permission denied regression reading extracted certs with multiple users #6764

Open
jmelahman opened this issue Jul 9, 2024 · 1 comment

Comments

@jmelahman

If it is necessary to extract the certs from a zip file, they'll be written to somewhere like /tmp/cacert.pem. This is problematic for subsequent users who may not have permission to access this /tmp/cacert.pem.

Seems related to #6667

Note, this issue was not present with version 2.31.0

Expected Result

Two users should be able to extract zipped certs on the same filesystem without issue.

Actual Result

Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/jamison/.../__main__.py", line 83, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/..., line 22, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/..., line 13, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/__init__.py", line 164, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/api.py", line 11, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/sessions.py", line 15, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/adapters.py", line 77, in <module>
PermissionError: [Errno 13] Permission denied

Reproduction Steps

touch /tmp/test_utils.py
chown root:root /tmp/test_utils.py
python -m pytest test/test_utils.py

The full end-to-end steps are a bit involved. A,
__main__.py

import requests

as a standalone zip executable is enough to repro (though I haven't been able to repro with executables that unarchive themselves such as zipapp -- in this case, we're using something similar to Google's subpar).

System Information

$ python -m requests.help
{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.3.2"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.12.3"
  },
  "platform": {
    "release": "6.6.32-1-lts",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.32.3"
  },
  "system_ssl": {
    "version": "30300000"
  },
  "urllib3": {
    "version": "2.2.2"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}
@jmelahman

I think this is fundamentally the same issue as #5994 which was marked as won't fix.

Happy to contribute a fix if there is a satisfactory solution. In my case, the file permissions are less of the issue; it is more that this file is not guaranteed to be owned by the current user. Possible solutions I see include:

  • embed the user metadata into the filename. /tmp/cacert.pem becomes /tmp/jamison_cacert.pem. Not foolproof, but simple and resolves my issue.
  • replace this /tmp/cacert.pem with a random temporary file (similar to what certifi would do). I'm not sure how long this file would need to live on disk, but maybe now with preloading the certs, this file can be removed after this initial load.
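
An added example (not code from requests or from this issue) of the second option listed above: extracting a zip member to a randomly named, owner-only temporary file, plus an ownership check for any file found at a fixed path in a shared temp directory. The function names and the sample archive are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import zipfile


def owned_and_private(path):
    """True only for a regular file we own that group/others cannot write."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    except FileNotFoundError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.geteuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def extract_member_private(archive, member):
    """Extract one zip member to a fresh, randomly named owner-only file.

    mkstemp() opens with O_CREAT | O_EXCL and mode 0600, so a file that
    another user already created in the shared temp directory is never
    reused, and two users never collide on the same name.
    """
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    suffix = "_" + os.path.basename(member)
    fd, path = tempfile.mkstemp(prefix="certs_", suffix=suffix)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except BaseException:
        os.unlink(path)  # do not leave a partial bundle behind
        raise
    return path


def build_sample_archive(directory):
    """Constructed sample input: a zip holding a placeholder cacert.pem."""
    archive = os.path.join(directory, "app.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certifi/cacert.pem", "# constructed placeholder bundle\n")
    return archive


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        extracted = extract_member_private(build_sample_archive(workdir),
                                           "certifi/cacert.pem")
        print(extracted, owned_and_private(extracted))
        os.unlink(extracted)
```

The caller is responsible for removing the extracted file once the bundle has been loaded.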
