diff --git a/base-notebook/Dockerfile b/base-notebook/Dockerfile index f7280ba0..aa205cc6 100644 --- a/base-notebook/Dockerfile +++ b/base-notebook/Dockerfile @@ -35,6 +35,7 @@ ENV CONDA_DIR=/opt/conda \ NB_USER=$NB_USER \ NB_UID=$NB_UID \ NB_GID=$NB_GID \ + NB_UMASK=0022 \ LC_ALL=en_US.UTF-8 \ LANG=en_US.UTF-8 \ LANGUAGE=en_US.UTF-8 diff --git a/base-notebook/jupyter_notebook_config.py b/base-notebook/jupyter_notebook_config.py index 7bd21bb2..0fad3a29 100644 --- a/base-notebook/jupyter_notebook_config.py +++ b/base-notebook/jupyter_notebook_config.py @@ -37,3 +37,6 @@ if 'GEN_CERT' in os.environ: # Restrict access to the file os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR) c.NotebookApp.certfile = pem_file + +# Change default umask if set using flag +os.umask(int(os.environ['NB_UMASK'], 8)) \ No newline at end of file diff --git a/docs/using/common.md b/docs/using/common.md index ab44315d..77cc96e3 100644 --- a/docs/using/common.md +++ b/docs/using/common.md @@ -27,6 +27,7 @@ the notebook server. You do so by passing arguments to the `docker run` command. * `-e NB_UID=1000` - Instructs the startup script to switch the numeric user ID of `$NB_USER` to the given value. This feature is useful when mounting host volumes with specific owner permissions. For this option to take effect, you must run the container with `--user root`. (The startup script will `su $NB_USER` after adjusting the user ID.) You might consider using modern Docker options `--user` and `--group-add` instead. See the last bullet below for details. * `-e NB_GID=100` - Instructs the startup script to change the primary group of`$NB_USER` to `$NB_GID` (the new group is added with a name of `$NB_GROUP` if it is defined, otherwise the group is named `$NB_USER`). This feature is useful when mounting host volumes with specific group permissions. For this option to take effect, you must run the container with `--user root`. (The startup script will `su $NB_USER` after adjusting the group ID.) You might consider using modern Docker options `--user` and `--group-add` instead. See the last bullet below for details. The user is added to supplemental group `users` (gid 100) in order to allow write access to the home directory and `/opt/conda`. If you override the user/group logic, ensure the user stays in group `users` if you want them to be able to modify files in the image. * `-e NB_GROUP=` - The name used for `$NB_GID`, which defaults to `$NB_USER`. This is only used if `$NB_GID` is specified and completely optional: there is only cosmetic effect. +* `-e NB_UMASK=` - Configures Jupyter to use a different umask value from default, i.e. `022`. For example, if setting umask to `002`, new files will be readable and writable by group members instead of just writable by the owner. Wikipedia has a good article about [umask](https://en.wikipedia.org/wiki/Umask). Feel free to read it in order to choose the value that better fits your needs. Default value should fit most situations. * `-e CHOWN_HOME=yes` - Instructs the startup script to change the `$NB_USER` home directory owner and group to the current value of `$NB_UID` and `$NB_GID`. This change will take effect even if the user home directory is mounted from the host using `-v` as described below. The change is **not** applied recursively by default. You can change modify the `chown` behavior by setting `CHOWN_HOME_OPTS` (e.g., `-e CHOWN_HOME_OPTS='-R'`). * `-e CHOWN_EXTRA=",` - Instructs the startup script to change the owner and group of each comma-separated container directory to the current value of `$NB_UID` and `$NB_GID`. The change is **not** applied recursively by default. You can change modify the `chown` behavior by setting `CHOWN_EXTRA_OPTS` (e.g., `-e CHOWN_EXTRA_OPTS='-R'`). * `-e GRANT_SUDO=yes` - Instructs the startup script to grant the `NB_USER` user passwordless `sudo` capability. You do **not** need this option to allow the user to `conda` or `pip` install additional packages. This option is useful, however, when you wish to give `$NB_USER` the ability to install OS packages with `apt` or modify other root-owned files in the container. For this option to take effect, you must run the container with `--user root`. (The `start-notebook.sh` script will `su $NB_USER` after adding `$NB_USER` to sudoers.) **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**