Hi thanks for the answer!

My vassal has the option:
cap = net_bind_service

I did: setcap cap_net_bind_service=ep /usr/bin/uwsgi and now it's working
as expected! My processes are running unprivileged but my mule is now able
to bind its socket at the right port even in graceful reloads!

Thank you again!

Bruno Ribeiro


On Wed, Mar 19, 2014 at 1:31 PM, Roberto De Ioris <[email protected]> wrote:

>
> > Hi everyone,
> >
> > I'm having trouble with one of my configurations using uwsgi, I have one
> > mule that needs to open a port at a reserved range so I set the
> > net_bind_service capability, which actually works fine until I have to
> > reload the emperor to apply new changes to my app, after the reload my mule
> > gets a permission denied trying to open its socket on the specified port.
> >
> > If I use restart instead of reload everything works as expected but I do
> > not have a graceful reload as intended.
> >
> > My uwsgi version is 2.0.1
> >
> > Any ideas or is it a bug?
> >
> > Thanks in advance!
> >
> > Bruno Ribeiro
> >
>
> I suppose you set the capability in the vassal, right?
>
> By the way, as the graceful reload implies calling exec() the capabilities
> change in this way:
>
> http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> check the chapter: "Transformation of capabilities during execve()"
>
> basically you need to set filesystem capabilities to the uwsgi binary
> (only the one you need).
>
> If I understand correctly it should be safe even if a malicious user tries
> to call it to bind to a privileged port, as the mask does not apply unless
> a root-owned parent process (like the Emperor) permits it.
>
> Let me know (so I can improve the docs ;)
>
> --
> Roberto De Ioris
> http://unbit.it
> _______________________________________________
> uWSGI mailing list
> [email protected]
> http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
>
