takluyver / nbopen

Open a Jupyter notebook in the best available server
BSD 3-Clause "New" or "Revised" License

Can't open outside of HOME #14

Closed remram44 closed 9 years ago

remram44 commented 9 years ago

I think it's pretty common for Windows users to have files outside their HOME directories. IPython notebooks already have a trust system, does this "security reason" actually stand?

takluyver commented 9 years ago

The security reason is nothing to do with notebook trust, it's because IPython starts a local webserver serving any files under where it starts. If other people can log into your system, or you have accidentally configured IPython to listen on the public network interface, that can expose a whole lot of things. Running notebook servers in home is already a compromise that some people think is risky.

It's not much security, because if someone can talk to a kernel they can get much more access, but we felt it was worth restricting what someone could do just by making straightforward HTTP GET requests for files. We don't serve hidden files or directories, for a similar reason.

I'm not sure why it would be especially common for Windows users to store things outside home, though? AFAIK, the common locations for saving things, like Documents and Desktop, are all within home.
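The restriction described in the comment above (serve only files under the directory the server started in, and no hidden files or directories), as an added example that is not part of the thread and is not nbopen's or IPython's own code. `may_serve`, `is_hidden` and the directory tree are hypothetical, and "hidden" is assumed to mean a dot-prefixed name.

```python
import tempfile
from pathlib import Path


def is_hidden(rel: Path) -> bool:
    """True if any component of the relative path starts with a dot."""
    return any(part.startswith(".") for part in rel.parts)


def may_serve(root: str, requested: str) -> bool:
    """Decide whether `requested` (a path relative to `root`) may be served.

    Rejects anything that resolves outside `root` (.. traversal, absolute
    paths, symlinks pointing elsewhere) and anything hidden.
    """
    root_real = Path(root).resolve()
    # Joining an absolute `requested` discards root_real, so it fails below.
    target = (root_real / requested).resolve()
    try:
        rel = target.relative_to(root_real)
    except ValueError:
        return False  # resolved outside the served directory
    return not is_hidden(rel)


def demo() -> dict:
    """Build a constructed directory tree and evaluate sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "home")
        (root / "work").mkdir(parents=True)
        (root / ".ssh").mkdir()
        (root / "work" / "analysis.ipynb").write_text("{}")
        (root / ".ssh" / "id_rsa").write_text("constructed placeholder")
        Path(tmp, "outside.txt").write_text("outside the served root")
        requests = ["work/analysis.ipynb", ".ssh/id_rsa",
                    "../outside.txt", "work/../../outside.txt"]
        return {r: may_serve(str(root), r) for r in requests}


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'serve' if ok else 'deny '}  {path}")
```

The check runs on the resolved path, so a visible symlink that points into a hidden directory or out of the root is denied as well.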

remram44 commented 9 years ago

I for one do not store my programming and work related files under there.

A very common problem is spaces in paths, which breaks a lot of programming tools (historically "C:\Documents and Settings", also special characters in user names); using a different hard drive is also very common (we do not have the nice mount(8) workflow here).

From what you describe, it doesn't seem like an override option (like --anywhere, #16) would cause any more problems.

tritemio commented 9 years ago

@takluyver In my experience, under Windows it is very common to use a second partition for data (that's the policy in my lab, for example). The whole point of nbopen IMHO is being able to open a notebook anywhere, even on a thumbdrive. Unlike on Linux, we can't mount a partition, we are stuck with letter C:, D:, etc...

There is a class of beginners that will never configure anything, so they are not at risk. More advanced users that want to tweak the ipython configuration to listen on non-local IPs should be warned.

But, if you think about it, commonly you either have a server or a desktop. In the server you don't need nbopen.

So, +1 to allowing opening notebooks anywhere ;). And +1 for providing security warnings.

takluyver commented 9 years ago

I changed my mind ;-)

remram44 commented 9 years ago

:heart_eyes: