From 7d73d5774ee5b7aae5917b7d11a366238a24dc49 Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Wed, 19 Oct 2022 12:37:13 +0100 Subject: [PATCH 1/4] update websecurity.md - fix typos/edit text - add important links --- docs/source/reference/websecurity.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/source/reference/websecurity.md b/docs/source/reference/websecurity.md index 8473c3e9..b5ab2680 100644 --- a/docs/source/reference/websecurity.md +++ b/docs/source/reference/websecurity.md @@ -16,9 +16,9 @@ JupyterHub is designed to be a _simple multi-user server for modestly sized groups_ of **semi-trusted** users. While the design reflects serving semi-trusted users, JupyterHub is not necessarily unsuitable for serving **untrusted** users. -Using JupyterHub with **untrusted** users does mean more work by the +Using JupyterHub with **untrusted** users does mean more work for the administrator. Much care is required to secure a Hub, with extra caution on -protecting users from each other as the Hub is serving untrusted users. +protecting users from each other, since the Hub serves untrusted users. One aspect of JupyterHub's _design simplicity_ for **semi-trusted** users is that the Hub and single-user servers are placed in a _single domain_, behind a @@ -47,7 +47,7 @@ ensure that: - If the `PATH` is used to resolve the single-user executable (instead of using an absolute path), a user **may not** create new files in any `PATH` directory that precedes the directory containing `jupyterhub-singleuser`. - - A user may not modify environment variables (e.g. PATH, PYTHONPATH) for + - A user may not modify environment variables (e.g. `PATH`, `PYTHONPATH`) for their single-user server. - A user **may not** modify the configuration of the notebook server (the `~/.jupyter` or `JUPYTER_CONFIG_DIR` directory). @@ -58,7 +58,7 @@ If any additional services are run on the same domain as the Hub, the services ## Mitigate security issues -Several approaches to mitigating these issues with configuration +The several approaches to mitigating security issues with configuration options provided by JupyterHub include: ### Enable subdomains @@ -76,10 +76,10 @@ resolves the cross-site issues. ### Disable user config -If subdomains are not available or not desirable, JupyterHub provides a +If subdomains are unavailable or undesirable, JupyterHub provides a configuration option `Spawner.disable_user_config`, which can be set to prevent the user-owned configuration files from being loaded. After implementing this -option, PATHs and package installation and PATHs are the other things that the +option, `PATH`s and package installation are the other things that the admin must enforce. ### Prevent spawners from evaluating shell configuration files @@ -119,14 +119,12 @@ extend to securing the `tcp` sockets as well. ## Security audits We recommend that you do periodic reviews of your deployment's security. It's -good practice to keep JupyterHub, configurable-http-proxy, and nodejs -versions up to date. +good practice to keep [JupyterHub](https://readthedocs.org/projects/jupyterhub/), [configurable-http-proxy](https://github.com/jupyterhub/configurable-http-proxy), and [nodejs +versions](https://github.com/nodejs/Release) up to date. A handy website for testing your deployment is [Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html). -[configurable-http-proxy]: https://github.com/jupyterhub/configurable-http-proxy - ## Vulnerability reporting If you believe you’ve found a security vulnerability in JupyterHub, or any From ecf486d678d15b0a0968a81fa58406a674a522b7 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 11:59:09 +0000 Subject: [PATCH 2/4] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/reference/websecurity.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/source/reference/websecurity.md b/docs/source/reference/websecurity.md index 6cdf67d9..2e77f176 100644 --- a/docs/source/reference/websecurity.md +++ b/docs/source/reference/websecurity.md @@ -126,7 +126,8 @@ versions](https://github.com/nodejs/Release) up to date. We recommend that you do periodic reviews of your deployment's security. It is good practice to keep JupyterHub, configurable-http-proxy, and nodejs versions up to date. ->>>>>>> main + +> > > > > > > main A handy website for testing your deployment is [Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html). From 281658ccce2935c1b070232c5b8c511946fb315a Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Thu, 20 Oct 2022 07:48:52 +0100 Subject: [PATCH 3/4] update websecurity.md Delete erroneous text from merge conflict --- docs/source/reference/websecurity.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/source/reference/websecurity.md b/docs/source/reference/websecurity.md index 2e77f176..4b82c8d2 100644 --- a/docs/source/reference/websecurity.md +++ b/docs/source/reference/websecurity.md @@ -118,16 +118,9 @@ extend to securing the `tcp` sockets as well. ## Security audits -<<<<<<< HEAD We recommend that you do periodic reviews of your deployment's security. It's good practice to keep [JupyterHub](https://readthedocs.org/projects/jupyterhub/), [configurable-http-proxy](https://github.com/jupyterhub/configurable-http-proxy), and [nodejs versions](https://github.com/nodejs/Release) up to date. -======= -We recommend that you do periodic reviews of your deployment's security. It is -good practice to keep JupyterHub, configurable-http-proxy, and nodejs -versions up to date. - -> > > > > > > main A handy website for testing your deployment is [Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html). From 145ccfbd4f4820dfa3d94ae36bbe29466d63f60f Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Thu, 20 Oct 2022 10:36:59 +0100 Subject: [PATCH 4/4] update websecurity.md --- docs/source/reference/websecurity.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/source/reference/websecurity.md b/docs/source/reference/websecurity.md index 4b82c8d2..67d9e8f2 100644 --- a/docs/source/reference/websecurity.md +++ b/docs/source/reference/websecurity.md @@ -119,12 +119,14 @@ extend to securing the `tcp` sockets as well. ## Security audits We recommend that you do periodic reviews of your deployment's security. It's -good practice to keep [JupyterHub](https://readthedocs.org/projects/jupyterhub/), [configurable-http-proxy](https://github.com/jupyterhub/configurable-http-proxy), and [nodejs +good practice to keep [JupyterHub](https://readthedocs.org/projects/jupyterhub/), [configurable-http-proxy][], and [nodejs versions](https://github.com/nodejs/Release) up to date. A handy website for testing your deployment is [Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html). +[configurable-http-proxy]: https://github.com/jupyterhub/configurable-http-proxy + ## Vulnerability reporting If you believe you have found a security vulnerability in JupyterHub, or any