[IPython-dev] Security
Jason Grout
jason-sage at creativetrax.com
Tue Apr 10 16:02:13 EDT 2012
Hi everyone,
I just want to confirm that I'm analyzing things correctly with regards
to security in the IPython (and zmq) infrastructure. I've read
http://ipython.org/ipython-doc/dev/parallel/parallel_security.html
(which notes that is not thorough and pyzmq needs a security audit) and
http://ipython.org/ipython-doc/dev/parallel/parallel_intro.html#security.
My aim is to have a client on one computer and a hub and engine on
another computer, with the messages flowing between them as securely as
if I had the client ssh into the hub/engine computer, run python, and
captured the stdout. In particular, I want to prevent other users on
either the client or the hub/engine machine from seeing messages or
inserting their own messages, at least to the level of protection that
ssh or filesystem permission controls provide (I trust those). And I'm
remembering the old adage that if I'm hand-implementing the security,
I'm doing it wrong.
As I understand it now (am I assessing the situation correctly?), I can
use ssh to tunnel the messages from the client computer to the engine
computer. From there, the messages are transmitted over tcp via the
loopback to the hub, and then again over tcp via the loopback to the
engine. Well, in reality, the message may not actually go through the
entire tcp stack since the loopback interface can be optimized on the OS
level. IPython has implemented some controls for rejecting messages
that are not signed with specific authentication credentials, so if I
securely transmit and store the credentials (using ssh and filesystem
permissions), things *should* be okay as long as the loopback interface
is not compromised. However, the loopback interface still allows
connections from anyone on the local computer to any port, and the hub
and engines still take up ports on the server. So if an untrusted user
exploited a bug in the signing mechanism, or wanted to do some sort of
DNS attack, that would be possible.
Is it possible to instead have the messages go over unix domain sockets
(via the zmq ipc transport), which could then be protected using
filesystem permissions? In that scenario, the client could have an ssh
tunnel to the hub/engine machine, then connect via IPC to the hub. The
unix domain socket address would be protected by necessary filesystem
controls so that untrusted users on the hub/engine machine couldn't even
connect to the hub. In fact, if the client, hub, and engine were all
running on the same computer as the same user, the socket could be set
to have no permissions for other users, providing a secure message
pathway. Am I thinking of things correctly? Using these sockets seems
to take one potential worry out (any user being able to connect to the
hub or engine).
Thanks,
Jason
More information about the IPython-dev
mailing list