Two problems with the preexec passed to Popen when starting the single server:
If you are using IPA for user/group management, only groups defined in /etc/groups are set, not those that come from LDAP
If you ask for a PAM session, it puts the top level jupyterhub process in the session, not the single server
For the first, rather than
gids = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
in the wrapper, do
os.initgroups(userent.pw_name, userent.pw_gid)
in the preexec function itself. Initgroups uses undocumented internal libc calls to get just the groups for that user, and is thus much more efficient than getgrall for sites with many users and groups. It also works properly with IPA.
The PAM sessions being wrong is already open at #2973, documented, and why sessions are off by default.
#4628 may already fix the other issue, though it calls os.getgrouplist instead of os.initgroups, which sounds like it might be better. Would you like to make a PR for that?
If anyone has a Dockerfile where PAM sessions open and close actually do things, that would be a huge help for testing this kind of thing. I tried setting up a simple toy with pam_python, but I can only get it to segfault, not actually do anything.
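The sketch below is an added example, not code from the issue, its author's configuration, or JupyterHub. It compares the enumeration approach quoted in the issue with a per-user lookup, and builds a preexec function that calls os.initgroups before dropping the uid. All function names are hypothetical, and the preexec only takes effect when the parent process runs as root.

```python
import grp
import os
import pwd


def groups_by_enumeration(username):
    """The approach quoted in the issue: scan every group for the user name.

    Only sees groups the NSS backend agrees to enumerate; SSSD, for one,
    has enumeration off by default, so directory groups can be absent.
    """
    return [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]


def groups_by_lookup(username):
    """Ask libc for this one user's groups (os.getgrouplist, as in the reply)."""
    user = pwd.getpwnam(username)
    return os.getgrouplist(user.pw_name, user.pw_gid)


def missed_by_enumeration(username):
    """Supplementary gids the per-user lookup finds but the scan does not."""
    primary = pwd.getpwnam(username).pw_gid
    found = set(groups_by_lookup(username))
    return found - set(groups_by_enumeration(username)) - {primary}


def make_preexec(username):
    """Build a preexec_fn that drops from root to `username`."""
    user = pwd.getpwnam(username)  # resolve in the parent so errors surface early

    def preexec():
        # Order matters: group changes need privilege, so the uid goes last.
        os.initgroups(user.pw_name, user.pw_gid)
        os.setgid(user.pw_gid)
        os.setuid(user.pw_uid)
        # Refuse to exec the child if the drop did not fully take effect.
        if os.getuid() != user.pw_uid or os.geteuid() != user.pw_uid:
            raise RuntimeError("uid drop failed")
        if os.getgid() != user.pw_gid:
            raise RuntimeError("gid drop failed")

    return preexec


if __name__ == "__main__":
    name = pwd.getpwuid(os.getuid()).pw_name
    print("enumeration:", sorted(groups_by_enumeration(name)))
    print("lookup:     ", sorted(groups_by_lookup(name)))
    print("missed:     ", sorted(missed_by_enumeration(name)))
```

A non-empty "missed" set for a directory-managed account on a given host means the enumeration approach would start that user's server without those supplementary groups.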
Bug description
Two problems with the preexec passed to Popen when starting the single server:
For the first, rather than
in the wrapper, do
in the preexec function itself. Initgroups uses undocumented internal libc calls to get just the groups for that user, and is thus much more efficient than getgrall for sites with many users and groups. It also works properly with IPA.
For the second, put the
in the preexec function, not the authentication code.
Here's my actual code, from jupyterhub_config.py