Prevent users from accessing files outside their home directory

Hi folks!

I set up JupyterHub on my local machine for some test purposes. Now I was wondering if there is a way to prevent the newly created users jupyter-<name> from accessing files other than their assigned home directory.

In detail, I don’t want them to open a console in jupyterhub and have access to all other directories and system files on my machine.

Since Jupyter generally means arbitrary code execution, whether in a terminal or a notebook, you need to do isolation like this at the process level. Probably the most common way to do it is to run your users in containers, e.g. with DockerSpawner. You can then mount the user’s home directory from the host system into the container, but not the rest of the filesystem. If you already have users on the system you want to use, DockerSpawner’s SystemUserSpawner may get you most of the way there.

You can possibly also do it with a “chroot jail,” but I suspect that would be quite fiddly to get right with a Python environment.

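The container approach from the answer above, as an added example that is not part of the original thread or of the DockerSpawner project: a `jupyterhub_config.py` that bind-mounts only each user's home directory into their container and refuses to start if the volume map exposes any other host path. The host home layout, the container mount point and the image name are assumptions, and Hub-to-container networking is assumed to be configured separately.

```python
# jupyterhub_config.py (added example; paths and image name are assumptions)
import posixpath

HOST_HOME = "/home/jupyter-{username}"  # assumption: per-user home on the host
CONTAINER_HOME = "/home/jovyan/work"    # assumption: mount point inside the image
VOLUMES = {HOST_HOME: CONTAINER_HOME}   # the only host path a container receives


def host_paths_outside_home(volumes, home=HOST_HOME, sample_user="alice"):
    """Return bind-mount sources in a DockerSpawner volumes map that are
    not inside the per-user home directory.

    Keys that are not absolute paths are Docker named volumes; they do not
    expose the host filesystem and are skipped. Only {username} is expanded,
    so a source using any other template field is reported (fail closed).
    Symlinks are not resolved here.
    """
    root = posixpath.normpath(home.replace("{username}", sample_user))
    bad = []
    for source in volumes:
        if not source.startswith("/"):
            continue  # named volume, not a host path
        path = posixpath.normpath(source.replace("{username}", sample_user))
        # normpath collapses "..", so "/home/jupyter-alice/.." becomes "/home"
        if path != root and not path.startswith(root + "/"):
            bad.append(source)
    return bad


# get_config is only defined while JupyterHub is loading this file, so the
# block below is skipped when the module is imported for testing.
if "get_config" in globals():
    c = get_config()  # noqa: F821
    exposed = host_paths_outside_home(VOLUMES)
    if exposed:
        raise ValueError(f"host paths outside the user home: {exposed}")
    c.JupyterHub.spawner_class = "dockerspawner.DockerSpawner"
    c.DockerSpawner.image = "jupyter/base-notebook"  # assumption: any single-user image
    c.DockerSpawner.volumes = VOLUMES
    c.DockerSpawner.remove = True  # delete the container when the server stops
```

The check also flags `/var/run/docker.sock`, which is worth keeping out of user containers because access to the Docker socket is equivalent to root on the host.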