Path: csiph.com!eternal-september.org!feeder.eternal-september.org!border1.nntp.ams1.giganews.com!nntp.giganews.com!newsfeed.xs4all.nl!newsfeed7.news.xs4all.nl!nzpost1.xs4all.net!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.000
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'root': 0.04; 'python3': 0.05; 'tries': 0.05; 'exit': 0.07; 'permissions': 0.07; 'root,': 0.07; 'socket': 0.07; 'cc:addr:python-list': 0.09; 'absent': 0.09; 'module)': 0.09; 'sockets': 0.09; 'subject:skip:m 10': 0.09; 'yeah,': 0.09; 'python': 0.10; '"this': 0.13; "b'')": 0.16; 'daemons': 0.16; 'describing': 0.16; 'err,': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'only",': 0.16; 's.accept()': 0.16; 'simulate': 0.16; 'sudo': 0.16; 'wrote:': 0.16; 'frameworks': 0.18; '>>>': 0.20; 'windows': 0.20; '2015': 0.20; 'cc:2**0': 0.20; 'cc:addr:python.org': 0.20; 'permission': 0.20; 'skip:" 30': 0.20; 'fairly': 0.22; '"",': 0.22; 'denied': 0.22; 'permitted': 0.22; 'sep': 0.22; 'am,': 0.23; 'bit': 0.23; '(or': 0.23; '(you': 0.23; "python's": 0.23; 'sat,': 0.23; "haven't": 0.24; 'import': 0.24; '(most': 0.24; 'unix': 0.24; 'header:In-Reply-To:1': 0.24; 'sort': 0.25; 'linux': 0.26; 'chris': 0.26; 'supported': 0.27; 'fri,': 0.27; 'message- id:@mail.gmail.com': 0.27; 'restrict': 0.27; 'said,': 0.27; 'skip:( 20': 0.28; 'looks': 0.29; 'mind,': 0.29; 'socket,': 0.29; 'starts': 0.29; 'there.': 0.30; "i'm": 0.30; '(including': 0.30; 'skip:g 30': 0.30; 'another': 0.32; "can't": 0.32; 'up.': 0.32; 'related': 0.32; 'good.': 0.32; 'though,': 0.32; 'problem': 0.33; 'common': 0.33; 'traceback': 0.33; 'windows.': 0.33; 'file': 0.34; 'running': 0.34; 'server': 0.34; 'received:google.com': 0.35; 'done': 0.35; 'sometimes': 0.35; 'but': 0.36; 'instead': 0.36; '(and': 0.36; 'subject:: ': 0.37; 'really': 0.37; 'say': 0.37; 'sure': 0.39; 'does': 0.39; 'subject:-': 0.39; 'where': 0.40; 'some': 0.40; 'protection': 0.60; 'chance': 0.60; 'your': 0.60; 'here.': 0.62; 'skip:n 10': 0.62; '(that': 0.63; 'more': 0.63; 'mar': 0.65; 'here': 0.66; 'course.': 0.67; 'talking': 0.67; 'user,': 0.67; 'direct': 0.68; 'chrisa': 0.84; 'flexible,': 0.84; 'lacks': 0.84; 'proves': 0.84; 'subject:down': 0.84; 'to:none': 0.91; 'notion': 0.91
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=428xZDVMxZKKuCFW6P1QjXWAB6I42JUUszvNHshuEiY=; b=JOiaerLMBqxOaQKNvAzrPla3mmPhvWqypS8bpKGURslnisNMbJFQbRDQ0n+61Ab6WQ SqDrEELCGDW+eDabQqJNjmvzjARqIyyN2LVj/o90JgHKOAiGCJDHTl7tF/lAVHMOLhuZ Xqnlt/HZn9FOntnbHVmTp6sV22gIl/zUZUSnwc/shUeZFDRQnlFxUd/qfXka8SqtgZlL ITYnRHJGCWG4R7+lO8H7KP+ZMy8X6tkWIk9xtaRzFPHf9yJ0C+tE50vfj8xWOVTN3s6P wE7aFsvMd3wPYTBDhO2MkTww3LmyJKpSR49kftb2t8oGUg9HsYko9tuxLB6OZkCsuRu5 qZ8g==
MIME-Version: 1.0
X-Received: by 10.107.33.81 with SMTP id h78mr15701740ioh.19.1442614153014; Fri, 18 Sep 2015 15:09:13 -0700 (PDT)
In-Reply-To: <1442612909.2539807.387692137.0E9C2446@webmail.messagingengine.com>
References: <mthgrk$uh1$1@dont-email.me> <CAPTjJmqw26YfJs12q6C_a_JYhQks6RmLhL=0A7OCy5jcGpaBug@mail.gmail.com> <1442612909.2539807.387692137.0E9C2446@webmail.messagingengine.com>
Date: Sat, 19 Sep 2015 08:09:12 +1000
Subject: Re: Shutting down a cross-platform multithreaded app
From: Chris Angelico <rosuav@gmail.com>
Cc: "python-list@python.org" <python-list@python.org>
Content-Type: text/plain; charset=UTF-8
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.20+
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.11.1442614161.21674.python-list@python.org>
Lines: 89
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1442614161 news.xs4all.nl 23839 [2001:888:2000:d::a6]:51807
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:96841

