You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@zeppelin.apache.org by Angelo Steffenel <an...@lsteffenel.fr> on 2017/03/06 12:18:10 UTC
Isolation issues
Dear all, I’m trying to set Zeppelin as the frontend for a small cluster I use with my students.
After a few tests I found that anyone can access and even modify system files (for example, they can make "ls /etc" or even "rm -rf ~" when using %sh).
Is there a way to define a homedir so that all the users see resides below that directory (like the --notebook-dir option in Jupyter)? I know that this can be achieved using Docker but it seems an unnecessary layer…
Sorry if my question is dumb, I'm just starting using Zeppelin but I was unable to find an answer in the docs or in the mailing list archives.
Best regards,
Angelo
R: Isolation issues
Posted by SAGGINO RAFFAELE <ra...@intesasanpaolo.com>.
Dear Paul,
I think docker is your best option at the moment.
> When you start zeppelin can you do it as a user with fewer privileges?
Yes, I am currently running Zeppelin 0.7.0 with a normal user, you just need to properly set environment variables (i.e. SPARK_HOME etc.).
Raffaele
Da: Angelo Steffenel [mailto:angelo@lsteffenel.fr]
Inviato: lunedì 6 marzo 2017 16:02
A: users@zeppelin.apache.org
Oggetto: Re: Isolation issues
Hello Paul,
I thought about that option but it is still a hack, and it is not sure that would prevent users from snooping the system configurations (unless I block the rights to read files, but that’s too exaggerate).
Having a basedir would be easier and more elegant, like on most http servers (one should not be able to access http://domain.com/../../etc, for example).
Thanks anyway for the hint!
Angelo
Le 6 mars 2017 à 14:27, Paul Brenner <pb...@placeiq.com>> a écrit :
[Immagine rimossa dal mittente.]
When you start zeppelin can you do it as a user with fewer privileges? We created a user specifically for starting zeppelin server and set access limits to that user. Kind of a hack, so perhaps others will chime in with more elegant solutions.
[Immagine rimossa dal mittente.]<http://www.placeiq.com/>
Paul Brenner
[Immagine rimossa dal mittente.]<https://twitter.com/placeiq>
[Immagine rimossa dal mittente.]<https://www.facebook.com/PlaceIQ>
[Immagine rimossa dal mittente.]<https://www.linkedin.com/company/placeiq>
DATA SCIENTIST
(217) 390-3033<tel:(217)%20390-3033>
[Immagine rimossa dal mittente. PlaceIQ:Location Data Accuracy]<http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-offering-that-delivers-access-to-the-highest-quality-location-data-for-insights-that-fuel-limitless-business-decisions/>
On Mon, Mar 06, 2017 at 7:18 AM Angelo Steffenel <Angelo Steffenel <mailto:Angelo%20Steffenel%20%3cangelo@lsteffenel.fr%3e> > wrote:
Dear all, I’m trying to set Zeppelin as the frontend for a small cluster I use with my students.
After a few tests I found that anyone can access and even modify system files (for example, they can make "ls /etc" or even "rm -rf ~" when using %sh).
Is there a way to define a homedir so that all the users see resides below that directory (like the --notebook-dir option in Jupyter)? I know that this can be achieved using Docker but it seems an unnecessary layer…
Sorry if my question is dumb, I'm just starting using Zeppelin but I was unable to find an answer in the docs or in the mailing list archives.
Best regards,
Angelo
Prima di stampare, pensa all'ambiente ** Think about the environment before printing
________________________________
Il presente messaggio, inclusi gli eventuali allegati, ha natura aziendale e potrebbe contenere informazioni confidenziali e/o riservate. Chiunque lo ricevesse per errore, è pregato di avvisare tempestivamente il mittente e di cancellarlo.
E’ strettamente vietata qualsiasi forma di utilizzo, riproduzione o diffusione non autorizzata del contenuto di questo messaggio o di parte di esso.
Pur essendo state assunte le dovute precauzioni per ridurre al minimo il rischio di trasmissione di virus, si suggerisce di effettuare gli opportuni controlli sui documenti allegati al presente messaggio. Non si assume alcuna responsabilità per eventuali danni o perdite derivanti dalla presenza di virus.
