Run jupyterhub-ssh & sftp as least privileged processes #16

Open
yuvipanda opened this issue Oct 27, 2020 · 1 comment

@yuvipanda
Owner

jupyterhub-ssh should run as an unprivileged process, with the
container quite locked down in the helm configuration.

jupyterhub-sftp requires CAP_SYS_ADMIN and root, so we can
bind mount user home directories & sshd can chroot into them.
However, we should drop all other permissions there.

yuvipanda added a commit that referenced this issue Oct 27, 2020
yuvipanda added a commit that referenced this issue Oct 27, 2020
sshd still needs to run as root, but hey we can drop
as many things as we can!

Ref #16
@yuvipanda
Owner Author

So I played around with this, and dropped privs for the ssh process. However, jupyterhub-sftp still needs to run privileged, since it bind mounts and sshd chroots. CAP_SYS_ADMIN wasn't enough for the bind-mounting, although it was for chrooting....
