docs/topic/security.md

# Security Considerations

The Littlest JupyterHub is in beta state & should not be used in security
critical situations. We will try to keep things as secure as possible, but
sometimes trade security for massive gains in convenience. This page contains
information about the security model of The Littlest JupyterHub.

## System user accounts

Each JupyterHub user gets their own Unix user account created when they
first start their server. This protects users from each other, gives them a
home directory at a well known location, and allows sharing based on file system
permissions.

1. The unix user account created for a JupyterHub user named `<username>` is
   `jupyter-<username>`. This prefix helps prevent clashes with users that
   already exist - otherwise a user named `root` can trivially gain full root
   access to your server. If the username (including the `jupyter-` prefix)
   is longer than 26 characters, it is truncated at 26 characters & a 5 charcter
   hash is appeneded to it. This keeps usernames under the linux username limit
   of 32 characters while also reducing chances of collision.
2. A home directory is created for the user under `/home/jupyter-<username>`.
3. The default permission of the home directory is change with `o-rwx` (remove
   non-group members the ability to read, write or list files and folders in the
   Home directory).
4. No password is set for this unix system user by default. The password used
   to log in to JupyterHub (if using an authenticator that requires a password)
   is not related to the unix user's password in any form.
5. All users created by The Littlest JupyterHub are added to the user group
   `jupyterhub-users`.

## `sudo` access for admins

JupyterHub admin users are added to the user group `jupyterhub-admins`,
which is granted complete root access to the whole server with the `sudo`
command on the terminal. No password required.

This is a **lot** of power, and they can do pretty much anything they want to
the server - look at other people's work, modify it, break the server in cool &
funky ways, etc. This also means **if an admin's credentials are compromised
(easy to guess password, password re-use, etc) the entire JupyterHub is compromised.**

## Off-boarding users securely

When you delete users from the JupyterHub admin console, their unix user accounts
are **not** removed. This means they might continue to have access to the server
even after you remove them from JupyterHub. Admins should manually remove the user
from the server & archive their home directories as needed. For example, the
following command deletes the unix user associated with the JupyterHub user `yuvipanda`.

```bash
sudo userdel jupyter-yuvipanda
```

If the user removed from the server is an admin, extra care must be taken
since they could have modified the system earlier to continue giving them
access.

## Per-user `/tmp`

`/tmp` is shared by all users in most computing systems, and this has been
a consistent source of security issues. The Littlest JupyterHub gives each
user their own ephemeral `/tmp` using the [PrivateTmp](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp)
feature of systemd.

## HTTPS

Any internet-facing JupyterHub should use HTTPS to secure its traffic. For
information on how to use HTTPS with your JupyterHub, see [](/howto/admin/https).
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`# Security Considerations`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
Replace pre-alpha by beta state in documentation According to 3af53522, TLJH is in beta state by now. This commit replaces the other occurrences in the documentation to make it consistent. Also syncs other paragraphs from index.rst to README.rst, see 5374f5ea. 2019-06-24 10:04:53 +02:00			`The Littlest JupyterHub is in beta state & should not be used in security`
			`critical situations. We will try to keep things as secure as possible, but`
			`sometimes trade security for massive gains in convenience. This page contains`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`information about the security model of The Littlest JupyterHub.`

adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`## System user accounts`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
small updates to the docs 2018-07-31 09:38:25 -07:00			`Each JupyterHub user gets their own Unix user account created when they`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`first start their server. This protects users from each other, gives them a`
			`home directory at a well known location, and allows sharing based on file system`
			`permissions.`

adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			1. The unix user account created for a JupyterHub user named `<username>` is
			`jupyter-<username>`. This prefix helps prevent clashes with users that
			already exist - otherwise a user named `root` can trivially gain full root
			access to your server. If the username (including the `jupyter-` prefix)
Add docs explaining truncation of username 2018-09-12 16:48:55 -07:00			`is longer than 26 characters, it is truncated at 26 characters & a 5 charcter`
			`hash is appeneded to it. This keeps usernames under the linux username limit`
			`of 32 characters while also reducing chances of collision.`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			2. A home directory is created for the user under `/home/jupyter-<username>`.
			3. The default permission of the home directory is change with `o-rwx` (remove
Don't create home publicly readable World-Readable seem to be a surprising default for many people, especially in teaching context. Switch to a more reasonable rwxr-x--- We have to issue a chmod, as changing at creation time would require changin /etc/adduser.conf DIR_MODE=0760 (or whatever), but that seem unwise. We do not set the exact permission in case the DIR_MODE is more restrictive. Closing #158 2018-08-29 11:04:07 -07:00			`non-group members the ability to read, write or list files and folders in the`
			`Home directory).`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`4. No password is set for this unix system user by default. The password used`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`to log in to JupyterHub (if using an authenticator that requires a password)`
			`is not related to the unix user's password in any form.`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`5. All users created by The Littlest JupyterHub are added to the user group`
			`jupyterhub-users`.
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			## `sudo` access for admins
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			JupyterHub admin users are added to the user group `jupyterhub-admins`,
			which is granted complete root access to the whole server with the `sudo`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`command on the terminal. No password required.`

			`This is a lot of power, and they can do pretty much anything they want to`
			`the server - look at other people's work, modify it, break the server in cool &`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`funky ways, etc. This also means **if an admin's credentials are compromised`
Remove extra space after opening paren 2018-09-11 12:08:31 -07:00			`(easy to guess password, password re-use, etc) the entire JupyterHub is compromised.**`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`## Off-boarding users securely`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
			`When you delete users from the JupyterHub admin console, their unix user accounts`
			`are not removed. This means they might continue to have access to the server`
			`even after you remove them from JupyterHub. Admins should manually remove the user`
small updates to the docs 2018-07-31 09:38:25 -07:00			`from the server & archive their home directories as needed. For example, the`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			following command deletes the unix user associated with the JupyterHub user `yuvipanda`.
Catching up with breakage 2018-08-11 08:25:21 +02:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			```bash
			`sudo userdel jupyter-yuvipanda`
			```
small updates to the docs 2018-07-31 09:38:25 -07:00
Clarify command for deleting unix system users 2018-08-02 12:03:18 -07:00			`If the user removed from the server is an admin, extra care must be taken`
			`since they could have modified the system earlier to continue giving them`
			`access.`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			## Per-user `/tmp`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`/tmp` is shared by all users in most computing systems, and this has been
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`a consistent source of security issues. The Littlest JupyterHub gives each`
adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			user their own ephemeral `/tmp` using the [PrivateTmp](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp)
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00			`feature of systemd.`

adopt myst run rst2myst, with minimal manual formatting fixes 2023-03-27 09:31:02 +02:00			`## HTTPS`
Add security topic guide Fixes #13 2018-07-12 14:15:01 -07:00
small updates to the docs 2018-07-31 09:38:25 -07:00			`Any internet-facing JupyterHub should use HTTPS to secure its traffic. For`
fix absolute refs myst seems to create different refs than sphinx 2023-03-27 09:56:46 +02:00			`information on how to use HTTPS with your JupyterHub, see [](/howto/admin/https).`