psf / requests

A simple, yet elegant, HTTP library.
https://requests.readthedocs.io/en/latest/
Apache License 2.0

permission denied regression reading extracted certs with multiple users #6764

Open jmelahman opened 1 month ago

jmelahman commented 1 month ago

If it is necessary to extract the certs from a zip file, they'll be written to somewhere like /tmp/cacert.pem. This is problematic for subsequent users who may not have permission to access this /tmp/cacert.pem.

Seems related to https://github.com/psf/requests/pull/6667

Note, this issue was not present with version 2.31.0

Expected Result

Two users should be able to extract zipped certs on the same filesystem without issue.

Actual Result

Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/jamison/.../__main__.py", line 83, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/..., line 22, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/..., line 13, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/__init__.py", line 164, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/api.py", line 11, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/sessions.py", line 15, in <module>
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
  File "<frozen zipimport>", line 259, in load_module
  File "/home/jamison/.../pypi__39__requests_2_32_2/requests/adapters.py", line 77, in <module>
PermissionError: [Errno 13] Permission denied

Reproduction Steps

touch /tmp/test_utils.py
chown root:root /tmp/test_utils.py
python -m pytest test/test_utils.py

The full end-to-end steps are a bit involved. A __main__.py

import requests

as a standalone zip executable is enough to repro (though I haven't been able to repro with executables that unarchive themselves such as zipapp -- in this case, we're using something similar to Google's subpar).

System Information

$ python -m requests.help
{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.3.2"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.12.3"
  },
  "platform": {
    "release": "6.6.32-1-lts",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.32.3"
  },
  "system_ssl": {
    "version": "30300000"
  },
  "urllib3": {
    "version": "2.2.2"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}
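
One way to avoid the shared /tmp/cacert.pem collision reported above, as an added example that is not code from requests or from the reporter: each user extracts the bundle into a directory that only that user owns, and the directory's ownership and mode are checked before anything in it is trusted. The names `private_cache_dir`, `extract_member` and `ca-bundle-cache` are hypothetical, the archive is constructed sample input, and a POSIX system is assumed.

```python
import os
import stat
import tempfile
import zipfile


def private_cache_dir(base, name="ca-bundle-cache"):
    """Return a per-user 0700 directory under base, refusing unsafe ones."""
    path = os.path.join(base, f"{name}-{os.getuid()}")
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: a symlink sitting at this name is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is writable by other users")
    return path


def extract_member(archive, member, base=None):
    """Extract one zip member into the caller's private cache directory."""
    cache = private_cache_dir(base or tempfile.gettempdir())
    target = os.path.join(cache, os.path.basename(member))
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    # Write to a unique temp file, then rename: readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=cache)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def demo():
    """Constructed input: a zip holding a placeholder PEM, not a real CA bundle."""
    with tempfile.TemporaryDirectory() as base:
        archive = os.path.join(base, "app.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("certifi/cacert.pem", "-----PLACEHOLDER PEM-----\n")
        path = extract_member(archive, "certifi/cacert.pem", base)
        with open(path) as fh:
            return os.path.basename(os.path.dirname(path)), fh.read()
```

Because the directory name carries the uid, two users on the same filesystem never share a target path, and a file that the current user does not own is never loaded as the trust store.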

jmelahman commented 1 month ago

I think this is fundamentally the same issue as https://github.com/psf/requests/issues/5994 which was marked as won't fix.

Happy to contribute a fix if there is a satisfactory solution. In my case, the file permissions are less of the issue and more so that this file is not guaranteed to be owned by the current user. Possible solutions I see include: