(Windows) Kernel dead due to permission error #479

Closed
KikeM opened this issue Sep 18, 2019 · 12 comments

Comments

@KikeM

KikeM commented Sep 18, 2019

With version 5.3.3 there seems to be a problem running the jupyter app.

I cannot give the traceback call since it could have sensitive information due to the paths and usernames within my company, but I can tell you it reports

PermissionError: [Errno 13] Permission denied: 'Path\\to\\jupyter\\runtime\\specific_file.json'

With version 5.3.1 I do not have this problem.

@kevin-bates
Member

@KikeM - thank you for the information. However, because this is almost certainly related to the recent secure_write changes, it would be helpful if you could provide a "scrubbed" traceback such that the python files and line numbers are preserved? This information would also help determine if your issue is downstream from that code.

If there are usernames, perhaps each unique name could be replaced with a correspondingly unique value ('bob' -> 'xxxx', 'alice' -> 'yyyy'), etc.

Thanks.
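
The scrubbing requested in the comment above, as an added example that is not part of the original thread: each sensitive name gets its own stable placeholder, and the result is rejected if any frame's file name or line number changed. The function names, the placeholder scheme and the sample traceback (with the invented names "alice" and "acme-ml") are assumptions made for illustration.

```python
import re

FRAME_RE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+)')

# Constructed sample; the names "alice" and "acme-ml" are invented for this example.
SAMPLE = r'''Traceback (most recent call last):
  File "D:\Users\alice\envs\acme-ml\lib\site-packages\jupyter_client\connect.py", line 102, in secure_write
    with os.fdopen(os.open(fname, open_flag, 0o600), mode) as f:
PermissionError: [Errno 13] Permission denied: 'D:\\Users\\Alice\\AppData\\Roaming\\jupyter\\runtime\\kernel-XXXXX.json'
'''


def frames(text):
    """Return (file name, line number) per frame: what a maintainer needs."""
    return [(re.split(r"[\\/]", m["path"])[-1], int(m["line"]))
            for m in FRAME_RE.finditer(text)]


def scrub_traceback(text, sensitive):
    """Replace each sensitive name with its own stable placeholder."""
    # De-duplicate case-insensitively (Windows paths ignore case) and put the
    # longest names first so "alice.smith" is not half-replaced by "alice".
    names = sorted(dict.fromkeys(n.lower() for n in sensitive if n),
                   key=len, reverse=True)
    mapping = {name: f"name{i}" for i, name in enumerate(names, 1)}
    if not mapping:
        return text, mapping
    pattern = re.compile("|".join(map(re.escape, names)), re.IGNORECASE)
    scrubbed = pattern.sub(lambda m: mapping[m.group(0).lower()], text)
    # A name that also occurs in a module file name (e.g. a user called
    # "connect") would damage the frames; refuse rather than mislead.
    if frames(scrubbed) != frames(text):
        raise ValueError("scrubbing altered a file name or line number")
    return scrubbed, mapping


if __name__ == "__main__":
    cleaned, used = scrub_traceback(SAMPLE, ["alice", "acme-ml"])
    print(cleaned)
    print(used)
```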

@KikeM
Author

KikeM commented Sep 19, 2019

You are very right, I should have thought about that.
Here you go! :D

Environment

Python / Pip

  • Python 3.6.7
  • pip 18.1

Jupyter-related packages

  • jupyter 1.0.0
  • jupyter-client 5.3.3
  • jupyter-console 6.0.0
  • jupyter-contrib-core 0.3.3
  • jupyter-contrib-nbextensions 0.5.1
  • jupyter-core 4.5.0
  • jupyter-highlight-selected-word 0.2.0
  • jupyter-latex-envs 1.4.6
  • jupyter-nbextensions-configurator 0.4.1
  • notebook 6.0.1

Traceback error

The following happened when I clicked on one of the notebooks to open them.

Uncaught exception POST /api/sessions (::1)
    HTTPServerRequest(protocol='http', host='localhost:8889', method='POST', uri='/api/sessions', version='HTTP/1.1', remote_ip='::1')
    Traceback (most recent call last):
      File "yyyyy\envs\env_name\lib\site-packages\tornado\web.py", line 1699, in _execute
        result = await result
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "yyyyy\envs\env_name\lib\site-packages\notebook\services\sessions\handlers.py", line 72, in post
        type=mtype))
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 735, in run
        value = future.result()
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "yyyyy\envs\env_name\lib\site-packages\notebook\services\sessions\sessionmanager.py", line 88, in create_session
        kernel_id = yield self.start_kernel_for_session(session_id, path, name, type, kernel_name)
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 735, in run
        value = future.result()
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "yyyyy\envs\env_name\lib\site-packages\notebook\services\sessions\sessionmanager.py", line 101, in start_kernel_for_session
        self.kernel_manager.start_kernel(path=kernel_path, kernel_name=kernel_name)
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 735, in run
        value = future.result()
      File "yyyyy\envs\env_name\lib\site-packages\tornado\gen.py", line 209, in wrapper
        yielded = next(result)
      File "yyyyy\envs\env_name\lib\site-packages\notebook\services\kernels\kernelmanager.py", line 168, in start_kernel
        super(MappingKernelManager, self).start_kernel(**kwargs)
      File "yyyyy\envs\env_name\lib\site-packages\jupyter_client\multikernelmanager.py", line 110, in start_kernel
        km.start_kernel(**kwargs)
      File "yyyyy\envs\env_name\lib\site-packages\jupyter_client\manager.py", line 240, in start_kernel
        self.write_connection_file()
      File "yyyyy\envs\env_name\lib\site-packages\jupyter_client\connect.py", line 547, in write_connection_file
        kernel_name=self.kernel_name
      File "yyyyy\envs\env_name\lib\site-packages\jupyter_client\connect.py", line 212, in write_connection_file
        with secure_write(fname) as f:
      File "yyyyy\envs\env_name\lib\contextlib.py", line 81, in __enter__
        return next(self.gen)
      File "yyyyy\envs\env_name\lib\site-packages\jupyter_client\connect.py", line 102, in secure_write
        with os.fdopen(os.open(fname, open_flag, 0o600), mode) as f:
    PermissionError: [Errno 13] Permission denied: 'Path\\To\\AppData\\Roaming\\jupyter\\runtime\\kernel-XXXXX.json'

@vidartf
Contributor

vidartf commented Sep 19, 2019

Having AppData/Roaming seems to indicate that you are on Windows, but you are hitting the non-Windows code path. What is import os; print(repr(os.name)) on your platform?

@vidartf
Contributor

vidartf commented Sep 19, 2019

I.e., what is it in the environment that the server is running, not the kernel env, in case they differ.

@kevin-bates
Member

The code path hit above is open to all platforms.

Getting the env is a good idea. I think particularly important to this is whether the user running the notebook server is in the Windows Administrators group or not (I suspect the latter).

Since this doesn't occur with 5.3.1 we know any system-imposed 'policies' are not coming into play[*]. For whatever reason, it looks like win32_restrict_file_to_user() is producing a file that is too restrictive in this scenario.

[*] One thing to note is that the DACL is replaced. If policies are in play, I suppose that replacement could be side-affecting things, such that the subsequent open fails - although I can't contrive an example.
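
The owner-only write pattern visible in the traceback (`os.open(fname, open_flag, 0o600)`), as an added sketch that is not part of the original thread and is not the jupyter_client or jupyter_core code. The names `owner_only_write` and `file_mode` are hypothetical; the permission check runs only on POSIX, because on Windows access is governed by the file's DACL, which this sketch does not touch.

```python
import contextlib
import os
import stat


def file_mode(path):
    """Return the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


@contextlib.contextmanager
def owner_only_write(fname):
    """Open fname for writing so that only the owning user can access it."""
    # The mode given to os.open() is applied only when the file is created,
    # so a stale file with looser permissions is removed first.
    with contextlib.suppress(FileNotFoundError):
        os.remove(fname)
    # O_EXCL makes the call fail if something recreated the path in between.
    fd = os.open(fname, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        if os.name != "nt":
            # Verify on the open descriptor before any secret is written.
            mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
            if mode & 0o077:
                raise PermissionError(
                    f"{fname} is accessible to group/other: {oct(mode)}")
        # On Windows the mode argument only controls the read-only attribute;
        # restricting access there means editing the DACL, which is the job of
        # the win32_restrict_file_to_user() function named in the thread.
        yield f


if __name__ == "__main__":
    import tempfile
    target = os.path.join(tempfile.mkdtemp(), "kernel-example.json")
    with owner_only_write(target) as fh:
        fh.write('{"key": "constructed-sample-value"}')
    print(oct(file_mode(target)))
```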

@KikeM
Author

KikeM commented Sep 20, 2019

Answering your questions:

> Having AppData/Roaming seems to indicate that you are on Windows, but you are hitting the non-Windows code path. What is import os; print(repr(os.name)) on your platform?

I am running on Windows but this output was generated in a Git Bash terminal.

> The code path hit above is open to all platforms.
>
> Getting the env is a good idea. I think particularly important to this is whether the user running the notebook server is in the Windows Administrators group or not (I suspect the latter). [...]

I am running on a Windows virtualization, in case this might help.

@kevin-bates
Member

@KikeM - Do you know if the user that started the Notebook server is in the Administrators group (of the virtualized env)?

Are you able to access the kernel-xxxx.json file and get an idea of its current security attributes?

@MSeal, @vidartf - any other things Enrique should check?

@MSeal
Contributor

MSeal commented Sep 21, 2019

Hmm, I actually tested running bash on Windows before we released, but I didn't test it with a virtualized Windows server. What OS version are you running? From rereading the Windows bash virtualization docs it's likely a problem attempting to edit files that aren't mounted in the Linux subsystem, which the path in your exception implies is the case for you.

Can you paste what some of your default jupyter path config defaults are?

In [1]: from jupyter_core.paths import jupyter_path, jupyter_config_path, jupyter_data_dir

In [2]: jupyter_path()
Out[2]:
['/home/mseal/.local/share/jupyter',
 '/home/mseal/.py3local/share/jupyter',
 '/usr/local/share/jupyter',
 '/usr/share/jupyter']

In [2]: jupyter_config_path()
['/home/mseal/.jupyter',
 '/home/mseal/.py3local/etc/jupyter',
 '/usr/local/etc/jupyter',
 '/etc/jupyter']

In [3]: jupyter_data_dir()
Out[3]: '/home/mseal/.local/share/jupyter'

If the jupyter_data_dir is the path in the stack trace, try setting the JUPYTER_DATA_DIR environment variable to a local path in the Linux subsystem and see if the error goes away.

If that's the case I think we have a couple options to resolve. Either we'll change jupyter_core to be more aware of linux virtualization in this instance or we can make the windows subpackage install and usage look for the WSL indicators instead of the system platform indicators.

@KikeM
Author

KikeM commented Sep 24, 2019

Here go my default paths:

jupyter_path()

['D:\\Users\\username\\AppData\\Roaming\\jupyter',
 'D:\\Users\\username\\envs\\env_name\\share\\jupyter',
 'C:\\ProgramData\\jupyter']

jupyter_config_path()

['D:\\Users\\username\\.jupyter',
 'D:\\Users\\username\\envs\\env_name\\etc\\jupyter',
 'C:\\ProgramData\\jupyter']

jupyter_data_dir()

'D:\\Users\\username\\AppData\\Roaming\\jupyter'

The last one is the one where it is failing to work. I tried to change the JUPYTER_DATA_DIR variable but it didn't fix the problem. Interestingly, Windows and bash backslashes were mixed:

'D:/Users/username/folder/jupyter_test\\runtime\\kernel-1a9f73ca-38c4-4dfe-b9e0-53de440591b6.json'

@heyuanfly

When I run the cmd as administrator, there is no kernel error,
but when I run cmd directly, there is a permission denied.

@kevin-bates
Member

@heyuanfly - thanks for the information. You're encountering the same issue also described here. The fix for this has been submitted via jupyter/jupyter_core#166 and we're waiting on it being merged so the jupyter_core 4.6.0 release can be cut.

cc: @minrk @takluyver

@KikeM
Author

KikeM commented Oct 17, 2019

I confirm this has been fixed with the 4.6.0 version!

Thank you to everyone who contributed.
