
Security Considerations to Protect User Sessions in MATLAB Online Server

When your users sign in to MATLAB® Online™ from a browser, MATLAB Online Server™ configures the folder permissions in the MATLAB pod they are using so that users can access their data right away. To configure these permissions, MATLAB Online Server must send user information into the MATLAB pods, which requires that containers in those pods run with elevated privileges. Although these containers run with elevated privileges, MATLAB Online Server takes several steps to protect the MATLAB sessions of users.

Restricted Capabilities for Privileged Containers

Each MATLAB pod contains two containers:

  • The Resource-Proxy container mounts the user’s storage, sets file permissions, and sends requests to MATLAB.

  • The MATLAB container runs MATLAB.

Both containers require elevated privileges. To protect the MATLAB session data of users while running these containers, MATLAB Online Server performs the following actions:

  1. Drops all capabilities from the containers, then adds back only the minimum capabilities required to configure folder permissions for users.

  2. Limits the elevated privileges to the containers and does not propagate them to the user's MATLAB session.

  3. Runs the containers from dedicated accounts instead of as the root user. This table shows the account details for these containers and the limited set of capabilities granted to each.

    Resource-Proxy Container Account

    • User ID – 1000600903

    • Group ID – 1000600715

    • Capabilities:

      • AUDIT_WRITE

      • CHOWN

      • DAC_OVERRIDE

      • FSETID

      • KILL

      • NET_RAW

      • SETGID

      • SETUID

      • SYS_ADMIN

    MATLAB Container Account

    • User ID – 1000600903

    • Group ID – 1000600715

    • Capabilities:

      • CHOWN

      • DAC_OVERRIDE

      • FSETID
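
A check of a pod object against the account table above, added here as an illustration and not part of the MathWorks documentation or product code. It assumes the containers are named resource-proxy and matlab and that the user ID, group ID and capabilities are set through the Kubernetes securityContext fields; the sample pod is constructed.

```python
# Added example, not MathWorks code. Container names and the placement of
# these settings in securityContext are assumptions; values are from the table.
ACCOUNT = {"uid": 1000600903, "gid": 1000600715}
EXPECTED_CAPS = {
    "resource-proxy": {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FSETID", "KILL",
                       "NET_RAW", "SETGID", "SETUID", "SYS_ADMIN"},
    "matlab": {"CHOWN", "DAC_OVERRIDE", "FSETID"},
}

def audit_pod(pod):
    """Compare a pod object (as from `kubectl get pod -o json`) to the table."""
    findings, seen = [], set()
    pod_sc = pod["spec"].get("securityContext") or {}
    for c in pod["spec"]["containers"]:
        name = c["name"]
        if name not in EXPECTED_CAPS:
            continue
        seen.add(name)
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop lacks ALL")
        extra = set(caps.get("add") or []) - EXPECTED_CAPS[name]
        if extra:
            findings.append(f"{name}: undocumented capabilities {sorted(extra)}")
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        if (uid, gid) != (ACCOUNT["uid"], ACCOUNT["gid"]):
            findings.append(f"{name}: runs as {uid}:{gid}, not the dedicated account")
    findings += [f"{n}: container not found" for n in sorted(set(EXPECTED_CAPS) - seen)]
    return findings

# Constructed sample: the matlab container has drifted from the documented set.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000600903, "runAsGroup": 1000600715},
    "containers": [
        {"name": "resource-proxy", "securityContext": {"capabilities": {
            "drop": ["ALL"],
            "add": ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FSETID", "KILL",
                    "NET_RAW", "SETGID", "SETUID", "SYS_ADMIN"]}}},
        {"name": "matlab", "securityContext": {
            "runAsUser": 0,
            "capabilities": {"add": ["CHOWN", "DAC_OVERRIDE", "SYS_PTRACE"]}}},
    ]}}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

If your deployment sets the account in the container image rather than in the pod spec, the user and group check reports a mismatch and needs adjusting.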

Additional Actions to Protect User Sessions

To protect the MATLAB sessions of your users, MATLAB Online Server also does the following:

  • By default, the server enables these Linux® kernel security modules:

    • seccomp (secure computing mode) — Restricts the system calls that services can make

    • AppArmor — Restricts the capabilities of specific services by account profile (Ubuntu® only)

  • The server enforces network policies and restricts the communication between the MATLAB pods and other pods running in MATLAB Online Server.

In addition, before releasing server upgrades, MathWorks® scans for security vulnerabilities in the base images that are used to run the server and updates the server to address vulnerabilities discovered.

To further protect MATLAB sessions, you can set memory and CPU limits on the MATLAB pods. For details, see Configure MATLAB Hardware Resources.
