nbgrader
Impersonation of other users via the exchange
Thinking about recent discussions of a different type of exchange, I came to the realization... current exchange service, as it's often used, allows one student to impersonate another with a submission if the student ID is not secret. By default this is the account name, which is normally not private. While not possible using default nbgrader code, all students have a Python shell that can run arbitrary commands, which can do anything nbgrader can...
Interestingly on our setup this is even easier (we use university account names), but because students' code is run with filesystem UID, we can at least track the uid that wrote each file...
Just a consideration for any type of exchange service...
Ah, that's a great point, thanks for bringing this up. I think this should not be a problem with a hubshare-style exchange since you will have to be authenticated through a shared service, but it is definitely a problem for the current version of the exchange.
Indeed.... and something that needs to be made clear in any documentation for creating alternative exchange services
On Thu, 30 May 2019 at 09:37, Jessica B. Hamrick wrote:
Ah, that's a great point, thanks for bringing this up. I think this should not be a problem with a hubshare-style exchange since you will have to be authenticated through a shared service, but it is definitely a problem for the current version of the exchange.
-- Ian
As pointed out by @jhamrick, #1098 makes it easier to try to impersonate someone else, without having to run custom code.
She suggests doing an a posteriori check upon nbgrader collect and complaining if the student_id does not match the file owner, with a config option to disable this check.
I'll try to give this check a shot.
I assume the check will be optional or a warning, for the cases where all users run under the same uid (which I guess is the most common case...)
Even in my case, because of some weird NFS authentication stuff I haven't figured out, the UIDs in the instructor notebook aren't displayed correctly to user processes, so this couldn't be used. (I have to use admin access or another system properly in the domain to check uids).
I assume the check will be optional or a warning
Yes indeed, as a config option.
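A sketch of the a posteriori owner check discussed in this thread, added here as an illustration and not part of any comment or of nbgrader's own code. The function names, the `strict` option and the `<student_id>+<assignment>+<timestamp>` directory naming are assumptions made for the example. Unresolvable UIDs (the NFS case mentioned above) only produce a warning.

```python
import os
import pwd
import tempfile
from pathlib import Path


def owner_name(uid):
    """Map a UID to an account name; None if this host cannot resolve it."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def check_submission(path, resolve=owner_name):
    """Return (status, owners); status is 'ok', 'mismatch' or 'unresolved'."""
    path = Path(path)
    # Assumed layout: '<student_id>+<assignment>+<timestamp>' directory names.
    claimed = path.name.split("+", 1)[0]
    uids = {path.lstat().st_uid}  # lstat: symlinks count by their own owner
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            uids.add(os.lstat(os.path.join(root, name)).st_uid)
    owners = {uid: resolve(uid) for uid in uids}
    if any(name is None for name in owners.values()):
        return "unresolved", owners
    if set(owners.values()) != {claimed}:
        return "mismatch", owners
    return "ok", owners


def collect_check(inbound, strict=False, resolve=owner_name):
    """Check each submission; strict=True drops mismatches, else warn only."""
    accepted, warnings = [], []
    for sub in sorted(Path(inbound).iterdir()):
        status, owners = check_submission(sub, resolve)
        if status != "ok":
            warnings.append(f"{sub.name}: {status}, owners={owners}")
            if strict and status == "mismatch":
                continue
        accepted.append(sub.name)
    return accepted, warnings


if __name__ == "__main__":
    # Constructed sample: a submission claiming "bob", written by the current user.
    with tempfile.TemporaryDirectory() as inbound:
        Path(inbound, "bob+ps1+2019-05-30").mkdir()
        print(collect_check(inbound, True, {os.getuid(): "alice"}.get))
```

Where every user process runs under the same UID, each submission would be reported as a mismatch, which is why the check is left non-strict by default in this sketch.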
Just for fun... modifying timestamps or files after submission too. I saw that if you nbgrader submit from command line it logs enough to know the dir plus random string...