check config file permissions

[oliver-sanders]

Problem

Currently Jupyter Server does not check the permissions of config files before it loads them.

This means that a user could accidentally open up a nasty security vulnerability [1] by making a mistake with their file permissions.

Proposed Solution

Some secure systems such as OpenSSH check the permissions of configuration files [2] to make sure that they are not world-writeable as this would be a security vulnerability.

This is a reasonably simple and inexpensive check that would allow us to detect a condition in which the server is being asked to run in a fundamentally insecure environment.

Do we think this would be a reasonable feature for Jupyter Server?

[1]: These files configure the security of the server and in the case of Python files involve arbitrary code execution.
[2]: More accurately OpenSSH checks the permissions of the directory which contains the configuration file along with SSH key files (which should only be user-readable).

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[kevin-bates]

Hi @oliver-sanders, you raise a very valid issue that should be addressed IMO. Since the configuration subsystem (traitlets) is so heavily tied to the Application class (via JupyterApp), I think it may be difficult to adequately hook this without requiring updates to traitlets itself since the files are loaded essentially at the time of their discovery.

This issue could probably be simplified to just python-based configuration files. These files are indeed executed as part of their load. If we were to update traitlets, this is probably the kind of thing that would need to be optionally enforced. We could unconditionally issue a warning message, but I think any fatal exceptions would require opt-in, not necessarily by the user, but more by the application - at least until a major release cycle (which just happened with traitlets 5.0, and was a long time coming).

I suppose we (Jupyter Server) could patch in our own PyFileConfigLoader subclass that checks if the file is writable by others (and groups?) prior to deferring to its superclass if the perms are sufficient.

I'm also not that familiar with server extension configuration loading, but I would expect that to be similarly intertwined with traitlets, so addressing this at that level seems like the best approach.

I'm hoping there's a more straightforward solution here that I'm not aware of. Ideas?