docs/topic/security.rst

=======================
Security Considerations
=======================

The Littlest JupyterHub is in beta state & should not be used in security
critical situations. We will try to keep things as secure as possible, but
sometimes trade security for massive gains in convenience. This page contains
information about the security model of The Littlest JupyterHub.

System user accounts
====================

Each JupyterHub user gets their own Unix user account created when they
first start their server. This protects users from each other, gives them a
home directory at a well known location, and allows sharing based on file system
permissions.

#. The unix user account created for a JupyterHub user named ``<username>`` is
   ``jupyter-<username>``. This prefix helps prevent clashes with users that
   already exist - otherwise a user named ``root`` can trivially gain full root
   access to your server. If the username (including the ``jupyter-`` prefix)
   is longer than 26 characters, it is truncated at 26 characters & a 5 charcter
   hash is appeneded to it. This keeps usernames under the linux username limit
   of 32 characters while also reducing chances of collision.

#. A home directory is created for the user under ``/home/jupyter-<username>``.

#. The default permission of the home directory is change with ``o-rwx`` (remove
   non-group members the ability to read, write or list files and folders in the
   Home directory).

#. No password is set for this unix system user by default. The password used
   to log in to JupyterHub (if using an authenticator that requires a password)
   is not related to the unix user's password in any form.

#. All users created by The Littlest JupyterHub are added to the user group
   ``jupyterhub-users``.

``sudo`` access for admins
==========================

JupyterHub admin users are added to the user group ``jupyterhub-admins``,
which is granted complete root access to the whole server with the ``sudo``
command on the terminal. No password required.

This is a **lot** of power, and they can do pretty much anything they want to
the server - look at other people's work, modify it, break the server in cool &
funky ways, etc. This also means **if an admin's credentials are compromised 
(easy to guess password, password re-use, etc) the entire JupyterHub is compromised.**

Off-boarding users securely
===========================

When you delete users from the JupyterHub admin console, their unix user accounts
are **not** removed. This means they might continue to have access to the server
even after you remove them from JupyterHub. Admins should manually remove the user
from the server & archive their home directories as needed. For example, the
following command deletes the unix user associated with the JupyterHub user ``yuvipanda``.

.. code-block:: bash

   sudo userdel jupyter-yuvipanda

If the user removed from the server is an admin, extra care must be taken
since they could have modified the system earlier to continue giving them
access.

Per-user ``/tmp``
=================

``/tmp`` is shared by all users in most computing systems, and this has been
a consistent source of security issues. The Littlest JupyterHub gives each
user their own ephemeral ``/tmp`` using the `PrivateTmp <https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp>`_
feature of systemd.

HTTPS
=====

Any internet-facing JupyterHub should use HTTPS to secure its traffic. For
information on how to use HTTPS with your JupyterHub, see :ref:`howto/admin/https`.
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`=======================`
			`Security Considerations`
			`=======================`

Replace pre-alpha by beta state in documentation According to 3af53522, TLJH is in beta state by now. This commit replaces the other occurrences in the documentation to make it consistent. Also syncs other paragraphs from index.rst to README.rst, see 5374f5ea. 2019-06-24 10:04:53 +02:00			`The Littlest JupyterHub is in beta state & should not be used in security`
			`critical situations. We will try to keep things as secure as possible, but`
			`sometimes trade security for massive gains in convenience. This page contains`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`information about the security model of The Littlest JupyterHub.`

			`System user accounts`
			`====================`

small updates to the docs 2018-07-31 09:38:25 -07:00			`Each JupyterHub user gets their own Unix user account created when they`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`first start their server. This protects users from each other, gives them a`
			`home directory at a well known location, and allows sharing based on file system`
			`permissions.`

			#. The unix user account created for a JupyterHub user named ``<username>`` is
			``jupyter-<username>``. This prefix helps prevent clashes with users that
			already exist - otherwise a user named ``root`` can trivially gain full root
Add docs explaining truncation of username 2018-09-12 16:48:55 -07:00			access to your server. If the username (including the ``jupyter-`` prefix)
			`is longer than 26 characters, it is truncated at 26 characters & a 5 charcter`
			`hash is appeneded to it. This keeps usernames under the linux username limit`
			`of 32 characters while also reducing chances of collision.`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
			#. A home directory is created for the user under ``/home/jupyter-<username>``.

Don't create home publicly readable World-Readable seem to be a surprising default for many people, especially in teaching context. Switch to a more reasonable rwxr-x--- We have to issue a chmod, as changing at creation time would require changin /etc/adduser.conf DIR_MODE=0760 (or whatever), but that seem unwise. We do not set the exact permission in case the DIR_MODE is more restrictive. Closing #158 2018-08-29 11:04:07 -07:00			#. The default permission of the home directory is change with ``o-rwx`` (remove
			`non-group members the ability to read, write or list files and folders in the`
			`Home directory).`

Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`#. No password is set for this unix system user by default. The password used`
			`to log in to JupyterHub (if using an authenticator that requires a password)`
			`is not related to the unix user's password in any form.`

			`#. All users created by The Littlest JupyterHub are added to the user group`
			``jupyterhub-users``.

			``sudo`` access for admins
			`==========================`

			JupyterHub admin users are added to the user group ``jupyterhub-admins``,
			which is granted complete root access to the whole server with the ``sudo``
			`command on the terminal. No password required.`

			`This is a lot of power, and they can do pretty much anything they want to`
			`the server - look at other people's work, modify it, break the server in cool &`
Remove extra space after opening paren 2018-09-11 12:08:31 -07:00			`funky ways, etc. This also means **if an admin's credentials are compromised`
			`(easy to guess password, password re-use, etc) the entire JupyterHub is compromised.**`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
			`Off-boarding users securely`
			`===========================`

			`When you delete users from the JupyterHub admin console, their unix user accounts`
			`are not removed. This means they might continue to have access to the server`
			`even after you remove them from JupyterHub. Admins should manually remove the user`
small updates to the docs 2018-07-31 09:38:25 -07:00			`from the server & archive their home directories as needed. For example, the`
Clarify command for deleting unix system users 2018-08-02 12:03:18 -07:00			following command deletes the unix user associated with the JupyterHub user ``yuvipanda``.
small updates to the docs 2018-07-31 09:38:25 -07:00
Catching up with breakage 2018-08-11 08:25:21 +02:00			`.. code-block:: bash`

Clarify command for deleting unix system users 2018-08-02 12:03:18 -07:00			`sudo userdel jupyter-yuvipanda`
small updates to the docs 2018-07-31 09:38:25 -07:00
Clarify command for deleting unix system users 2018-08-02 12:03:18 -07:00			`If the user removed from the server is an admin, extra care must be taken`
			`since they could have modified the system earlier to continue giving them`
			`access.`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
			Per-user ``/tmp``
			`=================`

			``/tmp`` is shared by all users in most computing systems, and this has been
			`a consistent source of security issues. The Littlest JupyterHub gives each`
			user their own ephemeral ``/tmp`` using the `PrivateTmp <https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp>`_
			`feature of systemd.`

			`HTTPS`
			`=====`

small updates to the docs 2018-07-31 09:38:25 -07:00			`Any internet-facing JupyterHub should use HTTPS to secure its traffic. For`
adding css rule for logo and fixing some ref links 2018-08-11 11:45:36 -07:00			information on how to use HTTPS with your JupyterHub, see :ref:`howto/admin/https`.