Impersonation of other users via the exchange

[rkdarst]

Thinking about recent discussions of a different type of exchange, I came to the realization... current exchange service, as it's often used, allows one student to impersonate another with a submission if the student ID is not secret. By default this is the account name, which is normally not private. While not possible using default nbgrader code, all students have a Python shell that can run arbitrary commands, which can do anything nbgrader can...

Interestingly on our setup this is even easier (we use university account names), but because students' code is run with filesystem UID, we can at least track the uid that wrote each file...

Just a consideration for any type of exchange service...

[jhamrick]

Ah, that's a great point, thanks for bringing this up. I think this should not be a problem with a hubshare-style exchange since you will have to be authenticated through a shared service, but it is definitely a problem for the current version of the exchange.

[perllaghu]

Indeed.... and something that needs to be made clear in any documentation for creating alternative exchange services

…

On Thu, 30 May 2019 at 09:37, Jessica B. Hamrick ***@***.***> wrote: Ah, that's a great point, thanks for bringing this up. I think this should not be a problem with a hubshare-style exchange since you will have to be authenticated through a shared service, but it is definitely a problem for the current version of the exchange. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1097?email_source=notifications&email_token=AALJCDGK46M7MNSZNF25UETPX6G5NA5CNFSM4HRAAWY2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWRXUJA#issuecomment-497252900>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AALJCDHQDFM32ZDYG4EULMDPX6G5NANCNFSM4HRAAWYQ> .

-- Ian

[nthiery]

As pointed out by @jhamrick, #1098 makes it easier to try to impersonate someone else, without having to run custom code.

She suggests to do an a posteriori check upon nbgrader collect and complain if the student_id does not match the file owner, with a config option to disable this check.

[nthiery]

I'll try to give a shot at this check.

[rkdarst]

I assume the check will be optional or a warning, for the cases where all users run under the same uid (which I guess is the most common case...)

Even in my case, because of some weird NFS authentication stuff I haven't figured out, the UIDs in the instructor notebook aren't displayed correctly to user processes, so this couldn't be used. (I have to use admin access or another system properly in the domain to check uids).

[nthiery]

I assume the check will be optional or a warning

Yes indeed, as a config option.

[rkdarst]

Just for fun... modifying timestamps or files after submission too. I saw than if you nbgrader submit from command line it logs enough to know the dir plus random string...