
Commit 5ed91e8

Merge pull request #845 from jupyter-on-openshift/block-su-and-sudo
Disable su/sudo access unless sudo explicitly enabled for a specific user using GRANT_SUDO.
2 parents 6576148 + d52c702 commit 5ed91e8


1 file changed

+3
-2
lines changed


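--- a/base-notebook/Dockerfile
+++ b/base-notebook/Dockerfile
@@ -49,8 +49,9 @@ RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashr
 
 # Create NB_USER wtih name jovyan user with UID=1000 and in the 'users' group
 # and make sure these dirs are writable by the `users` group.
-RUN groupadd wheel -g 11 && \
-echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && \
+RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
+sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
+sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
 useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
 mkdir -p $CONDA_DIR && \
 chown $NB_USER:$NB_GID $CONDA_DIR && \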
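Review bot: The second `sed -i.bak` on `/etc/sudoers` overwrites the `.bak` written by the first, so the backup left in the image is the half-edited file rather than the original, and it stays in the layer either way. A single invocation makes both edits and keeps a true backup: `sed -i.bak -e 's/^%admin/#%admin/' -e 's/^%sudo/#%sudo/' /etc/sudoers`. The appended `auth requisite pam_deny.so` blocks `su` only if no earlier `sufficient` line in the base image's `/etc/pam.d/su` ends the auth stack first, which cannot be confirmed from this hunk. The existing comment describes only the NB_USER creation, so a line above the RUN such as `# Block su and disable the %admin/%sudo group rules; sudo is granted per user only via GRANT_SUDO` would record the intent. The RUN instruction continues past the end of the hunk.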
