From a373b2108cd78a10eab116cbd4b099098a7e9fe6 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Thu, 1 Jun 2023 23:35:50 +0200
Subject: [PATCH 1/2] Update systemdspawner from v0.17 to v1.0.1+

---
 tljh/requirements-hub-env.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tljh/requirements-hub-env.txt b/tljh/requirements-hub-env.txt
index 81d694a..9b6fada 100644
--- a/tljh/requirements-hub-env.txt
+++ b/tljh/requirements-hub-env.txt
@@ -8,8 +8,8 @@
 # If a dependency is bumped to a new major version, we should make a major
 # version release of tljh.
 #
-jupyterhub>=4.0.0,<5
-jupyterhub-systemdspawner>=0.17.0,<1
+jupyterhub>=4.0.1,<5
+jupyterhub-systemdspawner>=1.0.1,<2
 jupyterhub-firstuseauthenticator>=1.0.0,<2
 jupyterhub-nativeauthenticator>=1.2.0,<2
 jupyterhub-ldapauthenticator>=1.3.2,<2

From c5eae3386a7fa91d2e7a55cd123473cf30f2eee6 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Thu, 1 Jun 2023 23:43:38 +0200
Subject: [PATCH 2/2] SystemdSpawner 1: don't prevent admins from sudo / privilege escalation

Having upgraded systemdspawner to 1.0.0, its configuration option `disable_user_sudo` now defaults to True. This would be a breaking unwanted change for our jupyterhub admin users who are configured with passwordless sudo. Its unlikeley a breaking change for other users, but could be if they are granted sudo rights without being a jupyterhub admin. But, if they are, then they could grant themself such rights anyhow so its reasonable to assume jupyterhub admins only should have sudo rights in a TLJH installation.
---
 tljh/user_creating_spawner.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tljh/user_creating_spawner.py b/tljh/user_creating_spawner.py
index a08f24c..eda9642 100644
--- a/tljh/user_creating_spawner.py
+++ b/tljh/user_creating_spawner.py
@@ -26,8 +26,10 @@ class UserCreatingSpawner(SystemdSpawner):
 user.ensure_user(system_username)
 user.ensure_user_group(system_username, "jupyterhub-users")
 if self.user.admin:
+ self.disable_user_sudo = False
 user.ensure_user_group(system_username, "jupyterhub-admins")
 else:
+ self.disable_user_sudo = True
 user.remove_user_group(system_username, "jupyterhub-admins")
 if self.user_groups:
 for group, users in self.user_groups.items():
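Review bot: Both added assignments overwrite `disable_user_sudo` unconditionally on every spawn, so a deployment that deliberately set `c.SystemdSpawner.disable_user_sudo = True` to harden all servers would have that setting silently dropped for admin users in the `if self.user.admin:` branch. If the override is intended, the code should say so where it happens, e.g. `# systemdspawner >=1 defaults disable_user_sudo to True; TLJH admins rely on passwordless sudo, so this deliberately overrides any configured value`, and the option should be documented as not operator-configurable in TLJH. The flag is also only evaluated at spawn time, so a user whose admin status is revoked presumably keeps a sudo-capable server until it is restarted, which looks worth a line in the docs. The enclosing method starts and ends outside this hunk.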