> Actually, I'd be fine with people having to wait after registering until
> their registration is approved by a person (e.g., me). I mean, giving
> people 100% shell access for free to a powerful computer running
> a lot of software is something worth waiting an hour for. The same
> would likel
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually
> creating a UNIX user per notebook user? This way we wouldn't have to fiddle
> with permissions but everything is secured by the trustworthy UNIX user
> model?
+1
On 6/27/07, Nils Bruin <[EMAIL PROTECTED]> wrote:
> > I'm a little worried about creating new accounts for each user, just because
> > that means the Notebook server has to have the ability to create new
> > accounts,
> > which is probably a pretty serious ability to have. But I suppose sudo
>
On Jun 27, 1:57 pm, "William Stein" <[EMAIL PROTECTED]> wrote:
> I'm a little worried about creating new accounts for each user, just because
> that means the Notebook server has to have the ability to create new accounts,
> which is probably a pretty serious ability to have. But I suppose sudo
On 6/27/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> Why is there the limitation of 30 (or 900, 1, or $n$)? How about actually
> creating a UNIX user per notebook user? This way we wouldn't have to fiddle
> with permissions but everything is secured by the trustworthy UNIX user
> model?
>
> No, you're right, sort of. You haven't vandalized it, you've denial of
> serviced it temporarily, in that everybody else's sessions will be
> automatically restarted. I should probably map each user to
> a single one of those 30 login names, so they can at most ever
> vandalize 1/30 of the o
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
> wrote:
> > The turning off net access altogether for notebook users is not a
> > good idea, because there is database stuff in SAGE that uses web sites
> > such as Sloane's database.
>
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
>
> After some deliberation I think that the issues I pointed out
> in my last mail have not much
> to do with the notebook but rather with the implementation of
> the chroot jail. The only genuine issue is that the notebook server
> should not create
On 6/27/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> We cannot rely on DoS prevention systems elsewhere; if the notebook is used for
> a denial of service attack, it is William's responsibility.
>
> Thus, I vote for a heavily firewalled chroot:
> * do all the anti-spoof, packet scrubbing stuff
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
> wrote:
> > The turning off net access altogether for notebook users is not a
> > good idea, because there is database stuff in SAGE that uses web sites
> > such as Sloane's database.
>
On Jun 27, 11:24 am, "Timothy Clemans" <[EMAIL PROTECTED]>
wrote:
> The turning off net access altogether for notebook users is not a
> good idea, because there is database stuff in SAGE that uses web sites
> such as Sloane's database.
Good point! But the firewall could be configured to al
On Wednesday 27 June 2007 11:24, Timothy Clemans wrote:
> The turning off net access altogether for notebook users is not a
> good idea, because there is database stuff in SAGE that uses web sites
> such as Sloane's database. There is a lot of detection software out
> there, so I don't think
After some deliberation I think that the issues I pointed out
in my last mail have not much
to do with the notebook but rather with the implementation of
the chroot jail. The only genuine issue is that the notebook server
should not create world readable files.
And if I read Timothy's code correc
Someone or something just broke SAGE Notebook 8102. I'm getting
"Internal Server Error" on all worksheets in multiple accounts except
for the public ones. I've been up all trying to end the game for all
the other sage unix users.
On 6/27/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
> The turnin
The turning off net access altogether for notebook users is not a
good idea, because there is database stuff in SAGE that uses web sites
such as Sloane's database. There is a lot of detection software out
there, so I don't think net access needs to be stopped altogether.
On 6/27/07, Michel <
So far everything looks good. For serious testing one would need the
source
of the notebook.
Here are some points.
(1) Practically the whole (chroot)filesystem seems to be readable for
the notebook users.
(a) I could even read a backup file of /etc/shadow (/etc/shadow-).
(b) I could look at oth
I changed my code to the following and got no errors just 0 on one
line then 5 then 0 then 5:
import re
import pexpect
import os
for h in range(1,31):
    pipe = os.popen('{ ' + 'whoami' + '; } 2>&1', 'r')
    m = pipe.read()
    sts = pipe.close()
    if str(h) != m:
        child = pexpect.spawn('su
I tried killing all the other SAGE processes.
import re
import pexpect
import os
for h in range(1,31):
    if h != 19:
        child = pexpect.spawn('su sage%d' % h)
        child.expect('Password:')
        child.sendline('sage')
        pipe = os.popen('{ ' + 'ps' + '; } 2>&1', 'r')
        g =
So the notebook processes are executing the actual sage commands?
What is then the "notebook server"? Is it just the webserver?
This seems indeed quite secure provided the server never executes code
somehow
under control of the user.
Note: I still think notebook processes should be restarted
au
On 6/27/07, Michel <[EMAIL PROTECTED]> wrote:
> Doing
>
> sage: import os
> sage: os.system('whoami')
> sage10
> sage: os.system("kill -9 `ps -u sage10 -o pid=`")
>
> still seemed to throw me out.
>
> Connection to localhost closed by remote host.
> Connection to localhost closed.
>
> Is that expe
Doing
sage: import os
sage: os.system('whoami')
sage10
sage: os.system("kill -9 `ps -u sage10 -o pid=`")
still seemed to throw me out.
Connection to localhost closed by remote host.
Connection to localhost closed.
Is that expected? Logging out and in again did not seem to restore
my connection
Hi,
SUMMARY: I've made the public SAGE notebook servers
nontrivial to seriously vandalize or kill... I hope. Try to
crack them (especially https://sage.math.washington.edu:8102).
DETAILS:
For the first time in history I've finally set up a first
not totally-insanely-trivial-to-vandalize server
That is not an example of XSS in the notebook. That's an example of you
passing garbage into the notebook, and getting garbage back. XSS is where
Martin puts malicious javascript into a published worksheet, and steals all
your cookies. This is a known vulnerability. Keep looking... and mayb
An example of XSS in the notebook is that someone could make an
account name that has html and javascript (I know this works with my
copy of the notebook) and then just publish worksheets. For example on
a local notebook I made an account called mark and then
forced a failed login page for invalid
Hi,
I am getting some funny errors now on the new notebook. In fact, the
first thing I tried failed, defining the following ring:
R7grev. = MPolynomialRing(QQ,7,order =
"degrevlex")
gives the errors:
./t: line 2: syntax error near unexpected token `('
./t: line 2: `R7grev. =
MPolynomialRing(Q
Hi,
I fixed a number of issues with the notebook (see changelog below) and
just made the changed version live. If you're closely following this thread,
please let me know if anything seems seriously broken as a result (I'm suffering
from the lack of a unit testing framework for the notebook -- h
> In fact, I would much prefer choosing a 3rd party project for indexing
> html docs and including it in SAGE to writing our own, since maintenance
> will be easier, and the quality will steadily improve with no work on
> our part. Any ideas or suggestions??
I agree. I won't volunteer for this
On 6/25/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> > No plans. Could you make some plans?
> >
> > This is only an issue when the notebook users are completely random
> > and open. I believe that in the long run most
> > notebook usage will be by users who are trusted and have specifically
> > Some very minor issues, IMHO:
> > * I assume 4.0 is the highest rating? As I start counting at zero I would
> > like to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is
> > something, 0.0 is crap.
>
> I can add that. I was thinking of also adding a comment field, so you can
> explai
On 6/25/07, Martin Albrecht <[EMAIL PROTECTED]> wrote:
> first of all: The new notebook is just amazing, congratulations to everybody
> involved, it rocks.
>
> Some very minor issues, IMHO:
> * I assume 4.0 is the highest rating? As I start counting at zero I would like
> to rate a notebook with 0
On 6/23/07, Nick Alexander <[EMAIL PROTECTED]> wrote:
> > Maybe. Alex Clemesha wrote a serious doc search thing that
> > he showed me once, but he hasn't integrated it into SAGE yet.
> > I was getting impatient so I spent exactly one hour to write
> > the current "search_doc" function, since it's
Hi there,
first of all: The new notebook is just amazing, congratulations to everybody
involved, it rocks.
Some very minor issues, IMHO:
* I assume 4.0 is the highest rating? As I start counting at zero I would like
to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is something, 0.0
>> - Can the output of search_doc be prettified? title of page/section
>> rather than the filename, perhaps? You may need some logic/conventions
>> to find a sensible title for every page.
