[IPython-dev] Security

Matthias BUSSONNIER bussonniermatthias at gmail.com
Thu Sep 19 04:40:59 EDT 2013


On 19 Sept 2013 at 09:56, Phil Elson wrote:

> Thanks for sharing how sagemath has done it. I'm also aware of https://github.com/cni/ipython-hydra which authenticates IPython sessions via LDAP.
> 
> I've been pondering how to go about setting up an enterprise installation of IPython notebooks for 300+ internal scientific users with each of their desktops hosting a single instance accessible by just one user (i.e. no collaboration at this stage) available only on the internal network.


> For me, the LDAP approach looks like the way to go, but there are other security concerns (such as the automatic execution of Python from html at notebook open time) which also make me a little nervous.

Yes, we are aware of this one.
Right now, the displayed JavaScript (in output) is not executed at load time, but only if the user executes the cell.
Still, you are right that JS can be embedded in script tags in HTML.
Right now lots of code **relies** on this, and we need to develop a JS plugin architecture *before* sanitizing the HTML.
But it will be done.

> My problem is that for the notebook to be of any value to the users I support, it needs to be running on their desktops, which by its very nature isn't as throwaway as a garden walled VM.

Usually I would suggest setting up locally a service similar to nbviewer
http://nbviewer.ipython.org/
We will build it as part of IPython soon; it allows viewing notebooks without executing them.

You also have the possibility to launch kernels in LXC or any other kind of jail.
Also keep in mind that notebooks are meant to be executed, so once you have passed the need to view a static
version of an IPynb, I'm not sure the danger of an .ipynb file is much greater than that of any other script file that scientists usually
get and run without asking any questions.
Nothing prevents me from sending a "forged" Python script that does os.remove('/').

For the small story, the bigger security issue we have in my lab is people searching on Google for
   webmail <name of our lab>
The first link is often a classic "Outlook Home page"... where they enter their username and password.
I'll let you guess the rest.


> Anyone else have any experience of configuring up a similar setup?

> Did you harden the notebook against malicious ipynb creators?
Displayed JS is not executed at load time.
We will sanitize HTML.
We are working on a JSON validator that will refuse to send the JSON to the browser if it does not respect
a JSON schema.

> Thanks for any insight.

Even if you jail the kernel, I would also be careful if the notebook is hosted on a domain where users are authenticated
(like wakari), as malicious code can try to access other resources of that domain.


-- 
Matthias
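An added example, not code from the thread or from IPython itself, of the kind of check the reply describes: reject a notebook whose top-level shape is wrong and flag HTML outputs that carry script tags, event-handler attributes or javascript: URLs before they reach the browser. It assumes a simplified nbformat-3 layout (worksheets, cells, outputs with an "html" field) and uses a constructed sample notebook.

```python
import json
from html.parser import HTMLParser

# Constructed sample notebook (assumption: simplified nbformat-3 shape,
# where a display output may carry an "html" field).
SAMPLE_NB = json.dumps({
    "metadata": {"name": "demo"},
    "nbformat": 3,
    "worksheets": [{"cells": [
        {"cell_type": "code", "input": "print 1",
         "outputs": [{"output_type": "pyout", "text": "1"}]},
        {"cell_type": "code", "input": "",
         "outputs": [{"output_type": "display_data",
                      "html": "<b>ok</b><script>alert(1)</script>"
                              "<img src=x onerror=\"alert(2)\">"}]},
    ]}],
})


class _ActiveContentFinder(HTMLParser):
    """Collects tags and attributes that would run code when rendered."""
    RISKY_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        if tag in self.RISKY_TAGS:
            self.findings.append("tag:" + tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("attr:" + name)
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append("url:" + name)


def find_active_html(html):
    """Return a list of findings such as 'tag:script' or 'attr:onerror'."""
    parser = _ActiveContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_notebook(nb_json):
    """Return (worksheet, cell, output, finding) tuples for risky HTML outputs;
    raise ValueError if the notebook does not have the expected structure."""
    nb = json.loads(nb_json)
    if not isinstance(nb.get("worksheets"), list):
        raise ValueError("notebook is missing a 'worksheets' list")
    report = []
    for wi, ws in enumerate(nb["worksheets"]):
        for ci, cell in enumerate(ws.get("cells", [])):
            for oi, out in enumerate(cell.get("outputs", [])):
                html = out.get("html")
                if isinstance(html, str):
                    report.extend((wi, ci, oi, f) for f in find_active_html(html))
    return report
```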
