From c5eae3386a7fa91d2e7a55cd123473cf30f2eee6 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Thu, 1 Jun 2023 23:43:38 +0200
Subject: [PATCH] SystemdSpawner 1: don't prevent admins from sudo / privilege escalation

Having upgraded systemdspawner to 1.0.0, its configuration option `disable_user_sudo` now defaults to True. This would be a breaking unwanted change for our jupyterhub admin users who are configured with passwordless sudo. Its unlikeley a breaking change for other users, but could be if they are granted sudo rights without being a jupyterhub admin. But, if they are, then they could grant themself such rights anyhow so its reasonable to assume jupyterhub admins only should have sudo rights in a TLJH installation.
---
 tljh/user_creating_spawner.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tljh/user_creating_spawner.py b/tljh/user_creating_spawner.py
index a08f24c..eda9642 100644
--- a/tljh/user_creating_spawner.py
+++ b/tljh/user_creating_spawner.py
@@ -26,8 +26,10 @@ class UserCreatingSpawner(SystemdSpawner):
 user.ensure_user(system_username)
 user.ensure_user_group(system_username, "jupyterhub-users")
 if self.user.admin:
+ self.disable_user_sudo = False
 user.ensure_user_group(system_username, "jupyterhub-admins")
 else:
+ self.disable_user_sudo = True
 user.remove_user_group(system_username, "jupyterhub-admins")
 if self.user_groups:
 for group, users in self.user_groups.items():
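Review bot: The two added assignments in the `if self.user.admin:` / `else:` branches overwrite `self.disable_user_sudo` on every spawn, so a value an operator set through `c.SystemdSpawner.disable_user_sudo` is silently ignored in both directions; in particular, a deployment that set it to True as hardening will now start admin servers without that restriction. In systemdspawner this option controls `NoNewPrivileges` on the user's unit, so for admins any code run inside the notebook server can reach root through the passwordless sudo rule, and that trade-off deserves a comment at the assignment, e.g. `# Admins have passwordless sudo in TLJH, so their servers run without NoNewPrivileges; this deliberately overrides any configured disable_user_sudo.` The admin flag is read at spawn time, so a demoted admin's already-running server presumably keeps the relaxed setting until it is restarted. The enclosing method begins before and continues past the hunk, so whether anything later resets the attribute cannot be seen here.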