Hello Hussein, in a typical Jupyter installation, users have write access to the configuration files and kernel specs. They can wreak all kinds of havoc there. Even if you stop them from messing with configuration files and kernel specs, they may be able to install at ~/.local/ different versions of Python packages, or site-customization files, which are loaded by the Jupyter server on startup. Unless you've taken special precautions, like running the Jupyter server in a read-only environment and without access to the user's home directory, it's safest to assume that it is completely open to modification by users.
I think notebook server extensions are loaded when the server is started. User modifications to the config file will not take effect until the server is restarted. If you're always starting the notebook server from clean config files, for example in a fresh Docker container, there are no user modifications. But if your config files are persistent, the user modifications kick in the next time the server is started. If you prevent users from modifying notebook server extensions, they will not be able to install notebook extensions on their own, which can be annoying: https://stackoverflow.com/a/45961414/5629418 So you have a choice of letting users install their own notebook server extensions and disabling yours, or to block them from changing notebook server extensions at all. I'd love to learn that I'm wrong though... :-)

cheers,
Roland
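An administrator can check which of the locations named in this message a given account can modify. The script below is an added example, not part of the original message or of Jupyter itself; the paths in `startup_paths` are assumed Linux per-user defaults, and the check reads classic mode bits only (no ACLs, no root override).

```python
import os
import site
import stat
from pathlib import Path


def nearest_existing(path: Path) -> Path:
    """Walk up until a component exists: a missing directory can be created
    by whoever can write to its closest existing ancestor."""
    path = path.absolute()
    while not path.exists():
        path = path.parent
    return path


def writable_by(path: Path, uid: int, gids: set) -> bool:
    """Owner/group/other write check from mode bits (ignores ACLs and root)."""
    st = nearest_existing(path).stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def startup_paths(home: Path) -> dict:
    """Assumed default per-user locations that are read when the server starts."""
    return {
        "jupyter config": home / ".jupyter",
        "kernel specs": home / ".local/share/jupyter/kernels",
        "user site-packages": Path(site.getusersitepackages()),
    }


def audit(paths: dict, uid: int, gids: set) -> dict:
    """Map each label to True if the given uid/gids can modify that location."""
    return {label: writable_by(p, uid, gids) for label, p in paths.items()}


if __name__ == "__main__":
    result = audit(startup_paths(Path.home()), os.getuid(), set(os.getgroups()))
    for label, writable in result.items():
        print(f"{label:20} {'USER-WRITABLE' if writable else 'locked'}")
```

Any location reported as `USER-WRITABLE` persists user changes across server restarts unless the server starts from a clean image each time.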
