Merge pull request #156 from nebari-dev/private-home

Make user's home directories private
nebari-dev · Apr 2, 2024 · 5f39db4 · 5f39db4
2 parents 60a99dc + 973e868
commit 5f39db4
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/docs/faq.md b/docs/faq.md
@@ -1 +1,24 @@
 # Frequently Asked Questions
+
+Q1: Can a user access another user's home directory in JupyterLab?
+
+No. Every user's home directory is private to themselves and they cannot access contents
+of any other user's home directory. Example below shows the permissions of user directories
+in `/home`.
+
+```bash
+$ ls -ltrh /home
+
+total 36K
+drwx------  9 john-doe       example-user 4.0K Apr  1 19:22 john-doe
+drwx------  9 alice-doe      example-user 4.0K Apr  1 19:34 alice-doe
+```
+
+```bash
+john-doe@worker-01:~$ pwd
+/home/john-doe
+
+# The user john-doe unable to access contents of user alice-doe's home directory:
+john-doer@worker-01:~$ ls /home/alice-doe/
+ls: cannot open directory '/home/alice-doe/': Permission denied
+```
diff --git a/roles/jupyterhub/templates/jupyterhub_config.py b/roles/jupyterhub/templates/jupyterhub_config.py
@@ -170,6 +170,11 @@ class QHubHPCSpawner(QHubHPCSpawnerBase):
   ln -s /shared "$HOME/share"
 fi
 
+echo "Ensure home directory $HOME is private"
+# This will remove read, write, execute permissions from the group and other users.
+# It will not change permissions for the user that owns the file.
+chmod go-rwx $HOME
+
 # ensure ipyparallel configuration profiles
 cp -r /etc/jupyter/profile_default $HOME/.ipython/