Ask Your Question
4

Overview of security and memory management?

asked 2012-01-23 04:10:48 -0500

stef gravatar image

Hi all,

I've been looking around the documentation for an explanation of how Sage is able to sandbox user code to prevent unauthorized access to the system the platform is being hosted on. Given that Sage Notebook is deployed in production on a public server, how does the platform isolate user environments/worksheets? Furthermore, how does Sage manage memory on a per-worksheet basis?

I'd appreciate any insight from those who have deployed Sage in a production environment, either internal or external to an organization. +5 pts if you have a sys admin background!

Thanks!

(For what it's worth, I've been going through the thesis titled "Securing the Sage Notebook", but I'd also like some more practical input. I'll be scrounging through the dev discussion threads for an answer as well and will follow up if I come across any good explanations.)

edit retag flag offensive close merge delete

Comments

I think this is a very interesting question. Setting up a secure sage server seemed always like an advanced sysadmin task to me, especially since the OS commands are available via python. So I figured the best setup would be a preconfigured Virtual Machine which includes such a server. Using the wikki instructions from Jason Grout I created such an image, but I am still not sure about the security implications (e.g. in a school network) - Info & Download of the Server image: http://boxen.math.washington.edu/home/emil/doc/html/en/relase-notes-slvms-b.htm.htm - Maybe you can use the VM image for some practical experiments ...

Emil Widmann gravatar imageEmil Widmann ( 2012-01-24 10:51:59 -0500 )edit

2 answers

Sort by ยป oldest newest most voted
3

answered 2012-01-23 06:33:04 -0500

Jason Grout gravatar image

updated 2012-01-23 06:33:43 -0500

A few answers:

A new copy of Sage is started up for each worksheet process. Code to be executed is copied to a temporary directory and can be executed as a very non-privileged user (using the server_pool option in starting up the notebook). Standard OS ulimit functions can be used to limit memory or other resources per worksheet.

You might look at http://wiki.sagemath.org/SageServer for one set of instructions about deploying Sage. Also look in the documentation for the notebook() command for other security options.

edit flag offensive delete link more

Comments

Thanks for the insight!

stef gravatar imagestef ( 2012-01-23 07:56:31 -0500 )edit
1

answered 2012-01-23 23:14:04 -0500

joro gravatar image

sagenb.org has strange permissions at least in /tmp

In a notebook on sagenb.org:

os.system("id")
uid=1168(sagenbws) gid=1168(sagenbws) groups=1168(sagenbws)
os.system("cat /tmp/tmpzxlnwt/___code___.py") #someone's code
os.system("find /tmp type -type f -user sagenbws   -ls 2>/dev/null") #sagenbws is us
1615059    4 -rw-r--r--   1 sagenbws sagenbws      568 Dec  5 13:32 /tmp/tmp0uWxta/___code___.py
 ...
WARNING: Output truncated!

Since system commands are supported one can use the notebook as a proxy or send email.

If one starts the notebook from sage via notebook() the user id is the user running sage so anyone who can login to the notebook in this case can execute system commands as the user running sage (by default creating accounts appears disabled to me in this case).

edit flag offensive delete link more

Comments

Just to clarify, you are making two points there: (1) the sagenbws user on sagenb.org is used to execute all notebook commands, so you could mess with someone else's currently executing code since you have the correct OS permissions. (2) by default, without using the server_pool option, on your own computer, sage runs any notebook command as a subprocess, so it will effectively run as the userid of the sage process.

Jason Grout gravatar imageJason Grout ( 2012-01-24 01:16:06 -0500 )edit

@Jason yes. I suppose a malicious user can rm/modify a lot of the code of other users on sagenb.org

joro gravatar imagejoro ( 2012-01-24 01:49:14 -0500 )edit

First, note that the damage is limited to currently running worksheets. What if we had a /tmp/sagenotebook/ directory that was *not* readable by sagenbws, and all sage calculations were done inside /tmp/sagenotebook/tmpzxlnwt (or some other random temporary directory). Then notebook users would not be able to list other user's temp directories, making it much harder for them to find them.

Jason Grout gravatar imageJason Grout ( 2012-01-24 03:51:52 -0500 )edit

@Jason are you comfortable if a group of malicious users allow **no other running running worksheets**? I suppose this is trivially to implement on current sagenb.org. "What if ...???" wtf do you mean, is this currently implemented?

joro gravatar imagejoro ( 2012-01-24 06:21:26 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2012-01-23 04:10:48 -0500

Seen: 713 times

Last updated: Jan 23 '12