LocalProcessSpawner preexec problems: groups not set, pam session wrong scope

[clhedrick]

Bug description

Two problems with the preexec passed to Popen when starting the single server:

• If you are using IPA for user/group management, only groups defined in /etc/groups are set, not those that come from LDAP
• If you ask for a PAM session, it puts the top level jupyterhub process in the session, not the single server

For the first, rather than

gids = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]

in the wrapper, do

       os.initgroups(userent.pw_name, userent.pw_gid)

in the preexec function itself. Initgroups uses undocumented internal libc calls to get just the groups for that user, and is thus much more efficient than getgrall for sites with many users and groups. It also works properly with IPA.

For the second, put the

       pamela.open_session(userent.pw_name,service='jupyterhub')

in the preexec function, not the authentication code.

Here's my actual code, from jupyterhub_config.py

class LocalProcessSpawnerEnv(LocalProcessSpawner):

    async def start(self):
        myuser = self.user.name

        def mypreexec():
           userent = pwd.getpwnam(myuser)
           pamela.open_session(userent.pw_name,service='jupyterhub')
           os.initgroups(userent.pw_name, userent.pw_gid)
           os.setgid(userent.pw_gid)
           os.setuid(userent.pw_uid)
           try:
              os.chdir(userent.pw_dir)
           except:
              pass

        self.popen_kwargs = dict(
           preexec_fn = mypreexec,
           start_new_session=True,  # don't forward signals                                                                
        )

        # actually start the process                                                                                       
        startret = await super().start()

        return startret

How to reproduce

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behaviour

Actual behaviour

Your personal set up

• OS:

• Version(s):

Full environment

# paste output of `pip freeze` or `conda list` here

Configuration

# jupyterhub_config.py

Logs

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[minrk]

The PAM sessions being wrong is already open at #2973, documented, and why sessions are off by default.

#4628 may already fix the other issue, though it calls os.getgrouplist instead of os.initgroups, which sounds like it might be better. Would you like to make a PR for that?

[minrk]

If anyone has a Dockerfile where PAM sessions open and close actually do things, that would be a huge help for testing this kind of thing. I tried setting up a simple toy with pam_python, but I can only get it to segfault, not actually do anything.