Disabling terminal access?

2,209 views
Skip to first unread message

Sandbo Chang

unread,
Feb 9, 2016, 6:05:29 PM2/9/16
to Project Jupyter
I just realized that by connecting to a Jupyter Notebook session, I can open a terminal and have root access immediately.

This is kind of unsafe, may I know if there is a way either
1. Disable root access on that terminal? (Maybe I started the Jupyter Notebook server as service with root privilege)
2. Remove the terminal function completely?

It would be of great help, as I intended to share the notebook to my group mates which can get things messed up if someone compromised it.
Thank you in advance.

Background:
Fedora Workstation 23
Jupyter Notebook server with Python 3.4, access from browser

Thomas Kluyver

unread,
Feb 9, 2016, 6:09:42 PM2/9/16
to Project Jupyter
If you uninstall a package called 'terminado', terminals will disappear. BUT anything you can do from the terminal, you can do from a notebook anyway, so don't rely on this as any kind of security measure.

I wouldn't recommend running the notebook server as root unless it's safely locked inside a container where it can't do any real damage.

--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+u...@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/253765bd-0d52-4475-a4d5-376697d5fe22%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sandbo Chang

unread,
Feb 9, 2016, 6:18:23 PM2/9/16
to Project Jupyter
Hello again,

Thanks for the answer, I didn't know how much can be done using just the notebook, that seems a big loophole I have created.
I actually want to run the notebook servers as a standard user, 
now it's having root access I guess I did something wrong.

The way I did it:
I generated the config file, and modify only to change port, and add SSL encryption to the connection, plus giving it the path of work directory.
Then I copy the config file to a dir I made inside, say /etc/jupyter/user.
Finally I created a .service file in /etc/systemd/system, called it jupyternotebook.service and enabled it.
Would there be something I can do to give it only user access, but running it as a service?

But it seems now to be more of a Linux trick I have to look up.

Matthias Bussonnier

unread,
Feb 9, 2016, 6:53:07 PM2/9/16
to jup...@googlegroups.com
Hey,

if you want to run notebook for multiple users, I would suggest
looking at https://github.com/jupyter/jupyterhub

It is made to spawn servers on user behalf (the documentation will
explain how).
plus it will provide a login page with authentication that can be
hooked into more or less any user management system.

--
M
> https://groups.google.com/d/msgid/jupyter/2b26e93f-ed41-43bd-8164-75d150c6eba0%40googlegroups.com.

Sandbo Chang

unread,
Feb 9, 2016, 7:12:52 PM2/9/16
to Project Jupyter
Thanks for letting me know, that looks a very neat project.
I should be trying that some time later.

At the moment, I just dedicated another Jupyter notebook server using a different port, and giving it a different workplace.
The workaround of my issue in this post was actually pretty simple:
I can start a service not as root but a standard user. The only thing being I intended to have the workplace in a Dropbox shared folder on a RAID 1 drive,
that turns out I have to blind mount that particular subdir to another location for non-root Jupyter server to access it.

Thomas Kluyver

unread,
Feb 10, 2016, 5:53:02 AM2/10/16
to Project Jupyter
On 9 February 2016 at 23:18, Sandbo Chang <sandb...@gmail.com> wrote:
Finally I created a .service file in /etc/systemd/system, called it jupyternotebook.service and enabled it.
Would there be something I can do to give it only user access, but running it as a service?

There's some information here on using systemd to manage user services - that sounds like what you want:
https://wiki.archlinux.org/index.php/Systemd/User

Thomas

Sandbo Chang

unread,
Feb 10, 2016, 1:11:14 PM2/10/16
to Project Jupyter
Thanks a lot for the idea,
it's actually very simple:

simply added an entry in the .service file "User=<intended user>", attaching my script for reference in the future:
You can create a <file name>.service in the path /etc/systemd/system, at least for Fedora 23

[Unit]                                                                                                                
Description=<a description you give>                                                                                            
Wants=network-online.target                                                                                          
After=network-online.target                                                                                          
                                                                                                                     
[Service]                                                                                                            
User=<intended user>                                                                                                          
TimeoutStartSec=10                                                                                                    
ExecStart=/usr/bin/jupyter notebook --config=<path to your jupyter notebook config file>                      
                                                                                                                     
[Install]                                                                                                            
WantedBy=multi-user.target    
Reply all
Reply to author
Forward
0 new messages