SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

allisonkarlitskaya · 2023-12-06T13:45:19Z

Bug report

Bug description:

Python 3.12.0 (main, Oct  2 2023, 00:00:00) [GCC 13.2.1 20230918 (Red Hat 13.2.1-3)] on linux

aka python3-3.12.0-1.fc39.x86_64.

Run this code on your Linux system with pkexec setup. That should work on any normalish GNOME system, I'd guess. I'm using Fedora 39.

import asyncio


class MyProtocol(asyncio.SubprocessProtocol):
    pass


async def run():
    loop = asyncio.get_running_loop()
    transport, protocol = await loop.subprocess_exec(MyProtocol, 'pkexec', 'cat')
    await asyncio.sleep(10)
    transport.close()


asyncio.run(run())

You should get a popup to enter your admin password. Do that within 10 seconds. Then cat (which now has the same PID as we spawned pkexec with) will be running as root.

transport.close() attempts to kill() that PID, which fails:

Traceback (most recent call last):
  File "/var/home/lis/src/cockpit/ferny-transport/break.py", line 15, in <module>
    asyncio.run(run())
  File "/usr/lib64/python3.12/asyncio/runners.py", line 194, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/asyncio/base_events.py", line 664, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/var/home/lis/src/cockpit/ferny-transport/break.py", line 12, in run
    transport.close()
  File "/usr/lib64/python3.12/asyncio/base_subprocess.py", line 117, in close
    self._proc.kill()
  File "/usr/lib64/python3.12/subprocess.py", line 2209, in kill
    self.send_signal(signal.SIGKILL)
  File "/usr/lib64/python3.12/subprocess.py", line 2196, in send_signal
    os.kill(self.pid, sig)
PermissionError: [Errno 1] Operation not permitted

Probably the call to self._proc.kill() in .close() should be guarded to ignore PermissionError. It already ignores ProcessLookupError:

            try:
                self._proc.kill()
            except ProcessLookupError:
                pass

There are many other setuid utilities that this doesn't seem to be a problem with. The shadow-utils tools like passwd seem to remain killable, as does sudo (which keeps a process running around and forks off to spawn the desired command as root). In fact, pkexec was the only tool I could find that causes this issue, but as viewed from the Python side, we clearly cannot necessarily rely on being able to .kill() a PID that we created.

Thanks!

CPython versions tested on:

3.12, 3.13

Operating systems tested on:

Linux

Linked PRs

gh-112800: Ignore PermissionError on SubprocessTransport.close() #112803

The text was updated successfully, but these errors were encountered:

In case the spawned process is setuid, we may not be able to send signals to it, in which case our .kill() call will raise PermissionError. Ignore that in order to avoid .close() raising an exception. Hopefully the process will exit as a result of receiving EOF on its stdin.

See python/cpython#112800

…syncio (#112803) In case the spawned process is setuid, we may not be able to send signals to it, in which case our .kill() call will raise PermissionError. Ignore that in order to avoid .close() raising an exception. Hopefully the process will exit as a result of receiving EOF on its stdin.

…) in asyncio (python#112803) In case the spawned process is setuid, we may not be able to send signals to it, in which case our .kill() call will raise PermissionError. Ignore that in order to avoid .close() raising an exception. Hopefully the process will exit as a result of receiving EOF on its stdin.

allisonkarlitskaya added the type-bug An unexpected behavior, bug, or error label Dec 6, 2023

AlexWaygood added the topic-asyncio label Dec 6, 2023

github-project-automation bot added this to asyncio Dec 6, 2023

github-project-automation bot moved this to Todo in asyncio Dec 6, 2023

This was referenced Dec 6, 2023

gh-112800: Ignore PermissionError on SubprocessTransport.close() #112803

Merged

massive Peer rework, based on FernyTransport cockpit-project/cockpit#19668

Closed

allisonkarlitskaya added a commit to allisonkarlitskaya/ferny that referenced this issue Dec 6, 2023

transport: suppress PermissionError from SubprocessTransport.close()

5457cf0

See python/cpython#112800

allisonkarlitskaya mentioned this issue Dec 6, 2023

transport: suppress PermissionError from SubprocessTransport.close() allisonkarlitskaya/ferny#24

Merged

allisonkarlitskaya added a commit to allisonkarlitskaya/ferny that referenced this issue Dec 6, 2023

transport: suppress PermissionError from SubprocessTransport.close()

8495022

See python/cpython#112800

gvanrossum closed this as completed in #112803 Dec 24, 2023

github-project-automation bot moved this from Todo to Done in asyncio Dec 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

allisonkarlitskaya commented Dec 6, 2023 •

edited by bedevere-app bot

Loading

SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

Comments

allisonkarlitskaya commented Dec 6, 2023 • edited by bedevere-app bot Loading

Bug report

Bug description:

CPython versions tested on:

Operating systems tested on:

Linked PRs

allisonkarlitskaya commented Dec 6, 2023 •

edited by bedevere-app bot

Loading