On Sat, Sep 19, 2015 at 7:48 AM, Random832 <random832@fastmail.com> wrote:
> On Fri, Sep 18, 2015, at 17:40, Chris Angelico wrote:
>> Bear in mind, though, that Windows has no protection against other
>> processes shutting you down.
>
> Neither does Unix. Any process that can send you a signal can send you
> SIGKILL.

Incorrect. If your server is running as root, only root can kill it:

rosuav@sikorsky:~$ kill -9 17080
bash: kill: (17080) - Operation not permitted

If it's running as some other user, then that user can kill it (that
includes the simple case where a non-root user starts a process and
also tries to kill it), as can root, of course. So you have protection
against direct signals (and not just 9/KILL, naturally); and you also
have protection against an AF_UNIX socket, which is what I was talking
about here. The control over sockets is a bit more flexible, as I'm
fairly sure group permissions can't be set for process signals, but
they can for named sockets:

rosuav@sikorsky:~$ python3
Python 3.6.0a0 (default:30bc256f2346, Sep 17 2015, 02:01:45)
[GCC 4.9.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
>>> s.bind("/tmp/demo_socket")
>>> import os
>>> os.chmod("/tmp/demo_socket",0o750)
>>> s.listen(1)
>>> s.accept()
# program pauses here
(<socket.socket fd=4, family=AddressFamily.AF_UNIX,
type=SocketKind.SOCK_STREAM, proto=0, laddr=/tmp/demo_socket>, b'')

In another terminal, using Python 2 for variety:

rosuav@sikorsky:~$ sudo sudo -u tfr python
Python 2.7.9 (default, Mar  1 2015, 12:57:24)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> s = socket.socket(socket.AF_UNIX)
>>> s.connect("/tmp/demo_socket")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied

Err, nope! What if I don't change users?

rosuav@sikorsky:~$ python
Python 2.7.9 (default, Mar  1 2015, 12:57:24)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> s = socket.socket(socket.AF_UNIX)
>>> s.connect("/tmp/demo_socket")
>>>

Looks good. (Feel free to concoct your own scenario that proves that
group permissions work here; I don't have any handy demo cases.)

Unix is designed for this exact sort of thing. Windows isn't, and
privilege escalation attacks are far more common there.

> Of course, what Windows lacks is a generalized way for other processes
> to send "less destructive" signals that do give you a chance to clean
> up. (You can sometimes send a ctrl-break event, but that's it.) And most
> frameworks for "emulating" them (including python's os module) simulate
> sending other signals by calling TerminateProcess with an exit status
> related to the signal.

Yeah, the whole notion of less-destructive (or even completely
non-destructive - look at how a lot of daemons use SIGHUP) signals is
absent on Windows. But that's not really the problem here; the problem
is that there's no way to say "this is a socket for my process ONLY",
which in Unix would be done with a socket.socketpair, but on Windows I
think has to be simulated.

That said, though.... socket.socketpair() IS supported on Windows...
as of Python 3.5. I haven't tested it to see what it's like. If you
can restrict your support to 3.5+, you might be able to do this
instead of what I was describing above.

ChrisA