Per lo svolgimento delle attività di investimento nel Regno Unito, la società è autorizzata da Banca d'Italia ed è soggetta alla vigilanza limitata della Financial Conduct Authority ( FCA ) e della Prudential Regulation Authority ( PRA ) . Maggiori informazioni in merito ai poteri di vigilanza della Financial Conduct Authority ( FCA ) e della Prudential Regulation Authority ( PRA ) sono a disposizione previa richiesta.
Nel Regno Unito Intesa Sanpaolo S.p.A. opera attraverso la filiale di Londra, sita in 90 Queen Street, London EC4N 1SA, registrata in Inghilterra & Galles sotto No.FC016201, Branch No.BR000036
In osservanza dei requisito imposti dal Internal Revenue Service (Agenzia delle Entrate degli Stati Uniti), qualunque discussione relativa a temi di natura fiscale contenuta in questo messaggio o nei suoi allegati non e’ intesa ne’ e’ stata scritta per essere utilizzata, ne’ puo’ essere utilizata per (i) evitare l’imposizione di gravami fiscali secondo il codice tributario vigente negli Stati Uniti o (ii) per promuovere, sollecitare o raccomandare una operazione finanziaria o altra transazione indirizzata ad un altro destinatario.
Nella Repubblica d’Irlanda, Intesa Sanpaolo Bank Ireland plc è regolamentata dalla Banca Centrale d’Irlanda ed è parte del Gruppo Bancario Intesa Sanpaolo S.p.A. Registrata in Irlanda come società numero 125216 – IVA Reg. IE4817418C IE, sita in, KBC House, 4 George Dock, IFSC, Dublino 1, Irlanda.
***
________________________________
This email (including any attachment) is a corporate message and may contain confidential and/or privileged and/or proprietary information. If you have received this email in error, please notify the sender immediately, do not use or share it and destroy this email. Any unauthorised use, copying or disclosure of the material in this email or of parts hereof (including reliance thereon) is strictly forbidden.
We have taken precautions to minimize the risk of transmitting software viruses but nevertheless advise you to carry out your own virus checks on any attachment of this message. We accept no liability for loss or damage caused by software viruses.
For the conduct of investment business in the UK, the Company is authorised by Banca d’Italia and subject to limited regulation in the UK by the Financial Conduct Authority ( FCA ) and the Prudential Regulation Authority ( PRA ). Details about the extent of our regulation by the Financial Conduct Authority ( FCA ) and the Prudential Regulation Authority ( PRA ) are available from us on request.
In the UK Intesa Sanpaolo S.p.A. operates through its London Branch, located at 90 Queen Street, London EC4N 1SA. Registered in England & Wales under No.FC016201, Branch No.BR000036
To comply with requirements imposed by the IRS, we inform you that any discussion of U.S. federal tax issues contained herein (including any attachments) was not intended or written to be used, and cannot be used by you, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending any transaction or matter addressed herein to another party.
In the Republic of Ireland, Intesa Sanpaolo Bank Ireland plc is regulated by the Central Bank of Ireland and is a member of the Intesa Sanpaolo Group. It is registered in Ireland as company no.125216 – VAT Reg. No. IE 4817418C and located at, 3rd Floor, KBC House, 4 George’s Dock, IFSC, Dublin 1, Ireland.
Re: Isolation issues
Posted by Angelo Steffenel <an...@lsteffenel.fr>.
Hello Paul,
I thought about that option but it is still a hack, and it is not sure that would prevent users from snooping the system configurations (unless I block the rights to read files, but that’s too exaggerate).
Having a basedir would be easier and more elegant, like on most http servers (one should not be able to access http://domain.com/../../etc <http://domain.com/etc>, for example).
Thanks anyway for the hint!
Angelo
> Le 6 mars 2017 à 14:27, Paul Brenner <pb...@placeiq.com> a écrit :
>
>
> When you start zeppelin can you do it as a user with fewer privileges? We created a user specifically for starting zeppelin server and set access limits to that user. Kind of a hack, so perhaps others will chime in with more elegant solutions.
