michael-lazar / pygopherd

Multiprotocol Gopher/Web Server [Python 3]
https://michael-lazar.github.io/pygopherd/doc/pygopherd.html
GNU General Public License v2.0
33 stars 8 forks source link

Permission denied while loading init_ssl_context #14

Open CiQL opened 1 month ago

CiQL commented 1 month ago

Attempting to use my Let's Encrypt certs with pygopherd leads to a permission error despite supposedly running as root at that point.

Running pygopherd from apt, Debian bookworm repos, version 3.0.0~git20221126.02c65d60-3

In the pygopherd config, path to certificates is the default Let's Encrypt path (/etc/letsencrypt/live/<domain>/fullchain.pem), accessible only to the root user (default certbot config). chroot enabled in config with user and group gopher.

Traceback:

Pygopherd starting, using configuration file /etc/pygopherd/pygopherd.conf
mimetypes initialized with files: ['/etc/mime.types']
 Traceback (most recent call last):
   File "/usr/sbin/pygopherd", line 42, in <module>
     s = initialization.initialize(args.config)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/pygopherd/initialization.py", line>
     context = init_ssl_context(config)
               ^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/pygopherd/initialization.py", line>
     context.load_cert_chain(certfile, keyfile)
PermissionError: [Errno 13] Permission denied
CiQL commented 1 month ago

I believe I've discovered that this error only occurs because the default apt package's systemd service does not start as root at all, which is incorrect behavior according to the comments in the config file, but also probably more secure overall.

While changing the systemd file to run as root user and root group and enabling chroot (by uncommenting the setuid and setgid lines as warned by the config file) and the TLS certificate in /etc/pygopherd/pygopherd.conf another error occurred:

Pygopherd starting, using configuration file /etc/pygopherd/pygopherd.conf
mimetypes initialized with files: ['/etc/mime.types']
setpgrp() failed with [Errno 1] Operation not permitted
Chrooted to /var/gopher
Traceback (most recent call last):
  File "/usr/sbin/pygopherd", line 42, in <module>
  File "/usr/lib/python3/dist-packages/pygopherd/initialization.py", line 183, in initialize
  File "/usr/lib/python3/dist-packages/pygopherd/initialization.py", line 114, in init_security
PermissionError: [Errno 1] Operation not permitted

This line is the call to os.setgroups(()). Uncommenting the setuid and setgid lines in the config also made this line fail regardless of how anything else was handled, so I commented those lines back out.

Finally, to get it to work, I copied the Let's Encrypt cert and private key into a folder readable by the gopher user and group, then sudo chown gopher:gopher fullchain.pem; sudo chown gopher:gopher privkey.pem. (I think this is acceptable behavior based on the fact that the XMPP server Prosody has a script that does basically the same thing.) Restarting the service afterwards seems to be working, and I can even connect to my Gopher site via Gemini, although only on gopher port 70.

I'm going to leave this issue open because this seems like incorrect behavior based on my understanding of the comments in the default config file for the install, but this behavior may actually be working as intended.