Security Considerations to Protect User Sessions in MATLAB Online Server
When your users sign in to MATLAB® Online™ from a browser, MATLAB Online Server™ configures the folder permissions in the MATLAB pod they are using so that users can access their data right away. To configure these permissions, MATLAB Online Server must send user information into the MATLAB pods, which requires that containers in those pods run with elevated privileges. While these containers run with elevated privileges, MATLAB Online Server takes several steps to protect the MATLAB sessions of users.
Restricted Capabilities for Privileged Containers
Each MATLAB pod contains two containers:
The Resource-Proxy container mounts the user’s storage, sets file permissions, and sends requests to MATLAB.
The MATLAB container runs MATLAB.
Both containers require elevated privileges. To protect the MATLAB session data of users while running these containers, MATLAB Online Server performs the following actions:
Drops all capabilities from the containers, then adds back only the minimum capabilities required to configure folder permissions for users.
Limits the elevated privileges to the containers and does not propagate them to the user's MATLAB session.
Runs the containers from dedicated accounts instead of as the root user.
This table shows the account details for these containers and the limited set of capabilities granted to each.
Resource-Proxy Container Account
User ID – 1000600903
Group ID – 1000600715
Capabilities: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FSETID, KILL, NET_RAW, SETGID, SETUID, SYS_ADMIN
MATLAB Container Account
User ID – 1000600903
Group ID – 1000600715
Capabilities: CHOWN, DAC_OVERRIDE, FSETID
Additional Actions to Protect User Sessions
To protect the MATLAB sessions of your users, MATLAB Online Server also does the following:
By default, the server enables these Linux® kernel security modules:
seccomp (secure computing mode) — Restricts the system calls that services can make
AppArmor — Restricts the capabilities of specific services by account profile (Ubuntu® only)
The server enforces network policies and restricts the communication between the MATLAB pods and other pods running in MATLAB Online Server.
In addition, before releasing server upgrades, MathWorks® scans for security vulnerabilities in the base images that are used to run the server and updates the server to address vulnerabilities discovered.
To further protect MATLAB sessions, you can set memory and CPU limits on the MATLAB pods. For details, see Configure MATLAB Hardware Resources.
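An added audit example, not MathWorks code: it reads the text of /proc/<pid>/status for a container process and compares the effective UID/GID, the capability bounding set (CapBnd) and the seccomp mode with the account table and the seccomp default described above. The function names and both sample status texts are constructed for illustration; CapBnd is checked because it is the upper limit on the capabilities a process can acquire.

```python
import re

# Linux capability bit numbers (linux/capability.h); list index = bit position.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

# Account IDs and capability sets exactly as listed in the table on this page.
EXPECTED = {
    "resource-proxy": {"uid": 1000600903, "gid": 1000600715,
                       "caps": {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FSETID", "KILL",
                                "NET_RAW", "SETGID", "SETUID", "SYS_ADMIN"}},
    "matlab": {"uid": 1000600903, "gid": 1000600715,
               "caps": {"CHOWN", "DAC_OVERRIDE", "FSETID"}},
}

def decode_caps(hex_mask):
    """Turn a CapBnd/CapEff hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1}

def audit_status(container, status_text):
    """Compare /proc/<pid>/status text with the page's table; return findings."""
    fields = dict(re.findall(r"^(\w+):\s*(.+)$", status_text, re.M))
    want, findings = EXPECTED[container], []
    # Uid/Gid lines hold real, effective, saved and filesystem IDs; take effective.
    uid, gid = int(fields["Uid"].split()[1]), int(fields["Gid"].split()[1])
    if uid != want["uid"]:
        findings.append(f"effective UID {uid} != {want['uid']}")
    if gid != want["gid"]:
        findings.append(f"effective GID {gid} != {want['gid']}")
    extra = decode_caps(fields["CapBnd"]) - want["caps"]
    if extra:
        findings.append("capabilities beyond the table: " + ", ".join(sorted(extra)))
    if fields.get("Seccomp", "0").strip() != "2":  # 2 = seccomp filter mode
        findings.append("seccomp filter mode not active")
    return findings

# Constructed sample inputs (not captured from a real deployment).
GOOD = ("Name:\tMATLAB\nUid:\t1000600903\t1000600903\t1000600903\t1000600903\n"
        "Gid:\t1000600715\t1000600715\t1000600715\t1000600715\n"
        "CapBnd:\t0000000000000013\nSeccomp:\t2\n")
BAD = ("Name:\tMATLAB\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
       "CapBnd:\t00000000a80425fb\nSeccomp:\t0\n")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_status("matlab", text) or "matches the documented profile")
```

An empty findings list means the process stays within the documented account and capability set; any extra capability name, a root UID, or a seccomp mode other than 2 is reported as a deviation to investigate.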