From a80f0738bd8f398f1c6bc162819db2c7c56605f4 Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Tue, 2 Apr 2024 01:16:10 +0100
Subject: [PATCH 1/3] Ensure private home directories

---
 roles/jupyterhub/templates/jupyterhub_config.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/jupyterhub/templates/jupyterhub_config.py b/roles/jupyterhub/templates/jupyterhub_config.py
index 3cf195f8..705530ea 100644
--- a/roles/jupyterhub/templates/jupyterhub_config.py
+++ b/roles/jupyterhub/templates/jupyterhub_config.py
@@ -170,6 +170,9 @@ class QHubHPCSpawner(QHubHPCSpawnerBase):
 ln -s /shared "$HOME/share"
 fi
 
+# Ensure home directory is private
+chmod go-rwx $HOME
+
 # ensure ipyparallel configuration profiles
 cp -r /etc/jupyter/profile_default $HOME/.ipython/
 

From 4e7a1e6680096468578dc360c12fdbddff034afa Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Tue, 2 Apr 2024 01:48:44 +0100
Subject: [PATCH 2/3] Add note about user permissions modification

---
 roles/jupyterhub/templates/jupyterhub_config.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/jupyterhub/templates/jupyterhub_config.py b/roles/jupyterhub/templates/jupyterhub_config.py
index 705530ea..0adb622b 100644
--- a/roles/jupyterhub/templates/jupyterhub_config.py
+++ b/roles/jupyterhub/templates/jupyterhub_config.py
@@ -170,7 +170,9 @@ class QHubHPCSpawner(QHubHPCSpawnerBase):
 ln -s /shared "$HOME/share"
 fi
 
-# Ensure home directory is private
+echo "Ensure home directory $HOME is private"
+# This will remove read, write, execute permissions from the group and other users.
+# It will not change permissions for the user that owns the file.
 chmod go-rwx $HOME
 
 # ensure ipyparallel configuration profiles

From 973e868f6feffe69a043862bceafd2651b0f4234 Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Tue, 2 Apr 2024 02:00:18 +0100
Subject: [PATCH 3/3] add faq for user's private home directory

---
 docs/faq.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
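Review bot: `chmod go-rwx $HOME` in PATCH 1/3 expands `$HOME` unquoted, although the context line just above it quotes the same variable (`"$HOME/share"`); a home path containing whitespace or glob characters would be split or expanded, and chmod would then fail or act on other paths. The command's exit status also appears to go unchecked (the script starts outside the hunk, so an earlier `set -e` cannot be ruled out), in which case a failed chmod would presumably still let the session start with the home directory open to group and others. If aborting the spawn is acceptable here, I would write `chmod go-rwx -- "$HOME" || { echo "cannot restrict $HOME" >&2; exit 1; }`. The same unquoted line is carried unchanged as context in the hunk of PATCH 2/3.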
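Review bot: The two comments added in PATCH 2/3 say "the file" for what is a directory, and they leave out that the chmod is not recursive: entries below `$HOME` keep their existing modes and are shielded only because group and others lose search permission on `$HOME` itself. I would reword them to `# Removes read, write and search permission on $HOME for group and others; the owner's bits are unchanged.` and `# Not recursive: contents keep their modes and are protected only because others can no longer traverse $HOME.` If this script runs on every spawn, as its place in the spawner class suggests, it is also worth stating that any group access a user granted on their own home is reset each time. The script body starts and ends outside the hunk.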
diff --git a/docs/faq.md b/docs/faq.md
index 318b08dc..04e0f247 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -1 +1,24 @@
 # Frequently Asked Questions
+
+Q1: Can a user access another user's home directory in JupyterLab?
+
+No. Every user's home directory is private to themselves and they cannot access contents
+of any other user's home directory. Example below shows the permissions of user directories
+in `/home`.
+
+```bash
+$ ls -ltrh /home
+
+total 36K
+drwx------ 9 john-doe example-user 4.0K Apr 1 19:22 john-doe
+drwx------ 9 alice-doe example-user 4.0K Apr 1 19:34 alice-doe
+```
+
+```bash
+john-doe@worker-01:~$ pwd
+/home/john-doe
+
+# The user john-doe unable to access contents of user alice-doe's home directory:
+john-doer@worker-01:~$ ls /home/alice-doe/
+ls: cannot open directory '/home/alice-doe/': Permission denied
+```