Read TLS key before dropping privileges #1404

Open
cochiseruhulessin opened this Issue Dec 3, 2016 · 3 comments

@cochiseruhulessin

I want to secure my traffic using TLS; however, gunicorn requires me to give the unprivileged worker processes read access to the TLS server key.

@benoitc
Owner
benoitc commented Dec 6, 2016

@cochiseruhulessin ? Only the user launching gunicorn normally needs it. How can I reproduce it?

@tilgovi
Collaborator
tilgovi commented Dec 20, 2016

@benoitc take a keyfile, like the one in examples, and remove read permissions to others (chmod o-r server.key), then start gunicorn like so:

sudo /path/to/gunicorn --certfile server.crt --keyfile server.key --user nobody --group nogroup echo:app

Trying to make a request will cause gunicorn to error with:

Traceback (most recent call last):
  File "/home/tilgovi/src/gunicorn/gunicorn/workers/sync.py", line 131, in handle
    **self.cfg.ssl_options)
  File "/usr/lib/python2.7/ssl.py", line 933, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 544, in __init__
    self._context.load_cert_chain(certfile, keyfile)
IOError: [Errno 13] Permission denied

@tilgovi
Collaborator
tilgovi commented Dec 23, 2016

Unfortunately, I think we cannot fix this until we drop python 2.6 support. In python 2.6, from what I read in the source, the certfile and keyfile are not accessed until a connection is accepted. Python 2.7 added SSLContext, which can read and hold the certfile and keyfile when the socket is wrapped with ssl.wrap_socket.
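The ordering this issue asks for, as an added example that is not gunicorn's code and not part of the thread: the key is read into an SSLContext while the process is still privileged, and only then does the process switch to the worker identity. It assumes Python 3's `ssl.SSLContext`; the function names and the `os_mod` parameter (there so the drop can be exercised without root) are hypothetical.

```python
import os
import ssl


def load_tls_context(certfile, keyfile):
    """Read the certificate and private key into memory.

    Call this while still privileged, so the key file can stay
    readable by root only (for example mode 0600).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises OSError (PermissionError, FileNotFoundError) or ssl.SSLError,
    # which is also an OSError, if the files cannot be read or parsed.
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def drop_privileges(uid, gid, os_mod=os):
    """Switch to the worker identity: groups first, uid last."""
    os_mod.setgroups([])  # clear supplementary groups inherited from root
    os_mod.setgid(gid)    # must come before setuid, which removes the right
    os_mod.setuid(uid)
    # Fail closed if the process is somehow still running as root.
    if uid != 0 and os_mod.geteuid() == 0:
        raise RuntimeError("privilege drop did not take effect")


def prepare_worker(certfile, keyfile, uid, gid, os_mod=os):
    """Load the key as the launching user, then become the worker user.

    If the key cannot be loaded, the exception propagates before any
    privilege change, so startup fails instead of failing per request.
    """
    ctx = load_tls_context(certfile, keyfile)  # step 1: privileged read
    drop_privileges(uid, gid, os_mod)          # step 2: unprivileged from here
    # step 3 (per connection): ctx.wrap_socket(conn, server_side=True)
    return ctx
```

With this ordering the worker user never opens `server.key`, so the `chmod o-r server.key` setup from the reproduction no longer produces a permission error at request time.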