>
> Maybe. Alex Clemesha wrote a serious doc search thing that
> he showed me once, but he hasn't integrate
Hamptonio <[EMAIL PROTECTED]> writes:
> Nils Bruin has addressed most of the points I was going to make, but I
> did notice one minor thing in testing the new notebook - it actually
> affects the old one too:
>
> If you have a comment with a question mark, the question mark gets
> parsed by the h
On Jun 21, 2007, at 10:52 , William Stein wrote:
> I spent the last 3 days synthesizing the ideas from the workshop
> and writing
> a lot of code and have put together the first version of the "SAGE
> Notebook 2".
> I've posted a server running it here:
>
>https://sage.math.washi
It looks nice. Here are some minor things:
Typo: This document was published using SAGE. Browser other published
documents.
Probably "Browser" should be "browse".
There might be a sizing problem for the header bar that appears when
you edit as plain text. It is mostly obscured underneath the p
Nils Bruin has addressed most of the points I was going to make, but I
did notice one minor thing in testing the new notebook - it actually
affects the old one too:
If you have a comment with a question mark, the question mark gets
parsed by the help system. I consider this undesirable behavior.
William wrote:
>I want to use this new notebook server in a class for high school
>students that I'm teaching next week, so I would be very grateful if
>people could try it out and report bugs or points about the design
>that they find very confusing. You can also report features you wish
>were
> > machine. (even on my desktop, other people in the network can log in
> > in principle)
>
> You're right -- anybody could access the notebook even locally.
> That is already a serious security issue. Probably the best thing
> to do is make it so you have to login, but make it very easy
> to hav
On 6/22/07, Nils Bruin <[EMAIL PROTECTED]> wrote:
> Looks great! I assume that the login and account stuff will all be
> configurable in the end.
> Can that be linked into unix authentication and kerberos tickets? I
> guess not.
Yes, in theory, but it's probably not a good idea in practice,
at le
Looks great! I assume that the login and account stuff will all be
configurable in the end.
Can that be linked into unix authentication and kerberos tickets? I
guess not. The browser probably doesn't have access to these things.
It would be nice if I don't have to log in to sage to use it on my o
William Stein wrote:
> Hi,
>
> I spent the last 3 days synthesizing the ideas from the workshop and writing
> a lot of code and have put together the first version of the "SAGE Notebook
> 2".
> I've posted a server running it here:
>
>https://sage.math.washington.edu:8102/
>
> Unle
On 6/22/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
> > Actually, I was exactly copying what is in Google Documents
> > right now -- if you view a document -- I even use the same
> > font and color.
>
> My suggestion would make the two look even similar. Simply take the SAGE
> logo and add the
I logged in as 00998 on another machine and went to the help page and see
that too and I too can not go to my worksheet list by clicking on home at
the top.
On 6/21/07, Michel <[EMAIL PROTECTED]> wrote:
>
>
> The new notebook looks very good.
>
> Here is another quirk. I pressed "help" in a worksh
The new notebook looks very good.
Here is another quirk. I pressed "help" in a worksheet and as expected
got to the help page. However my name was given as "Timoty Clemans"!
More importantly it is quite unclear to me how to go back from the
help
page to the worksheet!
Michel
On Jun 22, 7:51 a
I often select the content of a cell and press backspace to delete it.
In the new notebook it seems to throw me out of the notebook
(it sometimes works though). Quite bizarre.
This is firefox 1.0.4 on FC4.
Michel
On Jun 22, 5:36 am, "William Stein" <[EMAIL PROTECTED]> wrote:
> On 6/21/07, Crai
On 6/21/07, Craig Citro <[EMAIL PROTECTED]> wrote:
>
> > I spent the last 3 days synthesizing the ideas from the workshop
> > and writing
> > a lot of code and have put together the first version of the "SAGE
> > Notebook 2".
> > I've posted a server running it here:
> >
> >https://sag
On 6/21/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
> In Firefox in Windows I keep getting signed out and can't do much. This is
> not a problem for me with other web sites such as Gmail.
