet on departmental research networks.
[sage-devel] Re: SAGE notebook 2
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually creating a UNIX user per notebook user? This way we wouldn't have to fiddle with permissions but everything is secured by the trustworthy UNIX user model?

+1
[sage-devel] Re: SAGE notebook 2
> Actually, I'd be fine with people having to wait after registering until their registration is approved by a person (e.g., me). I mean, giving people 100% shell access for free to a powerful computer running a lot of software is something worth waiting an hour for. The same would likely go for a lot of other sys admins who would eventually run public SAGE notebook servers.

I like that idea. I think that maybe all users should be automatically approved to rate, flag, and comment on public worksheets but not create nor edit worksheets. One possibility is that on the secure server, the approved worksheet people could create and edit worksheets and do all the other stuff like rate and comment on published worksheets. The published worksheets would be a part of a wiki. On the unsecure side, all users that do not have worksheet creation and edit permissions can rate, comment, discuss, track their worksheet views and show others what they are viewing like on Youtube, and categorize worksheets.
[sage-devel] Re: SAGE notebook 2
Hi,

I fixed a number of issues with the notebook (see changelog below) and just made the changed version live. If you're closely following this thread, please let me know if anything seems seriously broken as a result (I'm suffering from the lack of a unit testing framework for the notebook -- help, Yi!).

 -- William

---
changeset: 5127:5c77fa34a543
tag: tip
user: William Stein [EMAIL PROTECTED]
date: Tue Jun 26 00:20:29 2007 -0700
summary: make changing evaluation system much clearer

changeset: 5126:659b25b295df
user: William Stein [EMAIL PROTECTED]
date: Tue Jun 26 00:06:37 2007 -0700
summary: Unified the save button in text edit mode.

changeset: 5125:5138ee7b363b
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 23:54:02 2007 -0700
summary: tiny fixes for some possible security problems

changeset: 5124:550f2062e641
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 23:47:43 2007 -0700
summary: Add download link for published worksheets.

changeset: 5123:2b6c13c613e6
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 23:40:26 2007 -0700
summary: Added 0 as a possible rating and user comments in ratings.

changeset: 5122:0cb80f3e387f
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 22:48:49 2007 -0700
summary: fix output bug and error in revisions.

changeset: 5121:ed788cc5989d
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 22:46:17 2007 -0700
summary: SAGE Notebook: Fix large output link.

changeset: 5120:172b14df6514
user: William Stein [EMAIL PROTECTED]
date: Mon Jun 25 22:27:05 2007 -0700
summary: Get rid of insane stupid global username variable in twist.py, which was just there to get the ball rolling.
[sage-devel] Re: SAGE notebook 2
Hi,

I am getting some funny errors now on the new notebook. In fact, the first thing I tried failed, defining the following ring:

R7grev.w,r12,r13,r23,m1,m2,m3 = MPolynomialRing(QQ,7,order = degrevlex)

gives the errors:

./t: line 2: syntax error near unexpected token `('
./t: line 2: `R7grev.w,r12,r13,r23,m1,m2,m3 = MPolynomialRing(QQ,7,order = degrevlex)'

I get similar errors on simpler definitions too.

Cheers,
Marshall

On Jun 26, 1:35 am, William Stein [EMAIL PROTECTED] wrote:
> Hi,
>
> I fixed a number of issues with the notebook (see changelog below) and just made the changed version live. If you're closely following this thread, please let me know if anything seems seriously broken as a result (I'm suffering from the lack of a unit testing framework for the notebook -- help, Yi!).
>
>  -- William
>
> ---
> changeset: 5127:5c77fa34a543
> tag: tip
> user: William Stein [EMAIL PROTECTED]
> date: Tue Jun 26 00:20:29 2007 -0700
> summary: make changing evaluation system much clearer
>
> changeset: 5126:659b25b295df
> user: William Stein [EMAIL PROTECTED]
> date: Tue Jun 26 00:06:37 2007 -0700
> summary: Unified the save button in text edit mode.
>
> changeset: 5125:5138ee7b363b
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 23:54:02 2007 -0700
> summary: tiny fixes for some possible security problems
>
> changeset: 5124:550f2062e641
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 23:47:43 2007 -0700
> summary: Add download link for published worksheets.
>
> changeset: 5123:2b6c13c613e6
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 23:40:26 2007 -0700
> summary: Added 0 as a possible rating and user comments in ratings.
>
> changeset: 5122:0cb80f3e387f
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 22:48:49 2007 -0700
> summary: fix output bug and error in revisions.
>
> changeset: 5121:ed788cc5989d
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 22:46:17 2007 -0700
> summary: SAGE Notebook: Fix large output link.
>
> changeset: 5120:172b14df6514
> user: William Stein [EMAIL PROTECTED]
> date: Mon Jun 25 22:27:05 2007 -0700
> summary: Get rid of insane stupid global username variable in twist.py, which was just there to get the ball rolling.
[sage-devel] Re: SAGE notebook 2
An example of XSS in the notebook is that someone could make an account name that has html and javascript (I know this works with my copy of the notebook) and then just publish worksheets. For example on a local notebook I made an account called h1mark/h1 and then forced a failed login page for invalid username and I saw mark in big letters. There is a lot of crap I could do right now on the published page this way.

I made the username: div style=position:fixed; top:0; right:0; bottom:0; left:0; background:#FFF;HI/div and I get a keyerror in the log when I tried logging as that, but the invalid username failed login page is white with the word Hi. When I renamed one of my worksheets as that I get a blank page with the word Hi. When I publish that page it just messes up the title listing for it but doesn't make the page blank. I've played a little with that and haven't been able to blank the published page.

On 6/26/07, Hamptonio [EMAIL PROTECTED] wrote:
> Hi,
>
> I am getting some funny errors now on the new notebook. In fact, the first thing I tried failed, defining the following ring:
>
> R7grev.w,r12,r13,r23,m1,m2,m3 = MPolynomialRing(QQ,7,order = degrevlex)
>
> gives the errors:
>
> ./t: line 2: syntax error near unexpected token `('
> ./t: line 2: `R7grev.w,r12,r13,r23,m1,m2,m3 = MPolynomialRing(QQ,7,order = degrevlex)'
>
> I get similar errors on simpler definitions too.
>
> Cheers,
> Marshall
>
> On Jun 26, 1:35 am, William Stein [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I fixed a number of issues with the notebook (see changelog below) and just made the changed version live. If you're closely following this thread, please let me know if anything seems seriously broken as a result (I'm suffering from the lack of a unit testing framework for the notebook -- help, Yi!).
> >
> >  -- William
> >
> > ---
> > changeset: 5127:5c77fa34a543
> > tag: tip
> > user: William Stein [EMAIL PROTECTED]
> > date: Tue Jun 26 00:20:29 2007 -0700
> > summary: make changing evaluation system much clearer
> >
> > changeset: 5126:659b25b295df
> > user: William Stein [EMAIL PROTECTED]
> > date: Tue Jun 26 00:06:37 2007 -0700
> > summary: Unified the save button in text edit mode.
> >
> > changeset: 5125:5138ee7b363b
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 23:54:02 2007 -0700
> > summary: tiny fixes for some possible security problems
> >
> > changeset: 5124:550f2062e641
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 23:47:43 2007 -0700
> > summary: Add download link for published worksheets.
> >
> > changeset: 5123:2b6c13c613e6
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 23:40:26 2007 -0700
> > summary: Added 0 as a possible rating and user comments in ratings.
> >
> > changeset: 5122:0cb80f3e387f
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 22:48:49 2007 -0700
> > summary: fix output bug and error in revisions.
> >
> > changeset: 5121:ed788cc5989d
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 22:46:17 2007 -0700
> > summary: SAGE Notebook: Fix large output link.
> >
> > changeset: 5120:172b14df6514
> > user: William Stein [EMAIL PROTECTED]
> > date: Mon Jun 25 22:27:05 2007 -0700
> > summary: Get rid of insane stupid global username variable in twist.py, which was just there to get the ball rolling.
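The behaviour reported in the message above (markup in an account name or worksheet title being rendered as HTML on the failed-login page and in the published listing) comes from pasting untrusted strings into a page unencoded. The following is an added example, not the notebook's own code: the page templates, the username policy and all function names are assumptions, and the sample strings are constructed to resemble the ones described in the message.

```python
import html
import re

# Assumed policy (not the notebook's own): a letter, then letters, digits,
# '_', '.', or '-', for a total length of 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{2,31}")


def is_valid_username(name):
    """Allowlist check to apply at account creation and again at login."""
    return USERNAME_RE.fullmatch(name) is not None


def failed_login_page_unsafe(username):
    """The pattern the message describes: the raw name is pasted into the page."""
    return "<html><body><p>Invalid username: %s</p></body></html>" % username


def failed_login_page(username):
    """Same page, with the name encoded for an HTML text context."""
    return ("<html><body><p>Invalid username: %s</p></body></html>"
            % html.escape(username, quote=True))


def published_listing(worksheets):
    """Render (worksheet_id, title, owner) rows with every untrusted field escaped.

    quote=True also encodes the double and single quote characters, so the
    title is safe inside the double-quoted title="" attribute as well as in
    element text.
    """
    rows = []
    for ws_id, title, owner in worksheets:
        safe_title = html.escape(title, quote=True)
        safe_owner = html.escape(owner, quote=True)
        rows.append('<li><a href="/home/pub/%d/" title="%s">%s</a> by %s</li>'
                    % (int(ws_id), safe_title, safe_title, safe_owner))
    return "<ul>\n%s\n</ul>" % "\n".join(rows)


# Constructed sample input, modelled on the names described in the message.
SAMPLE_NAME = "<h1>mark</h1>"
SAMPLE_TITLE = ('<div style="position:fixed; top:0; right:0; bottom:0; left:0; '
                'background:#FFF;">HI</div>')

if __name__ == "__main__":
    print(failed_login_page_unsafe(SAMPLE_NAME))   # heading is rendered
    print(failed_login_page(SAMPLE_NAME))          # heading shown as literal text
    print(published_listing([(14, SAMPLE_TITLE, SAMPLE_NAME)]))
    print(is_valid_username(SAMPLE_NAME), is_valid_username("malb"))
```

Validation at sign-up and encoding at output are independent layers: the first keeps such names out of the account database, the second keeps any string that does get stored from being interpreted as markup.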
[sage-devel] Re: SAGE notebook 2
Hamptonio [EMAIL PROTECTED] writes:
> Nils Bruin has addressed most of the points I was going to make, but I did notice one minor thing in testing the new notebook - it actually affects the old one too: If you have a comment with a question mark, the question mark gets parsed by the help system. I consider this undesirable behavior. For example, the line
>
> # Is this a bug?
>
> has output:
>
> No object 'sh.bug' currently defined.
>
> ...which certainly isn't what I would expect.

I volunteer to address this -- it is notebook specific, I think. IPython does this via preprocessing; i.e., x? ; y? does not work as you would expect -- it tries to do the equivalent of (x? ; y)?

I just posted about marked up output types, which could help with this.

Nick
[sage-devel] Re: SAGE notebook 2
> > - Can the output of search_doc be prettified? title of page/section rather than the filename, perhaps? You may need some logic/conventions to find a sensible title for every page.
>
> Maybe. Alex Clemesha wrote a serious doc search thing that he showed me once, but he hasn't integrated it into SAGE yet. I was getting impatient so I spent exactly one hour to write the current search_doc function, since it's vastly more useful than absolutely nothing (which is all we had before). But prettifying, adding context, etc., all takes a lot more than one hour to implement, and probably Alex has already done it, to some extent.

Could I see Alex Clemesha's patch for searching docs? I would be a good referee, in any case.

In this vein, I have a soon-to-be-submitted patch that gives SAGE an apropos command. If you type `conductor**?', SAGE will list all (callable) objects with conductor in the last dotted name segment along with short docstrings:

sage: conductor**?
sage.all.mwrank_EllipticCurve.conductor
Command: Return the conductor of this curve, computed using Cremona's implementation of Tate's algorithm.
sage.databases.cremona.LargeCremonaDatabase.conductor_range
Command: Return the range of conductors that are covered by the database.
sage.databases.cremona.LargeCremonaDatabase.largest_conductor
Command: The largest conductor for which the database is complete. OUTPUT: int -- largest conductor
sage.databases.cremona.LargeCremonaDatabase.smallest_conductor
Command: The smallest conductor for which the database is complete. (Always 1.)
sage.databases.cremona.MiniCremonaDatabase.conductor_range
Command: Return the range of conductors that are covered by the database.
sage.databases.cremona.MiniCremonaDatabase.largest_conductor
Command: The largest conductor for which the database is complete. OUTPUT: int -- largest conductor
sage.databases.cremona.MiniCremonaDatabase.smallest_conductor
Command: The smallest conductor for which the database is complete. (Always 1.)
sage.modular.dirichlet.DirichletCharacter.conductor
Command: Computes and returns the conductor of this character.
sage.schemes.elliptic_curves.ell_rational_field.EllipticCurve_rational_field.conductor
Command: Returns the conductor of the elliptic curve.

(Note: many docstrings do not follow conventions!)

The formatting sucks because my SAGE emacs code cleans it up and makes it pretty. In the notebook, other code should do the prettifying.

It would be nice to uniformize the web based notebook interface, some of the Emacs mode I am writing, and the IPython command line. I have some ideas about how to do this.

IPython maintains a history of outputted objects; it is a hash-like object called Out. I think that each interface should check Out for objects that could be displayed in different ways. For example, that apropos command would return an AproposOutput object, that would have a family of repr-like commands: repr itself for IPython, repr_html or repr_notebook for the notebook's fancy html output, and maybe repr_emacs if it should do something special. If there was no special handling, the repr is shown. That seems to generalize the graphics objects already present in SAGE.

What do people think?

Nick
[sage-devel] Re: SAGE notebook 2
Hi there,

first of all: The new notebook is just amazing, congratulations to everybody involved, it rocks.

Some very minor issues, IMHO:

* I assume 4.0 is the highest rating? As I start counting at zero I would like to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is something, 0.0 is crap.
* as far as I can tell, there is no prevention of cross-site-scripting attacks implemented yet. Is this a planned feature?
* Most websites which allow users to publish their stuff have a report this as spam/offensive button, this could be useful.
* How come that 'was' edited my published notebook last according to https://sage.math.washington.edu:8102/home/pub/14/ . Is this was' admin status, a bug, a feature?

But again, overall it is just amazingly cool,

Martin

--
name: Martin Albrecht
_pgp: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x8EF0DC99
_www: http://www.informatik.uni-bremen.de/~malb
_jab: [EMAIL PROTECTED]
[sage-devel] Re: SAGE notebook 2
On 6/25/07, Martin Albrecht [EMAIL PROTECTED] wrote:
> first of all: The new notebook is just amazing, congratulations to everybody involved, it rocks. Some very minor issues, IMHO:
>
> * I assume 4.0 is the highest rating? As I start counting at zero I would like to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is something, 0.0 is crap.

I can add that. I was thinking of also adding a comment field, so you can explain why said worksheet is crap.

> * as far as I can tell, there is no prevention of cross-site-scripting attacks implemented yet. Is this a planned feature?

No plans. Could you make some plans? This is only an issue when the notebook users are completely random and open. I believe that in the long run most notebook usage will be by users who are trusted and have specifically been given accounts (e.g., students at a specific university in a course), which is why getting SSL authentication and encryption up and running by default was so important. Anonymous free open notebooks will probably only be run by some crazy folks (such as me!!) until they get in trouble with their universities... It's just completely giving away nontrivial computing resources.

> * Most websites which allow users to publish their stuff have a report this as spam/offensive button, this could be useful.

That's a good idea.

> * How come that 'was' edited my published notebook last according to https://sage.math.washington.edu:8102/home/pub/14/ . Is this was' admin status, a bug, a feature?

Bug. It looks right here: https://sage.math.washington.edu:8102/home/pub/ I just need to make sure the edited by line is taken from the same place (same function call) in both cases.

> But again, overall it is just amazingly cool,

Cool, I'm glad you appreciate it. It was very very hard work to write last week. I will be working a lot on polishing and improving it in little ways this week.

One big problem is that the username is being set by the server as a global variable (in a file twist.py) -- this was a hack to get things going, and of course is fine when testing as a single user. But this morning there were about THIRTY high school students in my workshop pounding the server at once, and this silly hack certainly didn't hold up under multiple concurrent requests (!). Fixing that is first on my list.

Thanks for all your feedback.

By the way, as always, everything anyone should need to switch to the old notebook is in http://sage.math.washington.edu/home/was/twisted/

Automigration of old worksheets is implemented, and might even work. Right after migrating, you should delete the sage_notebook/worksheets directory manually. You do migration just by running the new notebook; it detects that the notebook is in the old format and updates everything. The screen goes blank for a few seconds, but don't panic.

I've set the server up so that even locally if you type notebook() to run the notebook on localhost, then it uses SSL and you have to type a password. I did this, since my assumption is that if I don't do this, then anybody else who logs into your computer could hose your account. Is this correct?

William
[sage-devel] Re: SAGE notebook 2
> > Some very minor issues, IMHO:
> >
> > * I assume 4.0 is the highest rating? As I start counting at zero I would like to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is something, 0.0 is crap.
>
> I can add that. I was thinking of also adding a comment field, so you can explain why said worksheet is crap.

Sounds good.

> > * as far as I can tell, there is no prevention of cross-site-scripting attacks implemented yet. Is this a planned feature?
>
> No plans. Could you make some plans? This is only an issue when the notebook users are completely random and open. I believe that in the long run most notebook usage will be by users who are trusted and have specifically been given accounts (e.g., students at a specific university in a course), which is why getting SSL authentication and encryption up and running by default was so important.

If I could run arbitrary javascript on my teacher's computer that would still be a security breach, so even though the authentication/encryption helps a lot, it doesn't prevent this from happening/being a threat.

> Anonymous free open notebooks will probably only be run by some crazy folks (such as me!!) until they get in trouble with their universities... It's just completely giving away nontrivial computing resources.

XSS attacks ( http://en.wikipedia.org/wiki/XSS ) are not about the server: The attack is to inject javascript code into a notebook cell and thus have another user's browser perform evil things like sending a cookie around/browsing some evil website etc.. So it doesn't really matter who runs the website as long as people trust the website to visit it.

The only solution is to prevent HTML output under direct user control. This is one reason why Wikis come with their own markup languages. So for example all output gets filtered through a module which translates MoinMoin Wiki markup to HTML (like the MoinMoin wiki does) and filters out every other HTML.

> > * Most websites which allow users to publish their stuff have a report this as spam/offensive button, this could be useful.
>
> That's a good idea.
>
> > * How come that 'was' edited my published notebook last according to https://sage.math.washington.edu:8102/home/pub/14/ . Is this was' admin status, a bug, a feature?
>
> Bug. It looks right here: https://sage.math.washington.edu:8102/home/pub/ I just need to make sure the edited by line is taken from the same place (same function call) in both cases.
>
> > But again, overall it is just amazingly cool,
>
> Cool, I'm glad you appreciate it. It was very very hard work to write last week. I will be working a lot on polishing and improving it in little ways this week.
>
> One big problem is that the username is being set by the server as a global variable (in a file twist.py) -- this was a hack to get things going, and of course is fine when testing as a single user. But this morning there were about THIRTY high school students in my workshop pounding the server at once, and this silly hack certainly didn't hold up under multiple concurrent requests (!). Fixing that is first on my list.
>
> Thanks for all your feedback.
>
> By the way, as always, everything anyone should need to switch to the old notebook is in http://sage.math.washington.edu/home/was/twisted/
>
> Automigration of old worksheets is implemented, and might even work. Right after migrating, you should delete the sage_notebook/worksheets directory manually. You do migration just by running the new notebook; it detects that the notebook is in the old format and updates everything. The screen goes blank for a few seconds, but don't panic.
>
> I've set the server up so that even locally if you type notebook() to run the notebook on localhost, then it uses SSL and you have to type a password. I did this, since my assumption is that if I don't do this, then anybody else who logs into your computer could hose your account. Is this correct?

Yes. As the local notebook listens on 127.0.0.1 it accepts connections from everyone able to connect to 127.0.0.1.

Martin

--
name: Martin Albrecht
_pgp: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x8EF0DC99
_www: http://www.informatik.uni-bremen.de/~malb
_jab: [EMAIL PROTECTED]
[sage-devel] Re: SAGE notebook 2
On 6/25/07, Martin Albrecht [EMAIL PROTECTED] wrote:
> > No plans. Could you make some plans? This is only an issue when the notebook users are completely random and open. I believe that in the long run most notebook usage will be by users who are trusted and have specifically been given accounts (e.g., students at a specific university in a course), which is why getting SSL authentication and encryption up and running by default was so important.
>
> If I could run arbitrary javascript on my teacher's computer that would still be a security breach, so even though the authentication/encryption helps a lot, it doesn't prevent this from happening/being a threat.

For the professor example, the authentication does make a difference, in that what you're running is logged, and it's pretty clear *you* are running the relevant code since you had to log in, i.e., there is accountability. It's no different than your professor giving you an account on a computer with a web page -- if evil code shows up, you're going to be under scrutiny. With the old open non-authenticated notebook it was quite easy for anybody to do things anonymously.

> > Anonymous free open notebooks will probably only be run by some crazy folks (such as me!!) until they get in trouble with their universities... It's just completely giving away nontrivial computing resources.
>
> XSS attacks ( http://en.wikipedia.org/wiki/XSS ) are not about the server: The attack is to inject javascript code into a notebook cell and thus have another user's browser perform evil things like sending a cookie around/browsing some evil website etc.. So it doesn't really matter who runs the website as long as people trust the website to visit it.

You misunderstand my comment. Let me try again. With the new SAGE notebook, by default visitors to the site will not be able to create new accounts -- and in fact, in most cases, I think SAGE notebook accounts will only be used by people specifically given them (i.e., they have a reason to have access to the given computing resources). A public visitor to the site is not allowed to leave their own notebook cells or create an account.

Note -- I -- one of the aforementioned crazy people -- do have a public chroot'd notebook server. These are likely going to be rare. For these, it would be very desirable to have something to prevent the XSS problem.

> The only solution is to prevent HTML output under direct user control. This is one reason why Wikis come with their own markup languages. So for example all output gets filtered through a module which translates MoinMoin Wiki markup to HTML (like the MoinMoin wiki does) and filters out every other HTML.

Note that the only SAGE worksheets anybody besides the user will ever see now are the ones that have been publicly published. Could we do something at the moment of publication to scrape and make safer these worksheets? Is there some sort of html -- safe html converter?

> > I've set the server up so that even locally if you type notebook() to run the notebook on localhost, then it uses SSL and you have to type a password. I did this, since my assumption is that if I don't do this, then anybody else who logs into your computer could hose your account. Is this correct?
>
> Yes. As the local notebook listens on 127.0.0.1 it accepts connections from everyone able to connect to 127.0.0.1.

Yep, so that's been a gaping hole in the whole notebook idea for a long time, which is now nicely closed. Now if a random user types sage: notebook() they set a password the first time, then login via ssl to https://localhost. Much better.

William
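One way to do the clean-up at the moment of publication that the message above asks about, combined with the "filter out every other HTML" idea quoted in it. This is an added example, not code from the SAGE notebook: an allowlist sanitizer built on Python's standard-library html.parser, where the tag and attribute allowlists, the function name sanitize_for_publication and the sample worksheet fragment are all assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for this example; a real deployment would tune them.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "div", "span",
                "ul", "ol", "li", "h1", "h2", "h3", "table", "tr", "td", "th", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers anywhere
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # the text inside these is discarded too
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def is_safe_url(value):
    """Accept relative, http(s) and mailto links; reject javascript:, data:, etc."""
    # Browsers ignore whitespace and control characters inside a scheme name.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class PublishSanitizer(HTMLParser):
    """Re-serialises worksheet HTML, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # tag is dropped; any text inside it is still escaped and kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not is_safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything left open inside this element so the output stays balanced.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        closing = ["</%s>" % t for t in reversed(self.open_tags)]
        return "".join(self.out + closing)


def sanitize_for_publication(worksheet_html):
    """Return a copy of the worksheet HTML that is safe to show to other users."""
    parser = PublishSanitizer()
    parser.feed(worksheet_html)
    parser.close()
    return parser.result()


# Constructed sample: a worksheet fragment mixing harmless and active markup.
SAMPLE = ('<h2 onclick="alert(1)">Conductors</h2>'
          '<script>alert(document.cookie)</script>'
          '<div style="position:fixed; top:0; left:0">HI</div>'
          '<p>See <a href="javascript:alert(1)">this</a> and '
          '<a href="/home/pub/14/">worksheet 14</a>: 2 &lt; 3 <b>bold</p>')

if __name__ == "__main__":
    print(sanitize_for_publication(SAMPLE))
```

Comments, doctype declarations and processing instructions are dropped because the parser's default handlers for them emit nothing. An unclosed script element swallows the rest of the input, so the sanitizer fails closed.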
[sage-devel] Re: SAGE notebook 2
> In fact, I would much prefer choosing a 3rd party project for indexing html docs and including it in SAGE to writing our own, since maintenance will be easier, and the quality will steadily improve with no work on our part. Any ideas or suggestions??

I agree. I won't volunteer for this task.

> > In this vein, I have a soon-to-be-submitted patch that gives SAGE an apropos command. If you type `conductor**?', SAGE will list all (callable) objects with conductor in the last dotted name segment along with short docstrings:
>
> Nice!

I am cleaning the code for submission, it should be along shortly.

> I'm a little unclear on what you're proposing exactly. I'll have to think about it.

I just used the new notebook -- it totally roxors -- and I will try to find a few examples of what I think should happen and elaborate. Let's not think about this right now.

Nick
[sage-devel] Re: SAGE notebook 2
On Jun 21, 2007, at 10:52, William Stein wrote: I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted.

This looks really nice! I haven't spent a lot of time with it, but after a short time with it, I like it a lot. A suggestion for the help function: have the help text displayed in a separate window. That way, you don't have to go back and forth between the help screen and your worksheet to check out what you learn in there. Also (much less important), maybe have the help window be sized differently (e.g., square). I've seen this in a number of forms-based pages from sites such as banks, where field entries are explained in separate help windows.

Justin -- Justin C. Walker, Curmudgeon-At-Large Institute for the Absorption of Federal Funds Men are from Earth. Women are from Earth. Deal with it.
[sage-devel] Re: SAGE notebook 2
Nils Bruin has addressed most of the points I was going to make, but I did notice one minor thing in testing the new notebook - it actually affects the old one too: If you have a comment with a question mark, the question mark gets parsed by the help system. I consider this undesirable behavior. For example, the line # Is this a bug? has output: No object 'sh.bug' currently defined. ...which certainly isn't what I would expect. Cheers, Marshall Hampton

On Jun 21, 12:52 pm, William Stein [EMAIL PROTECTED] wrote: Hi, I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted. I'm sure there are *lots* of bugs in the notebook. I don't know of any in particular, but I wrote a lot of new code, so there are bound to be numerous issues. I want to use this new notebook server in a class for high school students that I'm teaching next week, so I would be very grateful if people could try it out and report bugs or points about the design that they find very confusing. You can also report features you wish were there, but I'm not going to implement anything new on the notebook myself for a while. By the way, the general document model greatly resembles Google Documents, as I'm sure will be clear once you try the notebook out. -- William

Important note -- I implemented a secure separate process model for the notebook. Unfortunately, ssh doesn't work at all in the chroot jail that the server runs in (Bobby -- why!? -- just create two new accounts with dumb passwords -- it isn't possible to ssh from one to the other), so I can't use it in the chroot jail yet. So it is trivial to vandalize the server...
-- William Stein Associate Professor of Mathematics University of Washington http://www.williamstein.org
[sage-devel] Re: SAGE notebook 2
The new notebook looks very good. Here is another quirk. I pressed help in a worksheet and as expected got to the help page. However my name was given as Timothy Clemans! More importantly it is quite unclear to me how to go back from the help page to the worksheet! Michel

On Jun 22, 7:51 am, Michel [EMAIL PROTECTED] wrote: I often select the content of a cell and press backspace to delete it. In the new notebook it seems to throw me out of the notebook (it sometimes works though). Quite bizarre. This is firefox 1.0.4 on FC4. Michel

On Jun 22, 5:36 am, William Stein [EMAIL PROTECTED] wrote: On 6/21/07, Craig Citro [EMAIL PROTECTED] wrote: I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted. I just tried it in Firefox 2.0.0.4 on my G4 Powerbook, and I can't create a new worksheet. Every time I hit the button to create a new worksheet, I get brought right back to the login page. In fact, it seems to do exactly that for every button I hit. I do like the design of the pages I've seen, though. :) This means that cookies are not being correctly set by the notebook in your browser. Try clearing your cookie cache and restarting the notebook, or using safari (which mostly works). William
[sage-devel] Re: SAGE notebook 2
On 6/22/07, Timothy Clemans [EMAIL PROTECTED] wrote: Actually, I was exactly copying what is in Google Documents right now -- if you view a document -- I even use the same font and color. My suggestion would make the two look even similar. Simply take the SAGE logo and add the word Notebook to it. Send me a png and I'll see how it looks. * Marketing on the homepage should be for the SAGE Notebook and not SAGE I disagree. A random person on the net is not going to learn about the SAGE Notebook from the current marketing information on the SAGE Notebook anonymous user home page but about SAGE. When people go to sagenb.com they are not using SAGE but the SAGE Notebook. The current marketing information does not tell anyone how SAGE Notebook might be useful and what its features are. OK, I agree that there should be some information there about the Notebook aspect of it. Any suggestions for a sentence or two, and what to replace? * The Published link should be in the top-right nav box with Home Log Help Sign out Why? Again, I'm just copying exactly what Google Documents already does with the location of Publish. People will be/get familiar with Google Documents, and when they use SAGE it will feel familiar, if I don't position things differently for no good reason. It would certainly save me time if I didn't have to hunt around for the link to the published worksheets. I misunderstood your comment because I was in a hurry. You're right -- there is no Published link in Google Documents -- since they have no analogue of viewing all user-published documents -- they aren't like a wiki. So I haven't figured out at all where would be best to put the Published link or even what is the best name for it. Your suggestion to put it in the very upper right spot is definitely better than what is currently done. Does anybody have any better ideas yet?
William
[sage-devel] Re: SAGE notebook 2
Looks great! I assume that the login and account stuff will all be configurable in the end. Can that be linked into unix authentication and kerberos tickets? I guess not. The browser probably doesn't have access to these things. It would be nice if I don't have to log in to sage to use it on my own machine, though, and still have some protection if it is a multi-user machine. (even on my desktop, other people in the network can log in in principle)

I did find a few things when I gave it a whirl. Use them to your liking. It's really impressive that you got something this functional in only a couple of days!

- Initially I found it hard to rename a worksheet. It's actually dead easy: click on the name. This was just not obvious to me from the start.
- Currently the Edit button does nothing and the Text button gives the edit environment. However, I have been unable to save my changes from edit mode. Should that be the save button?
- How and from where do I save and load objects?
- How and from where do I attach files?
- On the home page, I am called Me, but in the revisions page I am called by my login
- What is archive vs. active?
- Can I empty the trash?
- I was unable to import a saved worksheet from the old notebook
- I do not like the 2 pull-down menus on the left
- The third one (system) is great. I am afraid that currently it's a bit too minimalist, though. I think it needs to say system: [sage| magma|...]
- The new option there is particularly confusing. The entries in that menu all pertain to the current sheet, except this one. What's worse, it's the default one, so it is always showing!
- One/Multi Cell mode is a different thing from Interrupt/Evaluate all/Restart etc. You can't put those in the same menu.
- tab completion in systems other than sage is still largely broken (prefixes)
- search_doc is currently broken
- Can the output of search_doc be prettified? title of page/section rather than the filename, perhaps? You may need some logic/conventions to find a sensible title for every page.
- Help browser in the notebook needs a search box that interfaces to search_doc. (tree view on the side too?)
- You can actually copy help pages from the notebook and make them worksheets for yourself! That's really good! It breaks the links, though :-)
[sage-devel] Re: SAGE notebook 2
machine. (even on my desktop, other people in the network can log in in principle) You're right -- anybody could access the notebook even locally. That is already a serious security issue. Probably the best thing to do is make it so you have to login, but make it very easy to have the browser automatically remember your password, so you only log in once. How do I find out what a user's ip address is? Many if localhost identifies itself as 127.0.0.1 when contacting the notebook then maybe we could just solve this problem by restricting to that. It appears that when I go to https://localhost:8001 and make a worksheet I see the ip address 127.0.0.1 in the log, so I think we may be able to restrict access to localhost.
[sage-devel] Re: SAGE notebook 2
On 6/22/07, Nils Bruin [EMAIL PROTECTED] wrote: Looks great! I assume that the login and account stuff will all be configurable in the end. Can that be linked into unix authentication and kerberos tickets? I guess not. Yes, in theory, but it's probably not a good idea in practice, at least not until the whole thing is much more mature. The browser probably doesn't have access to these things. It would be nice if I don't have to log in to sage to use it on my own machine, though, and still have some protection if it is a multi-user There is a mode (secure=False) that does just that - machine. (even on my desktop, other people in the network can log in in principle) You're right -- anybody could access the notebook even locally. That is already a serious security issue. Probably the best thing to do is make it so you have to login, but make it very easy to have the browser automatically remember your password, so you only log in once. - Initially I found it hard to rename a worksheet. It's actually dead easy: click on the name. This was just not obvious to me from the start. Agreed. I copied this exactly from Google Documents. There is also a rename option in the menu on the left. - Currently the Edit button does nothing and the Text button gives the edit environment. However, I have been unable to save my changes from edit mode. Should that be the save button? You're confused about what edit and text do, because of prior experience with the previous SAGE Notebook. Edit switches to the mode where you interact with and edit the worksheet. Text switches to the mode where you edit the underlying plain text representation of a worksheet. This is again just copying basically what google docs does, except that they have Edit and HTML. - How and from where do I save and load objects? That's not implemented yet. - How and from where do I attach files? That's not implemented -- actually it's identical to before -- you just type attach filename. 
However, I want to add functionality for uploading files/objects/images, etc., to a data directory; then you can use all those things in any worksheet, and -- for files (e.g., .sage, .py, .spyx, etc.) you will be able to edit them with a nice javascript code editor. I think that's a better model than what was there before. - On the home page, I am called Me, but in the revisions page I am called by my login I was copying Google documents. They often abbreviate the username to Me in lists for brevity. For them, user names are email addresses, so often they are long. - What is archive vs. active? Exactly the same as in google documents. It's an excellent way to organize a collection of documents. Try google documents for more details, or just try it out. - Can I empty the trash? No, that's not implemented. - I was unable to import a saved worksheet from the old notebook I've implemented absolutely no backwards compatibility with the old notebook yet. - I do not like the 2 pull-down menus on the left What don't you like about them? - The third one (system) is great. I am afraid that currently it's a bit too minimalist, though. I think it needs to say system: [sage| magma|...] - The new option there is particularly confusing. The entries in that menu all pertain to the current sheet, except this one. What's worse, it's the default one, so it is always showing! Again, I just copied this from Google docs, except there they label that menu File. I will label those menus, File, Control, System In fact, those menus should all be done with javascript -- using a drop down was a quick hack to get it done -- I guess I've been much more concerned with the behind the scenes stuff than the fine styling. - One/Multi Cell mode is a different thing from Interrupt/Evaluate all/Restart etc. You can't put those in the same menu. I can if it's a different section of the menu separated by a horizontal line. 
Or I can just go back to a big single row of links across the top like before (which I rather liked). Any comments from people out there!? - tab completion in systems other than sage is still largely broken (prefixes) I know; I didn't do anything related to that sort of back end stuff. I still hope to do it though, but certainly not for the next release. - search_doc is currently broken Thanks -- I didn't know that. It's probably just that it formats the urls for the old format instead of the new one. This will be trivial to fix. I should, of course, make it a separate screen that just uses the gui. - Can the output of search_doc be prettified? title of page/section rather than the filename, perhaps? You may need some logic/conventions to find a sensible title for every page. Maybe. Alex Clemesha wrote a serious doc search thing that he showed me once, but he hasn't integrated it into SAGE yet. I was getting impatient so I spent exactly one hour to write the current search_doc
[sage-devel] Re: SAGE notebook 2
William wrote: I want to use this new notebook server in a class for high school students that I'm teaching next week, so I would be very grateful if people could try it out and report bugs or points about the design that they find very confusing. You can also report features you wish were there, but I'm not going

I really like the design of the new notebook. I think that having it model the google documents interface was an excellent idea. I played with the new notebook for a while and here are the issues I have noticed so far:

1) The buttons on the help page ( Tutorial, Reference Manual, etc. ) do not show roll-over help messages like the buttons in a worksheet do ( like Edit, Text, Revisions, etc. ).

2) When I am in a worksheet, my username ( tkosan ) is shown near the upper right corner of the screen, but when I select the Help link that is near my username, a help page is shown that has Timothy Clemans as the username.

3) In the Share page, if the Invite Collaborators button is selected, and no collaborators are listed in the collaborators text area, an internal server error message is returned. Perhaps a message which informs the user that at least one collaborator needs to be entered in the text area would be helpful.

Ted
[sage-devel] Re: SAGE notebook 2
How does one register to use it? Or does our sage.math login and password work?

On 6/21/07, William Stein [EMAIL PROTECTED] wrote: Hi, I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted. I'm sure there are *lots* of bugs in the notebook. I don't know of any in particular, but I wrote a lot of new code, so there are bound to be numerous issues. I want to use this new notebook server in a class for high school students that I'm teaching next week, so I would be very grateful if people could try it out and report bugs or points about the design that they find very confusing. You can also report features you wish were there, but I'm not going to implement anything new on the notebook myself for a while. By the way, the general document model greatly resembles Google Documents, as I'm sure will be clear once you try the notebook out. -- William

Important note -- I implemented a secure separate process model for the notebook. Unfortunately, ssh doesn't work at all in the chroot jail that the server runs in (Bobby -- why!? -- just create two new accounts with dumb passwords -- it isn't possible to ssh from one to the other), so I can't use it in the chroot jail yet. So it is trivial to vandalize the server... -- William Stein Associate Professor of Mathematics University of Washington http://www.williamstein.org
[sage-devel] Re: SAGE notebook 2
I was stupidly trying to use the login page to register. Do you think it is worth adding the words register, as in New users: Click here to register for the SAGE Notebook (instead of Sign up for the SAGE Notebook)? + On 6/21/07, William Stein [EMAIL PROTECTED] wrote: On 6/21/07, David Joyner [EMAIL PROTECTED] wrote: How does one register to use it? Or does our sage.math login and password work? It's simple -- like most online sites. Just click on the big link that says Sign up for the SAGE Notebook on the right hand side of the login screen. Then type in any login/password you want, and you'll immediately get an account. William
[sage-devel] Re: SAGE notebook 2
The following command seemed to kill the notebook process. os.system(kill -9 `ps -u server4 -o pid=`) I was unable to log in afterwards. Shouldn't the notebook process be restarted automatically? Regards, Michel
[sage-devel] Re: SAGE notebook 2
What the hell! Important note -- I implemented a secure separate process model for the notebook. Unfortunately, ssh doesn't work at all in the chroot jail that the server runs in (Bobby -- why!? -- just create two new accounts with dumb passwords -- it isn't possible to ssh from one to the other), so I can't use it in the chroot jail yet. So it is trivial to vandalize the server... Don't you understand that people such as me are trying to introduce themselves to the new notebook?

On 6/21/07, Michel [EMAIL PROTECTED] wrote: The following command seemed to kill the notebook process. os.system(kill -9 `ps -u server4 -o pid=`) I was unable to log in afterwards. Shouldn't the notebook process be restarted automatically? Regards, Michel
[sage-devel] Re: SAGE notebook 2
This is very nice William. There seems to be a lot of functionality already. Does collaboration work already? I'm very impressed that email verification works. It would be nice if the jsMath font warning were less disturbing (see http://www.math.union.edu/~dpvc/jsMath/authors/warnings.html). Do you know if this server will slow down like the last new one you put up? Apparently [EMAIL PROTECTED] killed the process so when it comes back up I will make some worksheets and publish them. Great job William!

On 6/21/07, William Stein [EMAIL PROTECTED] wrote: On 6/21/07, David Joyner [EMAIL PROTECTED] wrote: How does one register to use it? Or does our sage.math login and password work? It's simple -- like most online sites. Just click on the big link that says Sign up for the SAGE Notebook on the right hand side of the login screen. Then type in any login/password you want, and you'll immediately get an account. William
[sage-devel] Re: SAGE notebook 2
Sorry, Didn't read the note. I guess I hadn't understood that notebook processes running under a different user and ssh had anything to do with each other. I hope the new security model gets turned on soon! Michel

On Jun 21, 10:56 pm, Timothy Clemans [EMAIL PROTECTED] wrote: This is very nice William. There seems to be a lot of functionality already. Does collaboration work already? I'm very impressed that email verification works. It would be nice if the jsMath font warning were less disturbing (see http://www.math.union.edu/~dpvc/jsMath/authors/warnings.html). Do you know if this server will slow down like the last new one you put up? Apparently [EMAIL PROTECTED] killed the process so when it comes back up I will make some worksheets and publish them. Great job William!

On 6/21/07, William Stein [EMAIL PROTECTED] wrote: On 6/21/07, David Joyner [EMAIL PROTECTED] wrote: How does one register to use it? Or does our sage.math login and password work? It's simple -- like most online sites. Just click on the big link that says Sign up for the SAGE Notebook on the right hand side of the login screen. Then type in any login/password you want, and you'll immediately get an account. William
[sage-devel] Re: SAGE notebook 2
On 6/21/07, Michel [EMAIL PROTECTED] wrote: The following command seemed to kill the notebook process. os.system(kill -9 `ps -u server4 -o pid=`) I was unable to log in afterwards. Shouldn't the notebook process be restarted automatically?

To reiterate: I implemented a multi-user model, but I can not turn it on yet because ssh is not correctly configured in the chroot jail. So, as I said before, it is trivial to vandalize the server as you just demonstrated. And no -- it shouldn't restart automatically; what should happen is that any code you run is run as an entirely different user from the notebook user. Again, in the new model, which I implemented, the above command would have no effect. But for some reason ssh is misconfigured in the chroot jail so I can't turn on the run worksheet as a different user functionality yet. I didn't create the chroot jail in the first place, so I don't yet know why ssh is broken in it.

T Clemans wrote: There seems to be a lot of functionality already. Does collaboration work already?

Everything advertised in the interface is implemented. Again, I just wrote most of it in a massive coding binge during the last two days, so there are undoubtedly lots of bugs -- I would greatly appreciate lists of actual bugs or very confusing aspects to the interface. William
[sage-devel] Re: SAGE notebook 2
William Stein wrote: Hi, I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted. I'm sure there are *lots* of bugs in the notebook. I don't know of any in particular, but I wrote a lot of new code, so there are bound to be numerous issues.

I logged in, created a few things in a worksheet, and hit the Revisions button. It showed Revision 0 (Last Edited 2 minutes ago). I clicked on the Revision 0 link and got an error page with the address: https://sage.math.washington.edu:8102/home/jason/0/revisions?rev=1182466757.txt The text was: Internal Server Error An error occurred rendering the requested page. More information is available in the server log. This just happened a few seconds ago (so around 5:05PM MDT). Jason
[sage-devel] Re: SAGE notebook 2
William Stein wrote: Hi, I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here: https://sage.math.washington.edu:8102/ Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted. I'm sure there are *lots* of bugs in the notebook. I don't know of any in particular, but I wrote a lot of new code, so there are bound to be numerous issues. I want to use this new notebook server in a class for high school students that I'm teaching next week, so I would be very grateful if people could try it out and report bugs or points about the design that they find very confusing. You can also report features you wish were there, but I'm not going to implement anything new on the notebook myself for a while.

Here's something that I found confusing. It seems that in most of the interface, there are three dropdowns in the upper left corner. The first seems to be actions about the worksheet, the second for commands to sage, and the third specifying a program to be sending your stuff to (did I get that right?). However, I can't figure out how to get these selections to _do_ anything. I can select New, but there's no button to click and nothing happens. How do I do any of these actions? (like download, interrupt sage, etc.) The design looks fantastic. I think this may find a use in some of the classes I teach. I love the idea of collaboration and publishing that's implemented. Thanks, Jason
[sage-devel] Re: SAGE notebook 2
In Firefox in Windows I keep getting signed out and can't do much. This is not a problem for me with other web sites such as Gmail.

On 6/21/07, Jason Grout [EMAIL PROTECTED] wrote:
> William Stein wrote:
> > Hi,
> >
> > I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here:
> >
> > https://sage.math.washington.edu:8102/
> >
> > Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted.
> >
> > I'm sure there are *lots* of bugs in the notebook. I don't know of any in particular, but I wrote a lot of new code, so there are bound to be numerous issues. I want to use this new notebook server in a class for high school students that I'm teaching next week, so I would be very grateful if people could try it out and report bugs or points about the design that they find very confusing. You can also report features you wish were there, but I'm not going to implement anything new on the notebook myself for a while.
>
> Here's something that I found confusing. It seems that in most of the interface, there are three dropdowns in the upper left corner. The first seems to be actions about the worksheet, the second for commands to sage, and the third specifying a program to be sending your stuff to (did I get that right?). However, I can't figure out how to get these selections to _do_ anything. I can select New, but there's no button to click and nothing happens. How do I do any of these actions? (like download, interrupt sage, etc.)
>
> The design looks fantastic. I think this may find a use in some of the classes I teach. I love the idea of collaboration and publishing that's implemented.
>
> Thanks,
>
> Jason
[sage-devel] Re: SAGE notebook 2
On Jun 21, 2007, at 7:42 PM, Craig Citro wrote:
> > I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here:
> >
> > https://sage.math.washington.edu:8102/
> >
> > Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted.
>
> I just tried it in Firefox 2.0.0.4 on my G4 Powerbook, and I can't create a new worksheet. Every time I hit the button to create a new worksheet, I get brought right back to the login page. In fact, it seems to do exactly that for every button I hit.

That happened to me the first time I hit new worksheet (on safari), and I was going to report it, but I haven't been able to replicate it since.

david
[sage-devel] Re: SAGE notebook 2
On 6/21/07, Timothy Clemans [EMAIL PROTECTED] wrote:
> Overall Notebook 2 is very nice. Sorry about the collaboration thing; Michel killed the process before I could find out how to use it.
>
> Some thoughts
>
> * SAGE logo and text Mathematics Software should be replaced with one image that says SAGE Notebook such like Google Notebook doesn't have the Google logo but the Google Notebook logo

Actually, I was exactly copying what is in Google Documents right now -- if you view a document -- I even use the same font and color.

> * Marketing on the homepage should be for the SAGE Notebook and not SAGE

I disagree.

> * Should be a Remember option in the signin box

I wonder -- How does one implement remember? Is it an option to how cookies are set? Tom?

> * The Published link should be in the top-right nav box with Home Log Help Sign out

Why? Again, I'm just copying exactly what Google Documents already does with the location of Publish. People will be/get familiar with Google Documents, and when they use SAGE it will feel familiar, if I don't position things differently for no good reason.

> I'll start working on implementing the HTML templating that I discussed at days4 after I get used to the notebook.

Bobby Moretti did some work on this using the same package already. Apply all the patches and look, e.g., at SAGE_ROOT/data/extcode/notebook/templates

Thanks for your feedback! Generally speaking, I hope people will enumerate bugs and serious confusion with the interface.

-- william
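The "Remember" question in the message above comes down to cookie lifetime: a cookie sent without Max-Age or Expires is dropped when the browser closes, while one with Max-Age persists. The Python below is an added example, not part of the thread and not the notebook's own code; the cookie name, both lifetimes, the sample usernames and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "nb_session"            # hypothetical cookie name
SESSION_SECONDS = 3600                # assumed server-side lifetime, no "Remember"
REMEMBER_SECONDS = 14 * 24 * 3600     # assumed lifetime with "Remember" ticked

# sha256(token) -> (username, expires_at); stand-in for a server-side table.
# Only the hash is stored, so a leaked table does not yield usable cookies.
_sessions = {}


def login_cookie(username, remember, now=None):
    """Issue a token and return the Set-Cookie value for a successful sign-in."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    lifetime = REMEMBER_SECONDS if remember else SESSION_SECONDS
    _sessions[hashlib.sha256(token.encode()).hexdigest()] = (username, now + lifetime)

    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["secure"] = True       # only sent over https
    morsel["httponly"] = True     # keep the token away from page scripts
    morsel["samesite"] = "Lax"    # requires Python 3.8+
    if remember:
        # Max-Age makes the cookie persistent; without it the browser
        # discards the cookie when it closes (a session cookie).
        morsel["max-age"] = REMEMBER_SECONDS
    return morsel.OutputString()


def user_for_cookie(cookie_header, now=None):
    """Map a request's Cookie header to a username, or None if invalid/expired."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if COOKIE_NAME not in cookie:
        return None
    digest = hashlib.sha256(cookie[COOKIE_NAME].value.encode()).hexdigest()
    username, expires_at = _sessions.get(digest, (None, 0))
    if username is None or expires_at < now:
        _sessions.pop(digest, None)   # the server enforces expiry, not the browser
        return None
    return username
```

The server-side expiry check matters because Max-Age is only a hint to the browser; a copied cookie would otherwise stay valid indefinitely.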
[sage-devel] Re: SAGE notebook 2
On 6/21/07, Jason Grout [EMAIL PROTECTED] wrote:
> I logged in, created a few things in a worksheet, and hit the Revisions button. It showed Revision 0 (Last Edited 2 minutes ago). I clicked on the Revision 0 link and got an error page with the address:
>
> https://sage.math.washington.edu:8102/home/jason/0/revisions?rev=1182466757.txt
>
> The text was:
>
> Internal Server Error
> An error occurred rendering the requested page. More information is available in the server log.

I had forgotten to create the notebook account that is used for rendering the revisions. I just did that, restarted the server, and now revisions should work for you.

Nice worksheets, by the way.

William
[sage-devel] Re: SAGE notebook 2
On 6/21/07, Craig Citro [EMAIL PROTECTED] wrote:
> > I spent the last 3 days synthesizing the ideas from the workshop and writing a lot of code and have put together the first version of the SAGE Notebook 2. I've posted a server running it here:
> >
> > https://sage.math.washington.edu:8102/
> >
> > Unless anybody *else* wants to put a lot of hard work into this now, it is in feature freeze. I implemented the minimum of what I really wanted.
>
> I just tried it in Firefox 2.0.0.4 on my G4 Powerbook, and I can't create a new worksheet. Every time I hit the button to create a new worksheet, I get brought right back to the login page. In fact, it seems to do exactly that for every button I hit.
>
> I do like the design of the pages I've seen, though. :)

This means that cookies are not being correctly set by the notebook in your browser. Try clearing your cookie cache and restarting the notebook, or using safari (which mostly works).

William