> Hi everyone,
>
> I'm having trouble with one of my configurations using uwsgi, I have one
> mule that needs to open a port at a reserved range so I set the
> net_bind_service capability, which actually works fine until I have to
> reload the emperor to apply new changes to my app, after the reload my
> mule gets a permission denied trying to open its socket on the specified port.
>
> If I use restart instead of reload everything works as expected but I do
> not have a graceful reload as intended.
>
> My uwsgi version is 2.0.1
>
> Any ideas or is it a bug?
>
> Thanks in advance!
>
> Bruno Ribeiro

I suppose you set the capability in the vassal, right?

By the way, as the graceful reload implies calling exec(), the capabilities change in this way:

http://man7.org/linux/man-pages/man7/capabilities.7.html

Check the chapter: "Transformation of capabilities during execve()"

Basically you need to set filesystem capabilities on the uwsgi binary (only the one you need).

If I understand correctly it should be safe even if a malicious user tries to call it to bind to a privileged port, as the mask does not apply unless a root-owned parent process (like the Emperor) permits it.

Let me know (so I can improve docs ;)

--
Roberto De Ioris
http://unbit.it
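
An added example, not part of this thread or of uWSGI's code: a small Python model of the rules in the capabilities(7) chapter referenced above, applied to the reload case. It assumes a non-root caller, no set-user-ID bit and default securebits; the `Proc`/`File` classes and the scenario names are constructed for illustration.

```python
# Model of "Transformation of capabilities during execve()" (capabilities(7)).
# Assumes a non-root caller, no set-user-ID/set-group-ID bit, default securebits.
from dataclasses import dataclass

NBS = "cap_net_bind_service"
NONE = frozenset()

@dataclass(frozen=True)
class Proc:  # thread capability sets (hypothetical model class)
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: frozenset = NONE
    ambient: frozenset = NONE
    bounding: frozenset = frozenset({NBS})

@dataclass(frozen=True)
class File:  # file capabilities, as written by setcap (hypothetical model class)
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: bool = False  # a single bit on files, not a set

def execve(p: Proc, f: File) -> Proc:
    has_file_caps = bool(f.permitted or f.inheritable or f.effective)
    ambient = NONE if has_file_caps else p.ambient  # ambient is dropped for such files
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    return Proc(permitted, p.inheritable, effective, ambient, p.bounding)

def can_bind_low_port(p: Proc) -> bool:
    return NBS in p.effective

def scenarios() -> dict:
    caps = frozenset({NBS})
    plain = File()                                    # binary without file capabilities
    file_ei = File(inheritable=caps, effective=True)  # like setcap ...+ei
    file_ep = File(permitted=caps, effective=True)    # like setcap ...+ep
    mule = Proc(permitted=caps, effective=caps)       # capability set at runtime only
    mule_inh = Proc(permitted=caps, inheritable=caps, effective=caps)
    other_user = Proc()                               # caller holding no capabilities
    return {
        "reload, no file caps": can_bind_low_port(execve(mule, plain)),
        "reload, +ei file, inheritable kept": can_bind_low_port(execve(mule_inh, file_ei)),
        "other user, +ei file": can_bind_low_port(execve(other_user, file_ei)),
        "other user, +ep file": can_bind_low_port(execve(other_user, file_ep)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'bind allowed' if ok else 'permission denied'}")
```

In this model the first case reproduces the permission denied after reload, and the last case shows that a file permitted capability (`+ep`) reaches any caller able to execute the binary, so the binary's ownership and mode matter when that form is used.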
