sudospawner icon indicating copy to clipboard operation
sudospawner copied to clipboard

Published 20 hours ago verified publisher icon jupyterhub

'Add User' not working for admin users with JupyterHub run using PAMAuthentication and SudoSpawner

Open kipstakkr opened this issue 6 years ago • 2 comments
trafficstars

I've configured Jupyterhub with SudoSpawner (which runs as a non-root user) and I'm able to run it without any trouble. But when I logged in with the user rhea (as provided in the example) with admin permissions set, I'm not able to add users in the system. I'm getting the following error:

[E 2019-07-24 08:26:56.638 JupyterHub users:94] Failed to create user: newuser Traceback (most recent call last): File "/opt/conda/lib/python3.6/site-packages/jupyterhub/apihandlers/users.py", line 92, in post await maybe_future(self.authenticator.add_user(user)) File "/opt/conda/lib/python3.6/site-packages/jupyterhub/auth.py", line 711, in add_user await maybe_future(self.add_system_user(user)) File "/opt/conda/lib/python3.6/site-packages/jupyterhub/auth.py", line 771, in add_system_user raise RuntimeError("Failed to create system user %s: %s" % (name, err)) RuntimeError: Failed to create system user newuser: adduser: Only root may add a user or group to the system.

I'm guessing it is caused by running JupyterHub as a non-root user and also using PAM Authentication which eventually uses the system users. The only limitation for my project is I must not run JupyterHub as a root user. Is there a way to add users using sudospawner with a different authenticator, else Is there a way to give restricted sudo permission for the user rhea to be able to add users to the system?? @minrk @willingc @yuvipanda

kipstakkr avatar Jul 24 '19 09:07 kipstakkr

I have the same question,have you solved it ?

guobingzhou avatar Feb 04 '21 10:02 guobingzhou

So I thought I would comment since I have a way to do this:

The issue is that you don't have root anymore so that the adduser command fails.

The local authenticators usually allow you to set an add_user_cmd field:

(Change NameOfAuthenticator to the name of your authentication plugin)

c.NameOfAuthenticator.add_user_cmd = [
    "a_command",
    "an_arg",
    "annother_arg",
]

Which is the command that is passed the username to add to.

You can change it to something like this:

c.NameOfAuthenticator.add_user_cmd = [
    "/usr/bin/sudo",
    "/useradder.sh",
]

Where /useradder.sh is the command that will create and hopefully validate the user.

#! /bin/bash
username="${1}"

# Only except names with 0-9 a-z A-Z and a -
if ! [[ "${username}" =~ ^[0-9a-zA-Z-]+$ ]]; then
  echo "Invalid username" >&2
  exit 1
fi

home="/home/${username}"

# Check if home exists and error if it does
if [ -e "${home}" ]; then
    exit 1
fi

options=(
  "--home-dir=${home}"
  "--create-home"
  "--shell=/bin/bash"
  "--password='!'"
  "${username}"
)

useradd "${options[@]}"

You should ensure this /useradder.sh is tightly controlled on who can read or edit it.

chown root:root /useradder.sh
chmod 700 /useradder.sh

Finally we need a sudoers entry that will allow this user to run the command without password

Mine is in /etc/sudoers.d/hubsudoer with these contents. Change TheUserHubRunsAs to the user that run the hub

Cmnd_Alias JUPYTER_USERADD = /useradder.sh *
TheUserHubRunsAs ALL=(root) NOPASSWD:JUPYTER_USERADD

Which should get it working for you

QuantumEntangledAndy avatar Aug 06 '21 08:08 QuantumEntangledAndy