From fce599596e2c426146fd1e3a6873a08fe4323a02 Mon Sep 17 00:00:00 2001
From: Graham Dumpleton
Date: Wed, 6 Jun 2018 14:21:03 +1000
Subject: [PATCH 1/2] Remove writable group file due to issues with being able to give su access when shouldn't be allowed.
---
 base-notebook/Dockerfile | 2 +-
 base-notebook/start.sh | 8 +-------
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/base-notebook/Dockerfile b/base-notebook/Dockerfile
index f33c270666..bb439f485e 100644
--- a/base-notebook/Dockerfile
+++ b/base-notebook/Dockerfile
@@ -50,7 +50,7 @@ ADD fix-permissions /usr/local/bin/fix-permissions
 RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
 mkdir -p $CONDA_DIR && \
 chown $NB_USER:$NB_GID $CONDA_DIR && \
- chmod g+w /etc/passwd /etc/group && \
+ chmod g+w /etc/passwd && \
 fix-permissions $HOME && \
 fix-permissions $CONDA_DIR
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
index a58e1e38c2..1767c7328b 100755
--- a/base-notebook/start.sh
+++ b/base-notebook/start.sh
@@ -94,8 +94,7 @@ else
 # User is not attempting to override user/group via environment
 # variables, but they could still have overridden the uid/gid that
 # container runs as. Check that the user has an entry in the passwd
- # file and if not add an entry. Also add a group file entry if the
- # uid has its own distinct group but there is no entry.
+ # file and if not add an entry.
 whoami &> /dev/null || STATUS=$? && true
 if [[ "$STATUS" != "0" ]]; then
 if [[ -w /etc/passwd ]]; then
@@ -104,11 +103,6 @@ else
 echo "jovyan:x:$(id -u):$(id -g):,,,:/home/jovyan:/bin/bash" >> /tmp/passwd
 cat /tmp/passwd > /etc/passwd
 rm /tmp/passwd
- id -G -n 2>/dev/null | grep -q -w $(id -u) || STATUS=$? && true
- if [[ "$STATUS" != "0" && "$(id -g)" == "0" ]]; then
- echo "Adding group file entry for $(id -u)"
- echo "jovyan:x:$(id -u):" >> /etc/group
- fi
 else
 echo 'Container must be run with group "root" to update passwd file'
 fi
From 47e120db74f18aa0610f21232d66426001765017 Mon Sep 17 00:00:00 2001
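Review bot: The surviving `chmod g+w /etc/passwd` on the `+` line is left without any explanation of why the account database must stay writable by group root now that `/etc/group` has been taken out of the list, which is the property the commit subject identifies as the problem. A comment above the RUN such as `# /etc/passwd stays group-writable so start.sh can add an entry for an arbitrary runtime uid; /etc/group is intentionally not (see start.sh)` would record the trade-off for the next reader. The follow-up commit in this series contains su through PAM rather than through file permissions, so this comment is the only place where the two halves of the fix would be tied together. The RUN instruction continues past the hunk.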
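Review bot: `whoami &> /dev/null || STATUS=$? && true` on the context line only assigns STATUS when whoami fails, so unless STATUS is initialized above the hunk the test `[[ "$STATUS" != "0" ]]` is also true for an empty STATUS and the passwd-rewrite branch below runs even when the uid already has an entry. Initializing it in the same statement, `STATUS=0 && whoami &> /dev/null || STATUS=$? && true`, keeps the trailing `&& true` (presumably there for `set -e`) and makes the check reflect only whoami's result. The rewritten comment could also state the precondition the branch relies on, e.g. `# file and if not add an entry (requires group-root write access to /etc/passwd).` The enclosing else block starts before the hunk and ends after it.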
From: Graham Dumpleton
Date: Thu, 7 Jun 2018 10:02:31 +1000
Subject: [PATCH 2/2] Restrict su to users in group wheel so can't be used when run as random uid not in passwd file.
---
 base-notebook/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base-notebook/Dockerfile b/base-notebook/Dockerfile
index bb439f485e..2a2125b3f8 100644
--- a/base-notebook/Dockerfile
+++ b/base-notebook/Dockerfile
@@ -47,7 +47,9 @@ ENV PATH=$CONDA_DIR/bin:$PATH \
 ADD fix-permissions /usr/local/bin/fix-permissions
 # Create jovyan user with UID=1000 and in the 'users' group
 # and make sure these dirs are writable by the `users` group.
-RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
+RUN groupadd wheel -g 11 && \
+ echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && \
+ useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
 mkdir -p $CONDA_DIR && \
 chown $NB_USER:$NB_GID $CONDA_DIR && \
 chmod g+w /etc/passwd && \
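Review bot: The `auth required pam_wheel.so use_uid` line is appended with `>>` to the end of `/etc/pam.d/su`, so its position relative to the auth entries the base image already has there (a `sufficient` pam_rootok line, an included password stack) is not controlled by this hunk, and that position decides whether a caller outside `wheel` is refused outright or only after the earlier modules have run; the resulting file is worth inspecting once and the chosen placement recorded in a comment. `groupadd wheel -g 11` hard-codes a gid that may already be taken in the base image and puts the option after the name; `groupadd -g 11 wheel` is the conventional form and the gid choice deserves a comment. Nothing in the hunk adds a member to `wheel`, so as far as this hunk shows su becomes unusable for every non-root uid including `$NB_USER`; that matches the subject, but the unchanged comment above the RUN still only describes creating the jovyan user and should say so, e.g. `# Create an empty 'wheel' group and make su require membership (pam_wheel use_uid), so a container started as an arbitrary uid cannot su.` The RUN instruction continues past the hunk.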