[sage-support] Re: Secure Sage Server
On Wed, 24 Sep 2008 at 09:24AM -0500, Jason Grout wrote: > In case virtualbox is your preference, I have almost finished a > virtualbox image which tries to mirror the current vmware image too, but > is based on ubuntu jeos and is a little more locked down (e.g., no > default ssh server is running). I just set up a VirtualBox Sage server using JeOS this morning! It was pretty easy and works really well (so far). I did set up an ssh server and some other stuff, though. I'll write up what I did and post it soon. Dan -- --- Dan Drake <[EMAIL PROTECTED]> - KAIST Department of Mathematical Sciences --- http://math.kaist.ac.kr/~drake signature.asc Description: Digital signature
[sage-support] Re: Secure Sage Server
mabshoff wrote: > On Sep 24, 12:22 am, Maike <[EMAIL PROTECTED]> wrote: > > Hi Maike, > >> We'd like to set up a sage server allowing different users to see, >> copy and edit our published worksheets. However, this allows users to >> execute arbitrary system calls, e.g.> os.popen("ps auxw").read() > > Yes, any account on a Notebook server hands the user a shell, so you > either trust them or you secure the server itself. > >> The formatting of the output is not perfect, but still, this is a >> problem! >> >> I'd be grateful for any suggestions on how to set up a SECURE sage >> server. If this has been covered elsewhere, just post the link... > > There are a couple possibilities: > > a) a chroot jail > b) a VMWare image (or some other kind of virtualization) > c) SELinux, potentially in combination with (a) > > None of the above is simple and securing a server so that it runs with > SELinux is difficult. There is no documentation on how to do this yet. > I would favor (b), frequent backups of the Sage notebook data and some > intrusion detection system in the notebook in addition to keeping > kernel and all the other components current to avoid break ins. Since > you are running a VMware image it is easily resettable and the > likelyhood of breaking out of the VMWare image is relatively small. So > should you have somebody break into your box it is much easier to > reset an image than the server. If you come up with something we would > definitely like to hear about it. > In case virtualbox is your preference, I have almost finished a virtualbox image which tries to mirror the current vmware image too, but is based on ubuntu jeos and is a little more locked down (e.g., no default ssh server is running). Thanks, Jason --~--~-~--~~~---~--~~ To post to this group, send email to sage-support@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-support URLs: http://www.sagemath.org -~--~~~~--~~--~--~---
[sage-support] Re: Secure Sage Server
On Sep 24, 12:22 am, Maike <[EMAIL PROTECTED]> wrote: Hi Maike, > We'd like to set up a sage server allowing different users to see, > copy and edit our published worksheets. However, this allows users to > execute arbitrary system calls, e.g.> os.popen("ps auxw").read() Yes, any account on a Notebook server hands the user a shell, so you either trust them or you secure the server itself. > The formatting of the output is not perfect, but still, this is a > problem! > > I'd be grateful for any suggestions on how to set up a SECURE sage > server. If this has been covered elsewhere, just post the link... There are a couple possibilities: a) a chroot jail b) a VMWare image (or some other kind of virtualization) c) SELinux, potentially in combination with (a) None of the above is simple and securing a server so that it runs with SELinux is difficult. There is no documentation on how to do this yet. I would favor (b), frequent backups of the Sage notebook data and some intrusion detection system in the notebook in addition to keeping kernel and all the other components current to avoid break ins. Since you are running a VMware image it is easily resettable and the likelyhood of breaking out of the VMWare image is relatively small. So should you have somebody break into your box it is much easier to reset an image than the server. If you come up with something we would definitely like to hear about it. > Thanks! > > Maike Cheers, Michael --~--~-~--~~~---~--~~ To post to this group, send email to sage-support@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-support URLs: http://www.sagemath.org -~--~~~~--~~--~--~---