JupHub: User-created files don't respect shared folder permissions

TL;DR: Users should be able to create new files in shared folders, but the file permissions must match the shared folder's. By default the file is created under the spawned user, so other people are unable to access these shared files.

Setup: Multiple-user access on a company server

  • OS: Ubuntu 18.04.2 LTS
  • Jupyter conda installation (conda install -c conda-forge jupyterhub)
  • jupyter_client 5.2.4 py37_0
  • jupyter_core 4.4.0 py37_0
  • jupyterhub 1.0.0 py37_0 conda-forge
  • jupyterlab 1.1.4 pyhf63ae98_0
  • jupyterlab_server 1.0.6 py_0

All of JupyterHub's setup has been done with a system user called "miniconda", and everyone who can access the notebooks is part of the group "miniconda".
Since security is important, this "miniconda" user does not have sudo powers.

sudospawner is used by "miniconda" to start up JupyterLab instances for other Ubuntu users. "miniconda" is added to group "shadow" for non-root PAM authentication.

To share certain notebooks, every "miniconda" group user has a folder ~/jupyterhub/code_share, which is symlinked to /etc/jupyterhub/code_share (sudo ln -s /etc/jupyterhub/code_share jupyterhub/code_share).

All works fine, but when a user clicks the '+' button and creates a new file in the code_share folder, this file should have ownership set as miniconda:miniconda, but currently it is created with user:user.
I want at least the group to be automatically set to "miniconda", but preferably both, and with read/write permission for both user and group. How do I do this?

If you want to inherit permissions and ownerships, a combination of these might help:

  1. setgid directories: If the setgid bit is set on a directory (chmod g+s some/directory), then newly created files and directories inherit the group ownership (and directories also inherit the setgid bit). So newly created files and directories will belong to the miniconda group.
  2. ACLs: You can set default ACLs on a directory tree to set the default permissions for newly created files and folders. Then set the default permissions to allow write access to the group (or to the group miniconda specifically). (See, e.g., this post on Unix & Linux SE.)

Just ACLs might be enough, if the actual group ownership isn't important.

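A worked example of the two mechanisms from the answer above (setgid directory plus a default ACL), added here as an illustration and not code from the original thread or from JupyterHub. It runs on a scratch directory; the path and group it uses are assumptions for the demo. On the server in the question the directory would be the symlink target, /etc/jupyterhub/code_share, with the group miniconda (the bits must be set on the real directory, not on the per-user symlink). Two caveats a practitioner should keep in mind: setgid only controls group ownership, since the owning user of a new file on Linux is always the creating user, so "miniconda:miniconda" ownership is not achievable this way; and without a default ACL the group write bit still depends on the creator's umask (a 022 umask gives 644 files, which the group can read but not write).

```shell
#!/bin/sh
# Added example (not from the original thread): shared directory with setgid group
# inheritance and an optional default ACL for group write access.
set -eu

# Pick a group the current user belongs to. A supplementary group is preferred so the
# demo visibly changes the group of new files; fall back to the primary group otherwise.
pick_demo_group() {
    g=$(id -Gn | tr ' ' '\n' | sed -n '2p')
    if [ -n "$g" ]; then echo "$g"; else id -gn; fi
}

# Prepare DIR as a shared folder owned by GROUP.
# 2775 = setgid on the directory, rwx for owner and group, rx for others.
# The default ACL (best effort; skipped if setfacl is missing or the filesystem lacks
# ACL support) makes new files group-writable regardless of the creator's umask.
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "g:${group}:rwx" "$dir" 2>/dev/null \
            || echo "note: default ACL not applied (no ACL support on this filesystem?)" >&2
    fi
}

# Group name of a path (GNU stat).
group_of() {
    stat -c %G "$1"
}

# Octal mode of a path including the setgid bit, e.g. 2775.
mode_of() {
    stat -c %a "$1"
}

# Create a file in DIR the way a notebook server would (a new "Untitled.ipynb")
# and report whether it inherited DIR's group: prints "inherited" or "not inherited".
check_inheritance() {
    dir=$1
    f="$dir/Untitled.ipynb"
    : > "$f"
    if [ "$(group_of "$f")" = "$(group_of "$dir")" ]; then
        echo inherited
    else
        echo "not inherited"
    fi
}

# Stand-alone demo on a constructed scratch directory.
demo_dir=$(mktemp -d)
setup_shared_dir "$demo_dir/code_share" "$(pick_demo_group)"
ls -ld "$demo_dir/code_share"
check_inheritance "$demo_dir/code_share"
ls -l "$demo_dir/code_share/Untitled.ipynb"
rm -rf "$demo_dir"
```

To verify on the real server, run `ls -ld /etc/jupyterhub/code_share` (expect `drwxrwsr-x ... miniconda`) and `getfacl /etc/jupyterhub/code_share` to confirm the `default:group:miniconda:rwx` entry; then create a notebook through the Lab UI and check that `ls -l` shows the miniconda group with the `w` bit set for it.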

Thank you @muru, this seemed indeed to be the issue. Setting setgid solved it 🙂

How do you create the groups and set permissions for them? I am trying to achieve the same with OAuthenticator. Should I use Docker to create a shared volume with perms?