fix(docker-jupyter): restrict bind directory to 0o700 #7872

Open

camgrimsec wants to merge 1 commit into microsoft:main from camgrimsec:fix/docker-jupyter-bind-perms-0700
Conversation

@camgrimsec

The DockerJupyterServer bind directory was created with 0o777 (world read/write/execute), exposing agent-generated code and Jupyter session artifacts to any local user on the host.

Docker bind mounts preserve host ownership, so the container process (uid 1000 / jovyan) retains the access it needs regardless of host-side mode. 0o700 keeps the container fully functional while removing the unnecessary host-side exposure.

Refs CWE-732 (Incorrect Permission Assignment for Critical Resource).

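The permission problem this PR describes, as an added example (not code from the autogen repository or from this PR): a reconstruction of the 0o777 creation beside a hardened 0o700 version that holds regardless of umask or a pre-existing directory, plus an audit that flags bind directories still granting group or other access. Function names and the `Path` argument are assumptions for illustration.

```python
"""Added example: create a Jupyter bind directory as 0o700 and audit for the
0o777 exposure (CWE-732). Not the project's own code."""
import os
import stat
import tempfile
from pathlib import Path

GROUP_OR_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO  # 0o077


def create_bind_dir_weak(path: Path) -> Path:
    """Pre-fix behaviour as the PR describes it: directory ends up 0o777.
    Reconstructed for illustration only; not a copy of the project's code."""
    path.mkdir(parents=True, exist_ok=True)
    os.chmod(path, 0o777)
    return path


def create_bind_dir(path: Path) -> Path:
    """Hardened: owner-only access, enforced after creation.

    mkdir(mode=...) is filtered through the process umask and an existing
    directory keeps its old bits, so the explicit chmod is what actually
    guarantees 0o700 on every path (fresh dir, pre-existing dir, odd umask)."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path, 0o700)
    return path


def dir_mode(path: Path) -> int:
    """Permission bits only (no file-type bits), e.g. 0o700."""
    return stat.S_IMODE(path.stat().st_mode)


def exposed_bind_dirs(root: Path) -> list[str]:
    """Audit: names of directories under root (inclusive) that grant any
    group or other access. Symlinked directories are not descended into."""
    found = [Path(d).name for d, _, _ in os.walk(root, followlinks=False)
             if dir_mode(Path(d)) & GROUP_OR_OTHER_BITS]
    return sorted(found)


def demo() -> dict:
    """Walkthrough on a constructed temporary tree (mkdtemp itself is 0o700)."""
    base = Path(tempfile.mkdtemp())
    old_umask = os.umask(0o022)
    try:
        weak = create_bind_dir_weak(base / "weak")
        hard = create_bind_dir(base / "hard")
        result = {"weak_before": dir_mode(weak), "hard": dir_mode(hard),
                  "exposed_before": exposed_bind_dirs(base)}
        create_bind_dir(weak)  # re-running the hardened path tightens it
        result.update({"weak_after": dir_mode(weak),
                       "exposed_after": exposed_bind_dirs(base)})
    finally:
        os.umask(old_umask)
    return result
```

A bind mount carries the host inode's uid and mode into the container, so with 0o700 the container process must run as the host directory's owner uid (or as root) to use it; the audit above checks mode only, not that mapping.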