Open chrismcmacken opened 8 years ago
@chrismcmacken just to be sure have you tried restarting (as in kill) the uwsgi emperor?
@xrmx Yes, I have restarted the entire uwsgi app many times while trying to figure out the problem.
@chrismcmacken any chance you sorted out the issue?
@xrmx Sadly no, I just made the files owned by the uwsgi user.
@chrismcmacken can you share your emperor config please?
[uwsgi]
uid = uwsgi
gid = uwsgi
pidfile = /run/uwsgi/uwsgi.pid
emperor = /etc/uwsgi.d
emperor-tyrant = true
cap = setgid,setuid
processes = 6
threads = 2
daemonize = /var/log/uwsgi/uwsgi.log
die-on-term = true
@chrismcmacken so if you use tyrant mode, each vassal should have uid and gids too, right? Looking at the code in emperor.c:tuwsgi_emperor_spawn_vassal it looks to me that vassals just don't inherit any other group the users have, they just get the uid / gid you gave them. So possibly you are already doing the right thing by using the super-secure-group gid for the vassals that need to read that file. Actually, you changed the ownership of the file to uwsgi; as written above, you may restrict access to a subset of vassals instead of all the vassals.
I am running UWSGI in emperor-tyrant mode, as user uwsgi. I also have some sensitive information in an external file that I want uwsgi and some other applications to be able to access. The file permissions are listed below, and the uwsgi user is a member of the super-secure-group group, which gives it access. If I run sudo -u uwsgi cat secure-file.txt, it outputs the file, but the uwsgi process cannot open the file even though it's running as the same user. Any idea what's wrong here?
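A way to check the explanation given in the thread, as an added example that is not code from the issue or from the uWSGI project: compare the credentials a process actually holds (the Uid, Gid and Groups lines of /proc/<pid>/status on Linux) against the file's owner, group and mode. The status excerpts, the numeric ids (uwsgi = 990, super-secure-group = 1500) and the root:super-secure-group 0640 file are constructed assumptions; the empty Groups line models the reading in the thread that a vassal receives only the uid and gid it was given.

```python
# Constructed /proc/<pid>/status excerpts (not taken from the issue).
# Assumed ids: user/group uwsgi = 990, super-secure-group = 1500.
STATUS_VASSAL = """Name:\tuwsgi
Uid:\t990\t990\t990\t990
Gid:\t990\t990\t990\t990
Groups:\t
"""
STATUS_SUDO_CAT = """Name:\tcat
Uid:\t990\t990\t990\t990
Gid:\t990\t990\t990\t990
Groups:\t990 1500
"""


def parse_creds(status_text):
    """Return (fsuid, fsgid, supplementary gids) from /proc/<pid>/status text."""
    fields = dict(line.split(":", 1)
                  for line in status_text.splitlines() if ":" in line)
    # Uid/Gid columns are real, effective, saved, filesystem; Linux checks
    # file access against the filesystem ids (normally equal to effective).
    fsuid = int(fields["Uid"].split()[3])
    fsgid = int(fields["Gid"].split()[3])
    groups = {int(g) for g in fields.get("Groups", "").split()}
    return fsuid, fsgid, groups


def can_read(status_text, st_uid, st_gid, st_mode):
    """Owner/group/other read check; ignores ACLs, capabilities and root."""
    fsuid, fsgid, groups = parse_creds(status_text)
    if fsuid == st_uid:
        return bool(st_mode & 0o400)
    if st_gid == fsgid or st_gid in groups:
        return bool(st_mode & 0o040)
    return bool(st_mode & 0o004)


if __name__ == "__main__":
    # Assumed file: owner root (0), group super-secure-group (1500), mode 0640.
    print("vassal, root:1500 0640   ->", can_read(STATUS_VASSAL, 0, 1500, 0o640))
    print("sudo cat, root:1500 0640 ->", can_read(STATUS_SUDO_CAT, 0, 1500, 0o640))
    # The workaround from the thread: file owned by the uwsgi user.
    print("vassal, 990:1500 0640    ->", can_read(STATUS_VASSAL, 990, 1500, 0o640))
```

On a live host, pass the contents of /proc/<pid>/status for a vassal process and the st_uid, st_gid and st_mode fields from os.stat() on the file in place of the constructed values.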