[IPython-dev] Security

Jason Grout jason-sage@creativetrax....
Tue Apr 10 15:02:13 CDT 2012


Hi everyone,

I just want to confirm that I'm analyzing things correctly with regards 
to security in the IPython (and zmq) infrastructure.  I've read 
http://ipython.org/ipython-doc/dev/parallel/parallel_security.html 
(which notes that is not thorough and pyzmq needs a security audit) and 
http://ipython.org/ipython-doc/dev/parallel/parallel_intro.html#security. 
My aim is to have a client on one computer and a hub and engine on 
another computer, with the messages flowing between them as securely as 
if I had the client ssh into the hub/engine computer, run python, and 
captured the stdout.  In particular, I want to prevent other users on 
either the client or the hub/engine machine from seeing messages or 
inserting their own messages, at least to the level of protection that 
ssh or filesystem permission controls provide (I trust those).  And I'm 
remembering the old adage that if I'm hand-implementing the security, 
I'm doing it wrong.

As I understand it now (am I assessing the situation correctly?), I can 
use ssh to tunnel the messages from the client computer to the engine 
computer.  From there, the messages are transmitted over tcp via the 
loopback to the hub, and then again over tcp via the loopback to the 
engine.  Well, in reality, the message may not actually go through the 
entire tcp stack since the loopback interface can be optimized on the OS 
level.  IPython has implemented some controls for rejecting messages 
that are not signed with specific authentication credentials, so if I 
securely transmit and store the credentials (using ssh and filesystem 
permissions), things *should* be okay as long as the loopback interface 
is not compromised.  However, the loopback interface still allows 
connections from anyone on the local computer to any port, and the hub 
and engines still take up ports on the server.  So if an untrusted user 
exploited a bug in the signing mechanism, or wanted to do some sort of 
DNS attack, that would be possible.

Is it possible to instead have the messages go over unix domain sockets 
(via the zmq ipc transport), which could then be protected using 
filesystem permissions?  In that scenario, the client could have an ssh 
tunnel to the hub/engine machine, then connect via IPC to the hub.  The 
unix domain socket address would be protected by necessary filesystem 
controls so that untrusted users on the hub/engine machine couldn't even 
connect to the hub.  In fact, if the client, hub, and engine were all 
running on the same computer as the same user, the socket could be set 
to have no permissions for other users, providing a secure message 
pathway.  Am I thinking of things correctly?  Using these sockets seems 
to take one potential worry out (any user being able to connect to the 
hub or engine).

Thanks,

Jason


More information about the IPython-dev mailing list