Notebook: How to prevent that users can access cell content of other users?

asked 2014-12-23 15:30:31 +0100

alex gravatar image

I set up a Sage Notebook server which is going to be accessible by multiple users, but I have problems securing it. I am using version 6.4.1.

I invoke the notebook() command with the server_pool=[...] setting, and the $HOME/.sage directory of the user which starts the sage notebook (as well as for the users specified in server_pool) has permissions 700, so it is impossible for users to directly access the worksheets of other users.

However when I do cat /tmp/*/*.py in the notebook (after setting language to "sh" of course), I get some cell contents of other users. Those files in /tmp belong to the main sage user, and have permissions rw-r--r--.

I already tried setting umask to 077 before invoking the sage notebook, but when I do so, the notebook does not work at all (it starts, but all commands I enter in cells seem to take an infinite amount of time).

Is there a way to secure the sage notebook, such that it is impossible for one user to see any part of worksheets of other users?

edit retag flag offensive close merge delete

Comments

I've reported this upstream at https://github.com/sagemath/sagenb/is... Unfortunately, I don't have a good immediate solution.

kcrisman gravatar imagekcrisman ( 2014-12-24 03:48:02 +0100 )edit