Ticket #12902 (new defect)
Security in Notebook
| Reported by: | jcatumba | Owned by: | jason, mpatel, was |
|---|---|---|---|
| Priority: | trivial | Milestone: | sage-duplicate/invalid/wontfix |
| Component: | notebook | Keywords: | security |
| Cc: | | Work issues: | |
| Report Upstream: | N/A | Reviewers: | |
| Authors: | | Merged in: | |
| Dependencies: | | Stopgaps: | |
Description
Hi, recently I've been writing a web interface to use Matlab on a server and I've realized the security issues with that kind of project. Out of curiosity I executed the command
unix('ls -al')
in the Sage Notebook at http://www.sagenb.org using the optional Scilab and I could see all files not only in the current directory but in the whole machine. This worries me because it is a serious security breach.
Regards
Attachments
Change History
comment:1 Changed 13 months ago by nbruin
- Priority changed from critical to trivial
- Milestone changed from sage-5.1 to sage-duplicate/invalid/wontfix
It's a feature (on sagenb.org):
%sh
whoami
pwd
echo $HOME

/tmp/tmpaHCfFv
sagenbws
/tmp/tmpaHCfFv
/sagenb/sagenbws
It is important to realize that once someone logs in to a sage notebook server, the person essentially has shell access to the machine, with the permissions associated with the UID that is configured to run the worker process for the worksheet. It is up to the notebook administrator to use the standard unix permission management tools to lock down that UID to a degree acceptable for the purpose.
It's tricky to do this correctly, because exposing shell access to a machine provides such a large attack surface that it is difficult to protect it appropriately. One way to mitigate the problem is by running the worker processes in a dedicated virtual machine. That contains the consequences a bit:
http://wiki.sagemath.org/SageAppliance
Setting up servers:
http://wiki.sagemath.org/DanDrake/JustEnoughSageServer
http://wiki.sagemath.org/SageServer
If you don't trust people accessing your machine, don't run a notebook server on it that gives them access.
If your web interface is going to be globally accessible, I suspect that running it will not be in accordance with your Matlab license, by the way.
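
One way to check how far the worker UID has been locked down, as comment:1 advises, is to list what the "other" permission class can reach under a directory. This is an added example, not part of the ticket or of Sage; the function names and the sample tree are constructed for illustration, and it assumes the worker account owns none of the files and belongs to none of their groups.

```shell
#!/bin/sh
# Added example (not from the ticket): static audit of what an account that
# owns nothing under ROOT, and is in none of the owning groups, can reach.
# Assumption: the worksheet worker UID is such an account, so only the
# "other" permission bits apply. ACLs and the parents of ROOT are not checked.

# Regular files "other" can read. A directory without o+x is pruned, because
# nothing beneath it is reachable whatever mode the files themselves carry.
reachable_readable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print \
        2>/dev/null | LC_ALL=C sort
}

# Regular files "other" can modify, plus directories where "other" can
# create or delete entries (o+w without the sticky bit).
reachable_writable() {
    find "$1" -type d ! -perm -001 -prune -o \
        \( -type f -perm -002 -print \) -o \
        \( -type d -perm -002 ! -perm -1000 -print \) \
        2>/dev/null | LC_ALL=C sort
}

# Constructed sample tree for a dry run: one open directory, one locked down.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/pub" "$t/priv"
    echo notes  > "$t/pub/notes.txt";   chmod 644 "$t/pub/notes.txt"
    echo key    > "$t/pub/secret.key";  chmod 600 "$t/pub/secret.key"
    echo shared > "$t/pub/shared.txt";  chmod 666 "$t/pub/shared.txt"
    echo hidden > "$t/priv/hidden.txt"; chmod 644 "$t/priv/hidden.txt"
    chmod 755 "$t" "$t/pub"; chmod 700 "$t/priv"
    echo "$t"
}

audit() {
    echo "readable by other:"; reachable_readable "$1" | sed 's/^/  /'
    echo "writable by other:"; reachable_writable "$1" | sed 's/^/  /'
}

# Usage: sh audit.sh /some/dir   (without an argument only the functions load)
if [ $# -gt 0 ] && [ -d "$1" ]; then audit "$1"; fi
```

In the sample tree, `priv/hidden.txt` has mode 644 but is not reported, because its parent directory is mode 700; restricting a directory is enough to hide everything under it from the worker UID.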


Screencap of the problem