Description
Archlinux, nbgrader 0.8.1, jupyterhub 3.0.0, jupyter-notebook 6.5.2
On a server with many users I have a umask of 077 to protect users' directories from potential listing and reading of their files. The reason is that users can use public_html, which requires the home directory to be searchable (x permission) and public_html to be readable.
I noticed that the generated assignments get read permission by default, as do the fetched ones. This way the fetched directories are readable by other users if the user has made their home searchable. For example, cd /home/user1/assignment; ls issued by another user2 of the same class is then successful. Even though user2 cannot list home/user1, they know that the student probably downloaded the assignment and can copy it.
I have the hunch that nbgrader does not respect umask due to the patch #688.
Expected behavior
I would expect that the fetched assignments are not readable.
Actual behavior
Fetched assignment directory is searchable and the files are readable.
Steps to reproduce the behavior
(Set umask to 077), generate assignment, fetch assignment, ls -al assignment
If someone can confirm this or has an alternative solution, I would be glad to hear that.
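
One way to check and tighten a fetched assignment directory by hand, as an added example that is not part of the original report and is not nbgrader code. The temporary tree, the 711/755/644 modes that mimic the reported state, and the function names are all constructed for this demo.

```shell
#!/bin/sh
# Added example: audit a fetched assignment directory for group/other access.
# Everything runs in a throwaway temp dir; the modes are constructed to mimic
# the state described in the report, not produced by nbgrader.

# Print every entry under $1 that grants any permission bit to group or other.
# The OR chain of "-perm -BIT" tests is the POSIX-portable form of "any bit set".
audit_open_entries() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \
              -o -perm -010 -o -perm -020 -o -perm -040 \) -print
}

# Remove all group/other access below $1 (what umask 077 would have produced).
tighten() {
    chmod -R go-rwx "$1"
}

# Build a constructed home with a searchable top level and a world-readable
# assignment directory, then print the path of the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    (
        umask 077
        mkdir -p "$root/user1/assignment"
        printf 'answers\n' > "$root/user1/assignment/problem1.ipynb"
        # An explicit chmod is not filtered by umask, so these modes stick.
        chmod 711 "$root/user1"                            # x only, for public_html
        chmod 755 "$root/user1/assignment"                 # searchable and listable
        chmod 644 "$root/user1/assignment/problem1.ipynb"  # readable by everyone
    )
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "entries open to group/other before tightening:"
audit_open_entries "$demo/user1/assignment"
tighten "$demo/user1/assignment"
echo "open entries after tightening: $(audit_open_entries "$demo/user1/assignment" | wc -l)"
rm -rf "$demo"
```

Pointing audit_open_entries at a real fetched assignment directory gives the list of paths another account on the same host could read or traverse once the home directory is searchable.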