paths.secure_write fails on CIFS volumes

[hroncok]

Hey, at our university Linux computers, we presumably have /home mounted from a CIFS storage.

Jupyter Notebook Kernel fails and I've been able to reproduce the failure by this reproducer:

>>> from jupyter_core.paths import secure_write
>>> with secure_write("/home/hroncmir/.local/share/jupyter/runtime/xxx.json") as f:
...     ...
... 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/contextlib.py", line 112, in __enter__
    return next(self.gen)
  File "/tmp/my/tmpvenv/lib64/python3.7/site-packages/jupyter_core/paths.py", line 412, in secure_write
    .format(file=fname, permissions=os.stat(fname).st_mode))
RuntimeError: Permissions assignment failed for secure file: '/home/hroncmir/.local/share/jupyter/runtime/xxx.json'.Got '33216' instead of '600'

One thing is that the exception is a bit cryptic, in fact, it should run the 33216 number trough oct(stat.S_IMODE(33216)) and say: Got '700' instead of '600'.

The other thing is that I cannot set the mode to 600 on this FS and hence I cannot use Jupyter Notebook.

attrs==19.3.0
backcall==0.1.0
bleach==3.1.0
decorator==4.4.0
defusedxml==0.6.0
entrypoints==0.3
importlib-metadata==0.23
ipykernel==5.1.2
ipython==7.8.0
ipython-genutils==0.2.0
jedi==0.15.1
Jinja2==2.10.3
jsonschema==3.1.1
jupyter-client==5.3.4
jupyter-core==4.6.0
MarkupSafe==1.1.1i
mistune==0.8.4
more-itertools==7.2.0
nbconvert==5.6.0
nbformat==4.4.0
notebook==6.0.1
pandocfilters==1.4.2
parso==0.5.1
pexpect==4.7.0
pickleshare==0.7.5
prometheus-client==0.7.1
prompt-toolkit==2.0.10
ptyprocess==0.6.0
Pygments==2.4.2
pyrsistent==0.15.4
python-dateutil==2.8.0
pyzmq==18.1.0
Send2Trash==1.5.0
six==1.12.0
terminado==0.8.2
testpath==0.4.2
tornado==6.0.3
traitlets==4.3.3
wcwidth==0.1.7
webencodings==0.5.1
zipp==0.6.0

$ mount | grep home/hroncmir
//fsu01/ucebny/home/hroncmir on /home/hroncmir type cifs (rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cache=strict,username=hroncmir,uid=1005,forceuid,gid=100,forcegid,addr=10.0.1.54,file_mode=0700,dir_mode=0700,serverino,mapposix,mfsymlinks,fsc,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

@jirutka, do you know more about the FS here?

[hroncok]

Full exception when running Notebook:

[W 12:50:23.726 NotebookApp] The signatures database cannot be opened; maybe it is corrupted or encrypted. You may need to rerun your notebooks to ensure that they are trusted to run Javascript. The old signatures database has been renamed to /home/hroncmir/.local/share/jupyter/nbsignatures.db.bak and a new one has been created.
[W 12:50:28.772 NotebookApp] Failed commiting signatures database to disk. You may need to move the database file to a non-networked file system, using config option `NotebookNotary.db_file`. Using in-memory signatures database for the remainder of this session.
[E 12:50:33.716 NotebookApp] Uncaught exception POST /api/sessions (::1)
    HTTPServerRequest(protocol='http', host='localhost:8888', method='POST', uri='/api/sessions', version='HTTP/1.1', remote_ip='::1')
    Traceback (most recent call last):
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/web.py", line 1699, in _execute
        result = await result
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/notebook/services/sessions/handlers.py", line 72, in post
        type=mtype))
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 735, in run
        value = future.result()
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/notebook/services/sessions/sessionmanager.py", line 88, in create_session
        kernel_id = yield self.start_kernel_for_session(session_id, path, name, type, kernel_name)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 735, in run
        value = future.result()
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 742, in run
        yielded = self.gen.throw(*exc_info)  # type: ignore
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/notebook/services/sessions/sessionmanager.py", line 101, in start_kernel_for_session
        self.kernel_manager.start_kernel(path=kernel_path, kernel_name=kernel_name)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 735, in run
        value = future.result()
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/tornado/gen.py", line 209, in wrapper
        yielded = next(result)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/notebook/services/kernels/kernelmanager.py", line 168, in start_kernel
        super(MappingKernelManager, self).start_kernel(**kwargs)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/jupyter_client/multikernelmanager.py", line 110, in start_kernel
        km.start_kernel(**kwargs)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/jupyter_client/manager.py", line 240, in start_kernel
        self.write_connection_file()
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/jupyter_client/connect.py", line 476, in write_connection_file
        kernel_name=self.kernel_name
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/jupyter_client/connect.py", line 141, in write_connection_file
        with secure_write(fname) as f:
      File "/usr/lib64/python3.7/contextlib.py", line 112, in __enter__
        return next(self.gen)
      File "/home/hroncmir/testvenv/lib64/python3.7/site-packages/jupyter_core/paths.py", line 412, in secure_write
        .format(file=fname, permissions=os.stat(fname).st_mode))
    RuntimeError: Permissions assignment failed for secure file: '/home/hroncmir/.local/share/jupyter/runtime/kernel-ef46c571-e746-48dc-96ac-f1040c68c1a8.json'.Got '33216' instead of '600'
[W 12:50:33.831 NotebookApp] Unhandled error
[E 12:50:33.832 NotebookApp] {
      "Host": "localhost:8888",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
      "Accept": "application/json, text/javascript, */*; q=0.01",
      "Accept-Language": "en-US,en;q=0.5",
      "Accept-Encoding": "gzip, deflate",
      "Referer": "http://localhost:8888/notebooks/Untitled.ipynb?kernel_name=python3",
      "Content-Type": "application/json",
      "X-Xsrftoken": "2|513cd534|08ca710936f29c88644511d7ffeea877|1571223016",
      "X-Requested-With": "XMLHttpRequest",
      "Content-Length": "91",
      "Cookie": "username-localhost-8888=\"2|1:0|10:1571223015|23:username-localhost-8888|44:ODIwM2E3Njc3Y2QwNDkwOWE5NWIyZDMzOTc4Y2YzNDU=|74f870dcfbc073207ab1b1d1171909917ff640c80b5bece69e7a77d1769fcbb6\"; _xsrf=2|513cd534|08ca710936f29c88644511d7ffeea877|1571223016",
      "Connection": "keep-alive"
    }
[E 12:50:33.833 NotebookApp] 500 POST /api/sessions (::1) 214.68ms referer=http://localhost:8888/notebooks/Untitled.ipynb?kernel_name=python3

[hroncok]

Possible workaround:

$ XDG_DATA_HOME=/tmp/xxx python -m notebook

[kevin-bates]

@hroncok - I believe you've provided the missing link here! That CIFS filesystems auto-enable the execute bit. From googling, there are ways to change that behavior, but I don't think we can assume our users have access to that level of configuration, and it could potentially have adverse side affects to other applications. As a result, I think we should tolerate the execute bit on owners.

@MSeal - do you see an issue with this?

I would also like to clean up the comparison check to not use strings and, yes, fix up the log message to use octal (with applicable filtering through S_IMODE).

I can go ahead and submit a PR and we can discuss further in that context.

[hroncok]

Awesome, thanks.

[MSeal]

Yeah execute bit doesn't matter here, just the group / public's read / write bits. I can +1 a PR for that change @kevin-bates

[kevin-bates]

@hroncok - if you'd like to take the changes for a spin on your system, that would be greatly appreciated!