Limit user access to host system

Hello! I have set up JupyterHub with The Littlest JupyterHub (tljh). It is running on premise and on a university network over HTTPS. As a normal user, I can spawn a terminal, and I can navigate through the server, so potentially, I could look at server settings, and maybe manage to break stuff, which is undesired from the admin perspective.

I would like to limit the privileges of the users so they’re basically locked within their home directory, having one shared directory at most. I haven’t been able to find online how to achieve this, so I had two questions:

  1. Is it possible to “lock” jupyter-users to their home directories and a specific shared folder without impairing the usability of jupyter notebooks?
  2. Should this be a concern? Since the jupyter-users’ privileges are already kind of limited.


TLJH relies heavily on the underlying POSIX model, and some Linux-specific mechanisms, e.g. cgroups, systemd. The sweet spot is for enabling users that would already have SSH access (even if they wouldn’t know how to use it) to read all public (e.g. chmod 777) content in their web browser. Once out of that lane, a more involved deployment using non-home-rolled defense-in-depth layers (e.g. VMs, containers, etc.) might be required.

tljh uses systemd to run users, and you can use systemd unit configuration to limit filesystem access, as described here.

You can use SystemdSpawner.unit_extra_properties to set any additional isolation you want to use that isn’t exposed directly on SystemdSpawner. Alternately, you could switch to a more isolated spawner, like DockerSpawner.
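
A sketch of the `unit_extra_properties` approach suggested above, written as a JupyterHub config drop-in. This is an added example, not code from the thread or from the TLJH project. Assumptions: homes live at `/home/jupyter-{USERNAME}`, SystemdSpawner expands `{USERNAME}` in property values, `/srv/shared` is a constructed placeholder for the shared folder, and the hidden `/opt/tljh/...` paths are where TLJH keeps its config and state.

```python
# Added example (not from the thread): sandbox single-user servers with systemd.
import posixpath


def _check(path):
    """Return a normalised absolute path that is safe inside a systemd path list."""
    # systemd splits BindPaths=/InaccessiblePaths= on whitespace and ':'.
    if not path.startswith("/") or any(ch in path for ch in " \t\n:"):
        raise ValueError(f"need an absolute path without whitespace or ':': {path!r}")
    norm = posixpath.normpath(path)
    if norm == "/":
        raise ValueError("refusing to bind or hide the filesystem root")
    return norm


def sandbox_properties(shared_dir, hidden=(), home="/home/jupyter-{USERNAME}"):
    """Build systemd properties: own home + one shared dir writable, rest read-only."""
    if "{USERNAME}" not in home:
        raise ValueError("home must be per-user, otherwise every user gets the same bind")
    props = {
        # Whole filesystem read-only for the unit (except /dev, /proc, /sys).
        "ProtectSystem": "strict",
        # /home, /root and /run/user replaced by empty tmpfs: other homes vanish.
        "ProtectHome": "tmpfs",
        # Bind the user's own home and the shared directory back in, read-write.
        "BindPaths": f"{_check(home)} {_check(shared_dir)}",
    }
    if hidden:
        # Leading '-' tells systemd to ignore a path that does not exist.
        props["InaccessiblePaths"] = " ".join("-" + _check(p) for p in hidden)
    return props


try:
    c = get_config()  # noqa: F821 - injected by JupyterHub when it loads this file
except NameError:
    c = None  # imported outside JupyterHub, e.g. by a test

if c is not None:
    c.SystemdSpawner.isolate_tmp = True  # private /tmp per user server
    c.SystemdSpawner.unit_extra_properties = sandbox_properties(
        "/srv/shared",  # constructed placeholder for the shared folder
        hidden=["/opt/tljh/config", "/opt/tljh/state"],  # assumed TLJH paths
    )
```

With `ProtectSystem=strict` the rest of the system stays readable (the user environment has to be), so anything that must not be read at all needs file permissions or an `InaccessiblePaths` entry.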