Python os.system command

Python os.system command

by Yves Capdeboscq -
Number of replies: 2

Hello,

Just for fun, I have tested a python question, and in the answer question I wrote

import os

system.os("uname -a")

and then clicked on verify

and in the answer question, sure enough, the result of the command appeared.

Now what if a sudo command was asked an a test for a password was introduced somehow?

Am i just unduly worried, this is impossible?

In reply to Yves Capdeboscq

Re: Python os.system command

by Richard Lobb -
I'd say you were unduly worried, yes. All task son the Jobe server run as one of the users jobe00 through (typically) jobe07. These users certainly do not have sudo rights (they are not in the sudoers file). Yes, they can execute commands in the Linux shell via os.system or the like, but they can't do anything that a typical Linux user can't. In fact, they are much more restricted: no home directory, a maximum run time of (typically) 5 - 10 secs per run, a limited number of processes, limited memory use, limited output. They can write files only in the termporary directory created for the job run.

I would certainly not claim the system is 100% secure - no system is - but there are over two thousand institutions running CodeRunner + Jobe and no-one has ever reported a major security breach on Jobe in the several years it has been in use.

But utlimately it's your call, or your institution's, as to whether you want to use CodeRunner + Jobe. It's fee open source software that comes with no guarantees or promises :-)
In reply to Richard Lobb

Re: Python os.system command

by Yves Capdeboscq -
Thank you very much for taking the time to answer, this is very reassuring.