Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't create home publicly readable #169

Merged
merged 2 commits into from
Sep 3, 2018
Merged

Don't create home publicly readable #169

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
552db9f
Don't create home publicly readable
Carreau Aug 29, 2018
5bbba2b
add test
Carreau Sep 1, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/topic/security.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ permissions.

#. A home directory is created for the user under ``/home/jupyter-<username>``.

#. The default permission of the home directory is change with ``o-rwx`` (remove
non-group members the ability to read, write or list files and folders in the
Home directory).

#. No password is set for this unix system user by default. The password used
to log in to JupyterHub (if using an authenticator that requires a password)
is not related to the unix user's password in any form.
Expand Down
13 changes: 11 additions & 2 deletions tests/test_user.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
"""
from tljh import user
import os
import os.path
import stat
import uuid
import pwd
import grp
Expand All @@ -23,9 +25,16 @@ def test_ensure_user():
# Create user!
user.ensure_user(username)
# This raises exception if user doesn't exist
ent = pwd.getpwnam(username)
entry = pwd.getpwnam(username)
# Home directory must also exist
assert os.path.exists(ent.pw_dir)
home_dir = entry.pw_dir
assert os.path.exists(home_dir)
# Ensure not word readable/writable especially in teaching context
homedir_stats = os.stat(home_dir).st_mode
assert not (homedir_stats & stat.S_IROTH), "Everyone should not be able to read users home directory"
assert not (homedir_stats & stat.S_IWOTH), "Everyone should not be able to write users home directory"
assert not (homedir_stats & stat.S_IXOTH), "Everyone should not be able to list what is in users home directory"

# Run ensure_user again, should be a noop
user.ensure_user(username)
# User still exists, after our second ensure_user call
Expand Down
7 changes: 7 additions & 0 deletions tljh/user.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import pwd
import grp
import subprocess
from os.path import expanduser


def ensure_user(username):
Expand All @@ -27,6 +28,12 @@ def ensure_user(username):
username
])

subprocess.check_call([
'chmod',
'o-rwx',
expanduser('~{username}'.format(username=username))
])


def remove_user(username):
"""
Expand Down