This is probably a cookies issue. I should emphasize that I did
no testing yet of the new notebook in any
On 6/21/07, Jason Grout <[EMAIL PROTECTED]> wrote:
> Here's something that I found confusing. It seems that in most of the
> interface, there are three dropdowns in the upper left corner. The
> first seems to be actions about the worksheet, the second for commands
> to sage, and the third specif
On 6/21/07, Jason Grout <[EMAIL PROTECTED]> wrote:
> I logged in, created a few things in a worksheet, and hit the Revisions
> button. It showed "Revision 0 (Last Edited 2 minutes ago)". I clicked
> on the "Revision 0" link and got an error page with the address:
> https://sage.math.washington.e
On 6/21/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
> Overall Notebook 2 is very nice. Sorry about the collaboration thing; Michel
> killed the process before I could find out how to use it.
>
> Some thoughts
> * SAGE logo and text "Mathematics Software" should be replaced with one
> image that
On Jun 21, 2007, at 7:42 PM, Craig Citro wrote:
>
>> I spent the last 3 days synthesizing the ideas from the workshop
>> and writing
>> a lot of code and have put together the first version of the "SAGE
>> Notebook 2".
>> I've posted a server running it here:
>>
>>https://sage.math.w
> I spent the last 3 days synthesizing the ideas from the workshop
> and writing
> a lot of code and have put together the first version of the "SAGE
> Notebook 2".
> I've posted a server running it here:
>
>https://sage.math.washington.edu:8102/
>
> Unless anybody *else* wants to
In Firefox in Windows I keep getting signed out and can't do much. This is
not a problem for me with other web sites such as Gmail.
On 6/21/07, Jason Grout <[EMAIL PROTECTED]> wrote:
>
>
> William Stein wrote:
> > Hi,
> >
> > I spent the last 3 days synthesizing the ideas from the workshop and
> w
William Stein wrote:
> Hi,
>
> I spent the last 3 days synthesizing the ideas from the workshop and writing
> a lot of code and have put together the first version of the "SAGE Notebook
> 2".
> I've posted a server running it here:
>
>https://sage.math.washington.edu:8102/
>
> Unle
On 6/21/07, Michel <[EMAIL PROTECTED]> wrote:
>
> The following command seemed to kill the notebook process.
>
> os.system("kill -9 `ps -u server4 -o pid=`")
>
> I was unable to log in afterwards. Shouldn't the notebook process
> be restarted automatically?
To reiterate:
I implemented a multi
Sorry,
Didn't read the note. I guess I hadn't understood that notebook
processes running under a different user and ssh had anything
to do with each other. I hope the new security model gets
turned on soon!
Michel
On Jun 21, 10:56 pm, "Timothy Clemans" <[EMAIL PROTECTED]>
wrote:
> This is very
This is very nice William. There seems to be a lot of functionality already.
Does collaboration work already? I'm very impressed that email verification
works. It would be nice if the jsMath font warning were less disturbing (see
http://www.math.union.edu/~dpvc/jsMath/authors/warnings.html). Do you
What the hell! "Important note -- I implemented a secure separate process
model for
the notebook. Unfortunately, ssh doesn't work at all in the chroot jail
that the server runs in (Bobby -- why!? -- just create two new accounts
with dumb passwords -- it isn't possible to ssh from one to the other
The following command seemed to kill the notebook process.
os.system("kill -9 `ps -u server4 -o pid=`")
I was unable to log in afterwards. Shouldn't the notebook process
be restarted automatically?
Regards,
Michel
I was stupidly trying to use the login page to register.
Do you think it is worth adding the words "register", as in
"New users: Click here to register for the SAGE Notebook" (instead
of "Sign up for the SAGE Notebook")?
+
On 6/21/07, William Stein <[EMAIL PROTECTED]>
On 6/21/07, David Joyner <[EMAIL PROTECTED]> wrote:
>
> How does one register to use it? Or does our sage.math login
> and password work?
>
It's simple -- like most online sites. Just click on the big
link that says "Sign up for the SAGE Notebook"
on the right hand side of the login screen. The
How does one register to use it? Or does our sage.math login
and password work?
On 6/21/07, William Stein <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I spent the last 3 days synthesizing the ideas from the workshop and writing
> a lot of code and have put together the first version of the "SAGE Note