Don't use sudo for everything

We are running as root, and will rely on dropping privileges via
systemd rather than sudo.
yuvipanda
2018-06-27 02:07:49 -07:00
parent cf4bd7e36e
commit e957fc3bf0
3 changed files with 1 additions and 17 deletions


@@ -27,6 +27,5 @@ c.JupyterHub.spawner_class = CustomSpawner
c.ConfigurableHTTPProxy.should_start = False c.ConfigurableHTTPProxy.should_start = False
c.SystemdSpawner.extra_paths = [os.path.join(USER_ENV_PREFIX, 'bin')] c.SystemdSpawner.extra_paths = [os.path.join(USER_ENV_PREFIX, 'bin')]
c.SystemdSpawner.use_sudo = True
configurer.apply_yaml_config('/etc/jupyterhub/jupyterhub.yaml', c) configurer.apply_yaml_config('/etc/jupyterhub/jupyterhub.yaml', c)


@@ -1,11 +1,6 @@
""" """
Wraps systemctl to install, uninstall, start & stop systemd services. Wraps systemctl to install, uninstall, start & stop systemd services.
We use sudo + subprocess calls for everything. This works when we
are running as root & as normal user (with arbitrary sudo privileges).
Arbitrary sudo privileges suck, but are better than running the whole
process as root.
If we use a debian package instead, we can get rid of all this code. If we use a debian package instead, we can get rid of all this code.
""" """
import subprocess import subprocess
@@ -19,7 +14,6 @@ def reload_daemon():
Makes systemd discover new units. Makes systemd discover new units.
""" """
subprocess.run([ subprocess.run([
'sudo',
'systemctl', 'systemctl',
'daemon-reload' 'daemon-reload'
], check=True) ], check=True)
@@ -30,7 +24,6 @@ def install_unit(name, unit, path='/etc/systemd/system'):
Install unit wih given name Install unit wih given name
""" """
subprocess.run([ subprocess.run([
'sudo',
'tee', 'tee',
os.path.join(path, name) os.path.join(path, name)
], input=unit.encode('utf-8'), check=True) ], input=unit.encode('utf-8'), check=True)
@@ -41,7 +34,6 @@ def uninstall_unit(name, path='/etc/systemd/system'):
Uninstall unit with given name Uninstall unit with given name
""" """
subprocess.run([ subprocess.run([
'sudo',
'rm', 'rm',
os.path.join(path, name) os.path.join(path, name)
], check=True) ], check=True)
@@ -52,7 +44,6 @@ def start_service(name):
Start service with given name. Start service with given name.
""" """
subprocess.run([ subprocess.run([
'sudo',
'systemctl', 'systemctl',
'start', 'start',
name name
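Review bot: `install_unit` still pipes the unit text through a `tee` subprocess, which was only needed to write the file under sudo. `tee` also copies its input to stdout, and stdout is not redirected here, so the full unit text is echoed into whatever captures this process's output; that matters if a unit ever carries tokens or other secrets. Now that the process is root, a direct write does the same job without the echo: `with open(os.path.join(path, name), 'w') as f: f.write(unit)`. Likewise `uninstall_unit` can use `os.remove(os.path.join(path, name))` instead of `rm`, though callers that catch `CalledProcessError` would then see `OSError`. Only the function bodies are in the hunks; the signatures appear in the hunk headers.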


@@ -1,7 +1,7 @@
""" """
User management for tljh. User management for tljh.
Supports user creation, deletion & sudo Supports minimal user & group management
""" """
import pwd import pwd
import grp import grp
@@ -22,7 +22,6 @@ def ensure_user(username):
pass pass
subprocess.check_call([ subprocess.check_call([
'sudo',
'adduser', 'adduser',
'--disabled-password', '--disabled-password',
'--force-badname', '--force-badname',
@@ -42,7 +41,6 @@ def remove_user(username):
return return
subprocess.check_call([ subprocess.check_call([
'sudo',
'deluser', 'deluser',
'--quiet', '--quiet',
username username
@@ -61,7 +59,6 @@ def ensure_group(groupname):
pass pass
subprocess.check_call([ subprocess.check_call([
'sudo',
'addgroup', 'addgroup',
'--quiet', '--quiet',
groupname groupname
@@ -79,7 +76,6 @@ def remove_group(groupname):
return return
subprocess.check_call([ subprocess.check_call([
'sudo',
'delgroup', 'delgroup',
'--quiet', '--quiet',
groupname groupname
@@ -97,7 +93,6 @@ def ensure_user_group(username, groupname):
return return
subprocess.check_call([ subprocess.check_call([
'sudo',
'usermod', 'usermod',
'--append', '--append',
'--groups', '--groups',
@@ -115,7 +110,6 @@ def remove_user_group(username, groupname):
return return
subprocess.check_call([ subprocess.check_call([
'sudo',
'deluser', 'deluser',
'--quiet', '--quiet',
username, username,
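Review bot: In `remove_user`, `ensure_group` and `remove_group` the user or group name is passed as a bare positional argument straight after the options, so a name beginning with `-` would be parsed by the tool as an option rather than a name. The commit message says the process itself now runs as root, so nothing sits between these calls and the account database. If the callers do not already validate names (not visible in these hunks), reject option-like values before the call, e.g. `if username.startswith('-'): raise ValueError('invalid username')`. The same check fits `ensure_user`, which also passes `--force-badname`, and the two `*_user_group` functions. Each function body starts and ends outside its hunk.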