From 40660e6102fba28ce7c8354aa813ed608f08d129 Mon Sep 17 00:00:00 2001 From: Grant Nestor Date: Sun, 23 Oct 2016 16:38:33 -0700 Subject: [PATCH 1/2] Update security docs to reflect new signature system --- docs/source/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/security.rst b/docs/source/security.rst index 5a81cfddc..c58e9bbdc 100644 --- a/docs/source/security.rst +++ b/docs/source/security.rst @@ -140,6 +140,6 @@ When sharing a notebook secret across configurations, you can use .. sourcecode:: python - c.NotebookApp.secret_file = "/path/to/notebook_secret" + c.NotebookNotary.data_dir = "/path/to/notebook_db" -to specify a non-default path to the secret file. +to specify a non-default path to the SQLite database (of notebook hashes, essentially). We are aware that SQLite doesn't work well on NFS and we are `working out better ways to do this `_. From b5acf7bf1c299223d39025a8efe2756b1a1ae35c Mon Sep 17 00:00:00 2001 From: Thomas Kluyver Date: Mon, 24 Oct 2016 10:59:11 +0100 Subject: [PATCH 2/2] More updates to security doc --- docs/source/security.rst | 45 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/docs/source/security.rst b/docs/source/security.rst index c58e9bbdc..465fa2e71 100644 --- a/docs/source/security.rst +++ b/docs/source/security.rst @@ -5,7 +5,7 @@ Security in Jupyter notebooks As Jupyter notebooks become more popular for sharing and collaboration, the potential for malicious people to attempt to exploit the notebook -for their nefarious purposes increases. IPython 2.0 introduces a +for their nefarious purposes increases. IPython 2.0 introduced a security model to prevent execution of untrusted code without explicit user input. @@ -40,22 +40,19 @@ Our security model The details of trust -------------------- -Jupyter notebooks store a signature in metadata, which is used to answer -the question "Did the current user do this?" +When a notebook is executed and saved, a signature is computed from a +digest of the notebook's contents plus a secret key. This is stored in a +database, writable only by the current user. By default, this is located at:: -This signature is a digest of the notebooks contents plus a secret key, -known only to the user. The secret key is a user-only readable file in -the Jupyter data directory. By default, this is:: + ~/.local/share/jupyter/nbsignatures.db # Linux + ~/Library/Jupyter/nbsignatures.db # OS X + %APPDATA%/jupyter/nbsignatures.db # Windows +Each signature represents a series of outputs which were produced by code the +current user executed, and are therefore trusted. - ~/.local/share/jupyter/notebook_secret # linux - ~/Library/Jupyter/notebook_secret # OS X - %APPDATA%/jupyter/notebook_secret # Windows - - -When a notebook is opened by a user, the server computes a signature -with the user's key, and compares it with the signature stored in the -notebook's metadata. If the signature matches, HTML and Javascript +When you open a notebook, the server computes its signature, and checks if it's +in the database. If a match is found, HTML and Javascript output in the notebook will be trusted at load, otherwise it will be untrusted. @@ -71,7 +68,7 @@ been removed (either via ``Clear Output`` or re-execution), then the notebook will become trusted. While trust is updated per output, this is only for the duration of a -single session. A notebook file on disk is either trusted or not in its +single session. A newly loaded notebook file is either trusted or not in its entirety. Explicit trust @@ -87,8 +84,8 @@ long time. Users can explicitly trust a notebook in two ways: - After loading the untrusted notebook, with ``File / Trust Notebook`` -These two methods simply load the notebook, compute a new signature with -the user's key, and then store the newly signed notebook. +These two methods simply load the notebook, compute a new signature, and add +that signature to the user's database. Reporting security issues ------------------------- @@ -103,9 +100,9 @@ you can use :download:`this PGP public key `. Affected use cases ------------------ -Some use cases that work in Jupyter 1.0 will become less convenient in +Some use cases that work in Jupyter 1.0 became less convenient in 2.0 as a result of the security changes. We do our best to minimize -these annoyance, but security is always at odds with convenience. +these annoyances, but security is always at odds with convenience. Javascript and CSS in Markdown cells ************************************ @@ -133,13 +130,15 @@ in an untrusted state. There are three basic approaches to this: - re-run notebooks when you get them (not always viable) - explicitly trust notebooks via ``jupyter trust`` or the notebook menu (annoying, but easy) -- share a notebook secret, and use configuration dedicated to the +- share a notebook signatures database, and use configuration dedicated to the collaboration while working on the project. -When sharing a notebook secret across configurations, you can use +To share a signatures database among users, you can configure: .. sourcecode:: python - c.NotebookNotary.data_dir = "/path/to/notebook_db" + c.NotebookNotary.data_dir = "/path/to/signature_dir" -to specify a non-default path to the SQLite database (of notebook hashes, essentially). We are aware that SQLite doesn't work well on NFS and we are `working out better ways to do this `_. +to specify a non-default path to the SQLite database (of notebook hashes, +essentially). We are aware that SQLite doesn't work well on NFS and we are +`working out better ways to do this `_.