I am using github oauth to let user login, and once new user login to jupyterhub, he/she got root path access right in jupyter’s terminal or any other system login way. I run jupyterhub with sudo, but it still not right, spawn user should not have that privileges. And I tried using non-sudo way to run jupyterhub (by following the instructions in this doc : Run JupyterHub without root privileges using sudo — JupyterHub documentation ) but this problem still there. Users can still view the entire system. How to fix this? Thank you!
does it really say ‘root’, when you type whoami in the terminal?
reading access to most of the filesystem is totally normal for the average non-root user.
My main need is to prevent jupyterhub users from reading sensitive information, for example I put in oauth and db’s id and secret in /etc/environment for config as installation doc said. This information is now readable by all new jupyterhub users who should not have been able to see it.
Update:
I use setfacl to restrict all users in hub-user group to read/write/exec this file.This may be a temporary solution, because I’m not sure if I can apply this to more system folders. anyway it solves the problem for now and works fine.
You should run it in a container. I don’t think the localspawner makes sense to work with github oauth.
I’m running hub on a public VM, for the reason that in our country there are a lot of ip restrictions that prevent certain resources from connecting locally.