I'm sure this is possible. For example, it would be trivial to write a
worksheet that does 'rm -rf $HOME' inside an autoexecute cell. If that
worksheet was downloaded and opened on a user's local computer, it would
be very bad.
>
> As worksheets may contain hidden information, can be automatically
> executed, and cannot be read as a simple text file, all this raises
> grave security concerns.
One thing we should provide is an "open and don't execute any %auto
cells". I think that should allow you to inspect the code before
running it. Great idea. In fact, when a worksheet is uploaded, it
probably should have a 'don't execute' bit set. Before any cells are
executed, a warning box is popped up, like happens in OSX, for example,
telling the user that it is a new worksheet and are they sure they want
to execute things from it.
Can you file a google issue for this on the sage notebook code site?
Jason
Nope. If someone is running a worksheet on their personal Sage install,
it runs as themselves. Notice I didn't type "sudo" in the command
above. All I'm doing is deleting the entire home directory.
You *should* be wary of downloading untrusted worksheets and executing
them on your personal Sage install. You're executing arbitrary code
from untrusted sources.
Apparently we should implement this "don't execute uploaded worksheets
by default" and advertise this warning better.
Thanks,
Jason