How to restrict command in Jupyter Terminal

[sachinkaushik]

Hi Team,

This is not bug/issue. I just need your support, Is there any way to restrict command in Jupyter terminal. ?

I have a running rootles container. I have podman and jupyter lab installed in this container. Now using Jupyter Terminal, User can create container image using podman. We have a requirement to restrict few commands like podman run from that jupyter terminal.

Is there any possibilities we can do it through some jupyter configuration?

Below is example :

Thank you in advance...!!!

Thanks,
Sachin

[kevin-bates]

Hi @sachinkaushik. The only ability to configure terminals is via the NotebookApp.terminado_settings trait, which is a dictionary of key/value pairs. And the only "key" recognized by Notebook is shell_command. As a result, you could look into using a restricted shell (the default value is 'sh'), but I suspect you'd find that too restrictive. In addition, it would still likely require you to move the installation location of podman and other commands you'd like to prevent.

Since you're running within a containerized environment, your best approach may be to partition the commands within your container such that restricted commands are in locations that are unavailable to the user-set you wish to restrict and approach this from the unix permissions standpoint. I think you'd need to do some of this anyway if you took the restricted shell approach.

I suppose you could also try to roll your own shell that merely filters a list of restricted commands before deferring to the regular shell. Not sure if that would be viable for you and it might be difficult to bulletproof depending on your requirements.

Perhaps others have more ideas on how this could be addressed?