Opened 11 years ago

Closed 7 years ago

#12902 closed defect (wontfix)

Security in Notebook

Reported by: Jorge Catumba
Owned by: jason, mpatel, was
Priority: trivial
Milestone: sage-duplicate/invalid/wontfix
Component: notebook
Keywords: security
Cc: Volker Braun
Merged in:
Authors:
Reviewers: Jeroen Demeyer
Report Upstream: N/A
Work issues:
Branch:
Commit:
Dependencies:
Stopgaps:

Description

Hi, recently I've been writing a web interface to use Matlab on a server and I've realized the security issues in that kind of project. Out of curiosity I executed the command

unix('ls -al')

in the Sage Notebook at http://www.sagenb.org using the optional Scilab and I could see all files not only in the current directory but on the whole machine. This worries me because it is a serious security breach.

Regards

Attachments (1)

sage.png (138.8 KB) - added by Jorge Catumba 11 years ago.
Screencap of the problem

Change History (5)

Changed 11 years ago by Jorge Catumba

Attachment: sage.png added

Screencap of the problem

comment:1 Changed 11 years ago by Nils Bruin

Milestone: sage-5.1 → sage-duplicate/invalid/wontfix
Priority: critical → trivial

It's a feature (on sagenb.org):

%sh
whoami
pwd
echo $HOME
/tmp/tmpaHCfFv
sagenbws
/tmp/tmpaHCfFv
/sagenb/sagenbws

It is important to realize that once someone logs in to a Sage notebook server, the person essentially has shell access to the machine, with the permissions associated with the UID that is configured to run the worker process for the worksheet. It is up to the notebook administrator to use the standard Unix permission management tools to lock down that UID to a degree acceptable for the purpose.

It's tricky to do this correctly, because exposing shell access to a machine provides such a large attack surface that it is difficult to protect it appropriately. One way to mitigate the problem is by running the worker processes in a dedicated virtual machine. That contains the consequences a bit:

http://wiki.sagemath.org/SageAppliance

Setting up servers:

http://wiki.sagemath.org/DanDrake/JustEnoughSageServer

http://wiki.sagemath.org/SageServer

If you don't trust people accessing your machine, don't run a notebook server on it that gives them access.

If your web interface is going to be globally accessible, I suspect that running it will not be in accordance with your Matlab license, by the way.
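
An added example, not part of the ticket and not Sage or sagenb code: one way an administrator could audit what a locked-down worker UID can still reach, using only the classic owner/group/other mode bits that comment:1 refers to. The function names, the sample tree and the worker uid are constructed for illustration; ACLs, capabilities and root are not modelled.

```python
import os
import stat
import tempfile

def class_bits(mode, st_uid, st_gid, uid, gids):
    """rwx bits (0-7) for uid: the first matching class (owner, group, other) decides."""
    if uid == st_uid:
        return (mode >> 6) & 7
    if st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(root, uid, gids, home):
    """Return (path, flags) for files outside home that uid can read or write, and
    directories it can write. Directories it cannot search (no x bit) are pruned."""
    home, findings = os.path.realpath(home), []
    for dirpath, dirnames, filenames in os.walk(root):
        searchable = []
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not used for access checks
            bits = class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            is_dir = stat.S_ISDIR(st.st_mode)
            if is_dir and bits & 1:
                searchable.append(name)
            if (os.path.realpath(path) + os.sep).startswith(home + os.sep):
                continue  # the worker's own area is expected to be accessible
            flags = ("r" if bits & 4 and not is_dir else "") + ("w" if bits & 2 else "")
            if flags:
                findings.append((os.path.relpath(path, root), flags))
        dirnames[:] = searchable  # os.walk descends only into what is left
    return findings

def demo():
    """Constructed tree standing in for a notebook host. The worker uid
    (os.getuid() + 1) is hypothetical: it owns none of the files."""
    files = {"home/worker/cell.py": 0o600, "etc/app.conf": 0o644, "etc/secret.key": 0o600,
             "srv/shared.db": 0o666, "private/notes.txt": 0o644}
    dirs = {"home": 0o755, "home/worker": 0o755, "etc": 0o755, "srv": 0o755, "private": 0o700}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(root, rel), mode)
        return audit(root, os.getuid() + 1, set(), os.path.join(root, "home/worker"))
```

In the constructed tree, `private/notes.txt` is mode 0644 yet is not reported, because its parent directory is 0700 and the worker cannot search it.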

comment:2 Changed 7 years ago by Jori Mäntysalo

Cc: Volker Braun added
Status: new → needs_review

Volker, I suppose that this can be closed as wontfix.

comment:3 Changed 7 years ago by Jeroen Demeyer

Reviewers: Jeroen Demeyer
Status: needs_review → positive_review

If you don't want other people to access your machine, don't use sagenb.

comment:4 Changed 7 years ago by Volker Braun

Resolution: wontfix
Status: positive_review → closed