Skip to content

gh-143511: Document sys.remote_exec permissions requirements #143575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Yashp002 wants to merge 7 commits into
base: main
Choose a base branch
from
Open

gh-143511: Document sys.remote_exec permissions requirements #143575

Yashp002 wants to merge 7 commits into from
+19 −3

Conversation

@Yashp002
Copy link
Contributor

@Yashp002 Yashp002 commented Jan 8, 2026
edited by github-actions bot
Loading

sys.remote_exec(pid, script_path) creates a temporary script with restrictive
permissions (typically 0o600). The target process must be able to read this
file, which fails in cross-user scenarios (e.g. sudo debugging).

Added documentation note with example showing how to os.chmod() the file to
0o644 (readable by group/other) before calling.

Addresses the PermissionError reported in #143511.

Co-authored-by: @RafaelWO

📚 Documentation preview 📚: https://cpython-previews--143575.org.readthedocs.build/

@bedevere-app bedevere-app bot added docs Documentation in the Doc dir skip news labels Jan 8, 2026
@bedevere-app bedevere-app bot mentioned this pull request Jan 8, 2026
Open
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Jan 8, 2026
@RafaelWO
Copy link
Contributor

RafaelWO commented Jan 8, 2026
edited
Loading

Wouldn't it make more sense to add this info to the remote debugging docs? 🤔

@Yashp002
Copy link
Contributor Author

Yashp002 commented Jan 8, 2026

@RafaelWO Well i figured sys.rst or sys.executable here is way more used or gone through by users on a daily basis? Sys.rst is more discoverable for users hitting the error.
We could go with keeping it in both too but this one's just more discoverable imo unless I'm heavily mistaken.

@StanFromIreland StanFromIreland changed the title gh-143511: Document sys.remote_exec permissions requirements [skip news] gh-143511: Document sys.remote_exec permissions requirements Jan 9, 2026
StanFromIreland
StanFromIreland reviewed Jan 9, 2026
View reviewed changes
RafaelWO
RafaelWO reviewed Jan 10, 2026
View reviewed changes
picnixz
picnixz reviewed Jan 10, 2026
View reviewed changes
Doc/library/sys.rst Outdated
Comment on lines 2022 to 2033
Callers should adjust permissions before calling, for example::

import os
import tempfile
import sys

with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
f.write("print('Hello from remote!')")
f.flush()
os.chmod(f.name, 0o644) # Readable by group/other
sys.remote_exec(pid, f.name)
os.unlink(f.name) # Cleanup
Copy link
Member

@picnixz picnixz Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be put before the audit event descriptions.

Copy link
Contributor Author

@Yashp002 Yashp002 Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@picnixz Have implemented that yes.

Copy link
Contributor

@RafaelWO RafaelWO Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not before the audit events yet. Speaking in line numbers, your paragraph should be after line 1998 but before 2000.

Image

Copy link
Contributor Author

@Yashp002 Yashp002 Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did so
accidentally named the commit the same as last one but yeah, shouldn't be a problem

Copy link
Contributor

@RafaelWO RafaelWO Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are almost there: Please move all your content above the audit-event directives - not just the first paragraph 😉

RafaelWO
RafaelWO reviewed Jan 19, 2026
View reviewed changes
Doc/library/sys.rst Outdated
Comment on lines 1999 to 2000
The temporary script file is created with restrictive permissions (typically
``0o600``). The target process must be able to read this file.
Copy link
Contributor

@RafaelWO RafaelWO Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might be misleading since it sounds like remote_exec creates the script (which it does not).

Example suggestion:

Note that the remote process must be able to read this file in terms of permissions. If the caller is running under a different user than the remote process, the caller should adjust permissions (...)

Copy link
Contributor Author

@Yashp002 Yashp002 Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright yeah, yours is quite better I have to say, cuz what I've inputted may be misleading.

Thanks I'll use yours:)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz left review comments

@StanFromIreland StanFromIreland StanFromIreland left review comments

+1 more reviewer

@RafaelWO RafaelWO RafaelWO left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

awaiting review docs Documentation in the Doc dir skip news

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Yashp002 @RafaelWO @picnixz @StanFromIreland