From 35b06481e2235d433748c8a4343a98a5f2aa0461 Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Sun, 23 Oct 2022 19:03:32 +0100 Subject: [PATCH 1/4] Update config-sudo.md --- docs/source/reference/config-sudo.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/source/reference/config-sudo.md b/docs/source/reference/config-sudo.md index 33e1ad00..35a59bce 100644 --- a/docs/source/reference/config-sudo.md +++ b/docs/source/reference/config-sudo.md @@ -6,8 +6,8 @@ Only do this if you are very sure you must. ## Overview -There are many Authenticators and Spawners available for JupyterHub. Some, such -as DockerSpawner or OAuthenticator, do not need any elevated permissions. This +There are many [Authenticators](./authenticators-users-basics) and [Spawners](./spawners-basics) available for JupyterHub. Some, such +as [DockerSpawner](https://github.com/jupyterhub/dockerspawner) or [OAuthenticator](https://github.com/jupyterhub/oauthenticator), do not need any elevated permissions. This document describes how to get the full default behavior of JupyterHub while running notebook servers as real system users on a shared system without running the Hub itself as root. @@ -46,7 +46,7 @@ We want to confine these permissions to only what we really need. ## Edit `/etc/sudoers` -To do this we add to `/etc/sudoers` (use `visudo` for safe editing of sudoers): +To do this we write to `/etc/sudoers` (use `visudo` for safe editing of sudoers): - specify the list of users `JUPYTER_USERS` for whom `rhea` can spawn servers - set the command `JUPYTER_CMD` that `rhea` can execute on behalf of users 
@@ -150,7 +150,7 @@ We want our new user to be able to read the shadow passwords, so add it to the s $ sudo usermod -a -G shadow rhea ``` -If you want jupyterhub to serve pages on a restricted port (such as port 80 for http), +If you want jupyterhub to serve pages on a restricted port (such as port 80 for HTTP), then you will need to give `node` permission to do so: ```bash From 7b636b6f9c96f4e2174a34952c474db92cd98af5 Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Sun, 23 Oct 2022 19:26:24 +0100 Subject: [PATCH 2/4] Update config-sudo.md --- docs/source/reference/config-sudo.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/source/reference/config-sudo.md b/docs/source/reference/config-sudo.md index 35a59bce..55ad2fb3 100644 --- a/docs/source/reference/config-sudo.md +++ b/docs/source/reference/config-sudo.md @@ -9,7 +9,7 @@ Only do this if you are very sure you must. There are many [Authenticators](./authenticators-users-basics) and [Spawners](./spawners-basics) available for JupyterHub. Some, such as [DockerSpawner](https://github.com/jupyterhub/dockerspawner) or [OAuthenticator](https://github.com/jupyterhub/oauthenticator), do not need any elevated permissions. This document describes how to get the full default behavior of JupyterHub while -running notebook servers as real system users on a shared system without +running notebook servers as real system users on a shared system, without running the Hub itself as root. Since JupyterHub needs to spawn processes as other users, the simplest way @@ -90,7 +90,7 @@ $ adduser -G jupyterhub newuser Test that the new user doesn't need to enter a password to run the sudospawner command. -This should prompt for your password to switch to rhea, but _not_ prompt for +This should prompt for your password to switch to `rhea`, but _not_ prompt for any password for the second switch. It should show some help output about logging options: 
@@ -119,7 +119,7 @@ the shadow password database. ### Shadow group (Linux) -**Note:** On Fedora based distributions there is no clear way to configure +**Note:** On [Fedora based distributions](https://fedoraproject.org/wiki/List_of_Fedora_remixes) there is no clear way to configure the PAM database to allow sufficient access for authenticating with the target user's password from JupyterHub. As a workaround we recommend use an [alternative authentication method](https://github.com/jupyterhub/jupyterhub/wiki/Authenticators). @@ -226,7 +226,7 @@ And try logging in. ## Troubleshooting: SELinux If you still get a generic `Permission denied` `PermissionError`, it's possible SELinux is blocking you. -Here's how you can make a module to allow this. +Here's how you can make a module to resolve this. First, put this in a file named `sudo_exec_selinux.te`: ```bash @@ -253,6 +253,6 @@ $ semodule -i sudo_exec_selinux.pp ## Troubleshooting: PAM session errors If the PAM authentication doesn't work and you see errors for -`login:session-auth`, or similar, considering updating to a more recent version -of jupyterhub and disabling the opening of PAM sessions with +`login:session-auth`, or similar, consider updating to a more recent [version +of jupyterhub](https://readthedocs.org/projects/jupyterhub/) and disabling the opening of PAM sessions with `c.PAMAuthenticator.open_sessions=False`. From e76e9099c2bba2d472b02a2a09741e79beb27431 Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Mon, 24 Oct 2022 11:33:48 +0100 Subject: [PATCH 3/4] Update docs/source/reference/config-sudo.md Co-authored-by: Min RK --- docs/source/reference/config-sudo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/reference/config-sudo.md b/docs/source/reference/config-sudo.md index 55ad2fb3..1db337f1 100644 --- a/docs/source/reference/config-sudo.md +++ b/docs/source/reference/config-sudo.md 
@@ -46,7 +46,7 @@ We want to confine these permissions to only what we really need. ## Edit `/etc/sudoers` -To do this we write to `/etc/sudoers` (use `visudo` for safe editing of sudoers): +To do this we add to `/etc/sudoers` (use `visudo` for safe editing of sudoers): - specify the list of users `JUPYTER_USERS` for whom `rhea` can spawn servers - set the command `JUPYTER_CMD` that `rhea` can execute on behalf of users From 1c95d94b96c4e3d890b2cbc144d3c514ee44459c Mon Sep 17 00:00:00 2001 From: Christian Dike Date: Mon, 24 Oct 2022 11:38:58 +0100 Subject: [PATCH 4/4] Update config-sudo.md --- docs/source/reference/config-sudo.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/reference/config-sudo.md b/docs/source/reference/config-sudo.md index 1db337f1..2962ae97 100644 --- a/docs/source/reference/config-sudo.md +++ b/docs/source/reference/config-sudo.md @@ -253,6 +253,6 @@ $ semodule -i sudo_exec_selinux.pp ## Troubleshooting: PAM session errors If the PAM authentication doesn't work and you see errors for -`login:session-auth`, or similar, consider updating to a more recent [version -of jupyterhub](https://readthedocs.org/projects/jupyterhub/) and disabling the opening of PAM sessions with +`login:session-auth`, or similar, consider updating to a more recent version +of jupyterhub and disabling the opening of PAM sessions with `c.PAMAuthenticator.open_sessions=False`.
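Review bot: The two replacement lines in the Overview hunk of [PATCH 1/4] (`@@ -6,8 +6,8 @@`) are much longer than the wrapped lines around them, because four links were added without re-wrapping the paragraph. Re-wrap it so later diffs of this text stay readable. The relative targets `./authenticators-users-basics` and `./spawners-basics` are also worth checking in a docs build, since this file lives in `docs/source/reference/` and the links only work if those pages resolve from that directory.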
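Review bot: "write to `/etc/sudoers`" in [PATCH 1/4], hunk `@@ -46,7 +46,7 @@`, reads as replacing the file, while the bullets that follow describe entries being added to it (the `JUPYTER_USERS` list and the `JUPYTER_CMD` command). Keep "add to": on a sudoers file the difference matters, because a reader who overwrites the file loses its existing rules. [PATCH 3/4] restores the original wording, so the series could be squashed to leave this line untouched.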
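Review bot: The link added to "Fedora based distributions" in [PATCH 2/4], hunk `@@ -119,7 +119,7 @@`, points at `List_of_Fedora_remixes`, which by its name covers remixes only and so narrows a note that is worded to apply to any Fedora-based system. Either drop the link or pick a target that matches the wording. The unchanged sentence in the same hunk still reads "we recommend use an"; "we recommend using an" could be fixed in the same pass, and the changed line needs re-wrapping.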
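Review bot: "resolve this" in [PATCH 2/4], hunk `@@ -226,7 +226,7 @@`, is vaguer than the "allow this" it replaces. The section has the reader write `sudo_exec_selinux.te` and install the result with `semodule -i sudo_exec_selinux.pp`, which grants something SELinux was denying, and "allow" tells the reader that the step loosens policy. Suggest keeping "allow", or naming what the module permits. Separately, the context line opens the `.te` listing with a `bash` fence, which mislabels policy source as shell.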
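Review bot: The link target added in [PATCH 2/4], hunk `@@ -253,6 +253,6 @@`, `https://readthedocs.org/projects/jupyterhub/`, is the project page on Read the Docs and does not tell the reader which version counts as "more recent"; the link text is also split across a line break (`[version` / `of jupyterhub]`), which is hard to read in source. The "considering" to "consider" correction in the same hunk is right and should stay. [PATCH 4/4] removes the link again while keeping "consider", so folding 4/4 into 2/4 would give a cleaner history.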