Default ACLs in Neurodesk Dockerfile Overriding JupyterHub Pre-spawn Hook Permissions

[wieluk]

Hi there,

I've noticed that the Dockerfile for the Neurodesk container sets default ACLs on the home directory on lines 87 and 88:

# Set home directory default acls
RUN chmod g+rwxs /home/${NB_USER}
RUN setfacl -dRm u::rwX,g::rwX,o::0 /home/${NB_USER}

While I understand the intent behind these settings, they are causing issues when I create user directories via a JupyterHub pre-spawn hook. The default ACLs force unwanted permission bits (such as the setgid bit and removing permissions for others) on directories created under /home/${NB_USER}, effectively overwriting the permissions set by my pre-spawn hook.

Do you know any way to prevent this?

Thank you very much for your time and for maintaining such a great project!

[stebo85]

@aswinnarayanan ?

[aswinnarayanan]

Might need to consider removing this blanket home dir permission and acl assignment.

I think this was to solve issues with notebooks that were started up without properly configured home dir permissions.
And to handle the saving and restoring of home dir in kubernetes.

Let me have a look through and get back.