>
> <http://www.placeiq.com/> <http://www.placeiq.com/> <http://www.placeiq.com/> Paul Brenner <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://www.facebook.com/PlaceIQ> <https://www.facebook.com/PlaceIQ> <https://www.linkedin.com/company/placeiq> <https://www.linkedin.com/company/placeiq>
> DATA SCIENTIST
> (217) 390-3033 <tel:(217)%20390-3033>
>
> <http://www.placeiq.com/2015/05/26/placeiq-named-winner-of-prestigious-2015-oracle-data-cloud-activate-award/> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/> <http://placeiq.com/2016/03/08/measuring-addressable-tv-campaigns-is-now-possible/> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/> <http://pages.placeiq.com/Location-Data-Accuracy-Whitepaper-Download.html?utm_source=Signature&utm_medium=Email&utm_campaign=AccuracyWP> <http://placeiq.com/2016/08/03/placeiq-bolsters-location-intelligence-platform-with-mastercard-insights/> <http://placeiq.com/2016/10/26/the-making-of-a-location-data-industry-milestone/> <http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-offering-that-delivers-access-to-the-highest-quality-location-data-for-insights-that-fuel-limitless-business-decisions/>
>
> On Mon, Mar 06, 2017 at 7:18 AM Angelo Steffenel <Angelo Steffenel <mailto:Angelo Steffenel <an...@lsteffenel.fr>>> wrote:
> Dear all, I’m trying to set Zeppelin as the frontend for a small cluster I use with my students.
>
> After a few tests I found that anyone can access and even modify system files (for example, they can make "ls /etc" or even "rm -rf ~" when using %sh).
> Is there a way to define a homedir so that all the users see resides below that directory (like the --notebook-dir option in Jupyter)? I know that this can be achieved using Docker but it seems an unnecessary layer…
>
> Sorry if my question is dumb, I'm just starting using Zeppelin but I was unable to find an answer in the docs or in the mailing list archives.
>
> Best regards,
>
>
>
> Angelo
>
Isolation issues
Posted by Paul Brenner <pb...@placeiq.com>.
When you start zeppelin can you do it as a user with fewer privileges? We created a user specifically for starting zeppelin server and set access limits to that user. Kind of a hack, so perhaps others will chime in with more elegant solutions.
http://www.placeiq.com/ http://www.placeiq.com/ http://www.placeiq.com/
Paul Brenner
https://twitter.com/placeiq https://twitter.com/placeiq https://twitter.com/placeiq
https://www.facebook.com/PlaceIQ https://www.facebook.com/PlaceIQ
https://www.linkedin.com/company/placeiq https://www.linkedin.com/company/placeiq
DATA SCIENTIST
tel:(217)%20390-3033
http://www.placeiq.com/2015/05/26/placeiq-named-winner-of-prestigious-2015-oracle-data-cloud-activate-award/ http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/ http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/ http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/ http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-webinar/ http://placeiq.com/2016/03/08/measuring-addressable-tv-campaigns-is-now-possible/ http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/ http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/ http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/ http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/ http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiative-nai-as-100th-member/ http://pages.placeiq.com/Location-Data-Accuracy-Whitepaper-Download.html?utm_source=Signature&utm_medium=Email&utm_campaign=AccuracyWP http://placeiq.com/2016/08/03/placeiq-bolsters-location-intelligence-platform-with-mastercard-insights/ http://placeiq.com/2016/10/26/the-making-of-a-location-data-industry-milestone/ http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-offering-that-delivers-access-to-the-highest-quality-location-data-for-insights-that-fuel-limitless-business-decisions/
On Mon, Mar 06, 2017 at 7:18 AM Angelo Steffenel
<
mailto:Angelo Steffenel <an...@lsteffenel.fr>
> wrote:
a, pre, code, a:link, body { word-wrap: break-word !important; }
Dear all, I’m trying to set Zeppelin as the frontend for a small cluster I use with my students.
After a few tests I found that anyone can access and even modify system files (for example, they can make "ls /etc" or even "rm -rf ~" when using %sh).
Is there a way to define a homedir so that all the users see resides below that directory (like the --notebook-dir option in Jupyter)? I know that this can be achieved using Docker but it seems an unnecessary layer…
Sorry if my question is dumb, I'm just starting using Zeppelin but I was unable to find an answer in the docs or in the mailing list archives.
Best regards,
Angelo