Set /home/jovyan as read only for jovyan user

Hey

I am running jupyter lab using Docker (image from GitHub - jupyter/docker-stacks: Ready-to-run Docker images containing Jupyter applications) on an EC2 machine on AWS
I have a few directories (under /home/jovyan) mounted from the host machine to the container (using the -v tag) and some of them are read only (using the :ro tag), and some are read-write
I want to be able to set the root directory (this is /home/jovyan) to be read only for the jovyan user, while some of the folders under it are not

I tried running the docker with the --read-only flag but then the container doesn’t have enough permissions to start the jupyterlab server

Is there a way to configure this?

Thanks in advance

Most POSIX systems won’t function very well if the user can’t write to their own home directory. Jupyter, for example, needs ~/.local/share/jupyter/runtime in order to create its registry of kernel sessions. What is driving your requirement? At some point, remote-code-execution-as-a-service cannot be an entirely-controlled experience.

1 Like

Yes so I wasn’t specific enough (edited the question), I want to know if there is a way to set the root directory as read-only - only for the user that is working on the notebook - jovyan.
The reason for this is the architecture of our system, so when a user is working I want him to save all his work in a subfolder (that is mounted to the host machine and is not read only) and not be able to save files in the root /home/jovyan directory

Is it really important that they not be able to, or is it meant as a reminder to use the mounted directory instead?

What about making your intended directory the root directory of the server (jupyter lab /path/to/mounted/dir? Then the root of JupyterLab, etc. will be the mounted directory and JupyterLab won’t be able to create files outside that directory. That would make it unlikely for folks to accidentally create files in the home directory. They’ll still be able to, permission-wise, but not with normal use of JupyterLab.

1 Like

Because of the architecture of our system, files under /home/jovyan will not be saved, so it is important that the users will not be able to create and save files there

We have multiple subdirectories under /home/jovyan so I cannot set one of them to the root of the server :frowning:

Also in any case, even if the directory changes I want to also back this up permission wise - so that even if a user mistakenly tries to save a file, he won’t be able to

This doesn’t follow, unless there’s something I’m missing. Creating files that will not be persisted is only a problem if they were meant to be persisted. So it’s more a matter of expectations than strict requirements, unless you have some audit requirements that all files that are created are always persisted. It is common practice with Jupyterhub, for instance, to not persist $HOME, but persist $HOME/work.

Yes, so because the system does not allow saving files under HOME, but allows saving files under HOME/work

So I do not want to have the users create files under HOME, and then they don’t understand why the files are not there the next time they open the notebook

So I want to set in the notebook, that the user will get a popup with an error when they try to save a file under HOME (not only in the host machine)

If you set the notebook root directory to $HOME/work they won’t be able to create files in $HOME or anywhere outside $HOME/work via any Jupyter API without extra effort. They won’t get a pop-up because they can’t even try to create files in $HOME if you do that. Only other mechanisms, e.g. via the terminal or within notebook code.

If you have mulitple mounts, I would recommend:

  • set the notebook directory to $HOME/work (or some other sub-directory of $HOME)
  • make $HOME/work read-only in your image with chmod a-w $HOME/work
  • place the various mounts as subdirectories of that directory

This way, you’ll have:

  • multiple writable mounts available
  • a top-level directory that users can’t write to, to avoid files failing to be persisted
  • no way for users to write to $HOME via Jupyter UI
  • no problems with $HOME permissions

If you still want to, you can chmod -w $HOME to make only the top-level $HOME directory read-only in your image. I would expect errors to result, though, and would not recommend doing this.

2 Likes