Skip to content

SubprocessTransport .close() can fail with PermissionError with setuid programs #112800

New issue
New issue
Closed
#112803
Closed
SubprocessTransport .close() can fail with PermissionError with setuid programs#112800
#112803
Labels
topic-asynciotype-bugAn unexpected behavior, bug, or error
@allisonkarlitskaya

Description

@allisonkarlitskaya
allisonkarlitskaya
opened on Dec 6, 2023

Bug report

Bug description:

Python 3.12.0 (main, Oct  2 2023, 00:00:00) [GCC 13.2.1 20230918 (Red Hat 13.2.1-3)] on linux

aka python3-3.12.0-1.fc39.x86_64.

Run this code on your Linux system with pkexec setup. That should work on any normalish GNOME system, I'd guess. I'm using Fedora 39.

import asyncio


class MyProtocol(asyncio.SubprocessProtocol):
    pass


async def run():
    loop = asyncio.get_running_loop()
    transport, protocol = await loop.subprocess_exec(MyProtocol, 'pkexec', 'cat')
    await asyncio.sleep(10)
    transport.close()


asyncio.run(run())

You should get a popup to enter your admin password. Do that within 10 seconds. Then cat (which now has the same PID as we spawned pkexec with) will be running as root.

transport.close() attempts to kill() that PID, which fails:

Traceback (most recent call last):
  File "/var/home/lis/src/cockpit/ferny-transport/break.py", line 15, in <module>
    asyncio.run(run())
  File "/usr/lib64/python3.12/asyncio/runners.py", line 194, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/asyncio/base_events.py", line 664, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/var/home/lis/src/cockpit/ferny-transport/break.py", line 12, in run
    transport.close()
  File "/usr/lib64/python3.12/asyncio/base_subprocess.py", line 117, in close
    self._proc.kill()
  File "/usr/lib64/python3.12/subprocess.py", line 2209, in kill
    self.send_signal(signal.SIGKILL)
  File "/usr/lib64/python3.12/subprocess.py", line 2196, in send_signal
    os.kill(self.pid, sig)
PermissionError: [Errno 1] Operation not permitted

Probably the call to self._proc.kill() in .close() should be guarded to ignore PermissionError. It already ignores ProcessLookupError:

            try:
                self._proc.kill()
            except ProcessLookupError:
                pass

There are many other setuid utilities that this doesn't seem to be a problem with. The shadow-utils tools like passwd seem to remain killable, as does sudo (which keeps a process running around and forks off to spawn the desired command as root). In fact, pkexec was the only tool I could find that causes this issue, but as viewed from the Python side, we clearly cannot necessarily rely on being able to .kill() a PID that we created.

Thanks!

CPython versions tested on:

3.12, 3.13

Operating systems tested on:

Linux

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    topic-asynciotype-bugAn unexpected behavior, bug, or error

    Projects

    asyncio

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions