zhangyiss/the-littlest-jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/the-littlest-jupyterhub.git synced 2025-12-18 21:54:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #169 from Carreau/no-everyone-read

Browse Source 
Don't create home publicly readable
This commit is contained in:
Min RK
2018-09-03 14:51:05 +02:00
committed by GitHub
parent 8c82371416 5bbba2bd7c
commit d0b1e5c4c0
3 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/topic/security.rst
View File

@@ -22,6 +22,10 @@ permissions.
#. A home directory is created for the user under ``/home/jupyter-<username>``. #. A home directory is created for the user under ``/home/jupyter-<username>``.
#. The default permission of the home directory is change with ``o-rwx`` (remove
non-group members the ability to read, write or list files and folders in the
Home directory).
#. No password is set for this unix system user by default. The password used #. No password is set for this unix system user by default. The password used
to log in to JupyterHub (if using an authenticator that requires a password) to log in to JupyterHub (if using an authenticator that requires a password)
is not related to the unix user's password in any form. is not related to the unix user's password in any form.

13
tests/test_user.py
View File

@@ -3,6 +3,8 @@ Test wrappers in tljw.user module
""" """
from tljh import user from tljh import user
import os import os
import os.path
import stat
import uuid import uuid
import pwd import pwd
import grp import grp
@@ -23,9 +25,16 @@ def test_ensure_user():
# Create user! # Create user!
user.ensure_user(username) user.ensure_user(username)
# This raises exception if user doesn't exist # This raises exception if user doesn't exist
ent = pwd.getpwnam(username) entry = pwd.getpwnam(username)
# Home directory must also exist # Home directory must also exist
assert os.path.exists(ent.pw_dir) home_dir = entry.pw_dir
assert os.path.exists(home_dir)
# Ensure not word readable/writable especially in teaching context
homedir_stats = os.stat(home_dir).st_mode
assert not (homedir_stats & stat.S_IROTH), "Everyone should not be able to read users home directory"
assert not (homedir_stats & stat.S_IWOTH), "Everyone should not be able to write users home directory"
assert not (homedir_stats & stat.S_IXOTH), "Everyone should not be able to list what is in users home directory"
# Run ensure_user again, should be a noop # Run ensure_user again, should be a noop
user.ensure_user(username) user.ensure_user(username)
# User still exists, after our second ensure_user call # User still exists, after our second ensure_user call

7
tljh/user.py
View File

@@ -6,6 +6,7 @@ Supports minimal user & group management
import pwd import pwd
import grp import grp
import subprocess import subprocess
from os.path import expanduser
def ensure_user(username): def ensure_user(username):
@@ -27,6 +28,12 @@ def ensure_user(username):
username username
]) ])
subprocess.check_call([
'chmod',
'o-rwx',
expanduser('~{username}'.format(username=username))
])
def remove_user(username): def remove_user(username):
""" """