On 03/10/11 09:38 AM, Leo Butler wrote:
>
>
> On Thu, 10 Mar 2011, José Manuel Mira wrote:
>
> < Hello everyone
> <
> < I have the project to put maxima on my page in order to my students use it
> < from a web interface. But, I need to disable the command system of maxima,
> < which gives access to execute commands in the system. I have not found
> < documentation on the subject.
> <
> < Any suggestions?
>
> Hello,
> This is a very sticky problem, I think.
> A Maxima shell permits restricted access
> to the underlying Lisp, which has some
> 'system' call. So I don't think that
> disabling commands but enabling access to
> a Maxima shell is a good idea -- at best
> you have a false sense of security.
>
> As I see it, you have three alternatives:
> -provide an interface that allows only
> access to a limited command set (this
> has problems, because Maxima evaluates its
> function arguments, so you are back in the
> situation above unless you turn off
> more stuff...);
> -allow full access to a Maxima shell but run
> the shell under very restrictive conditions.
> For example, you could run your webserver and
> Maxima inside a virtual machine.
> -use the Sage web interface, which gives you
> access to Maxima.
Using Sage would not solve the problem - that too has the ability to escape to
the python shell.
The web interface to Sage at
http://t2nb.math.washington.edu:8080/
is run in a Solaris zone. Even if one escapes to a shell and uses a hack
to get root access, you still can't do anything outside the zone.
FreeBSD has jails, which like Solaris zones were designed for security.
I'm not sure how secure virtual machines are. Unlike FreeBSD jails and Solaris
zones, they are not designed with security in mind, though I suspect they do
create a big barrier for hackers.
Of course, if Unix file permissions are set correctly, this can help a lot.
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Dave