unbit / uwsgi

uWSGI application server container
http://projects.unbit.it/uwsgi

uwsgi unable to open file that the user can access #1092

Open chrismcmacken opened 8 years ago

chrismcmacken commented 8 years ago

I am running UWSGI in emperor-tyrant mode, as user uwsgi. I also have some sensitive information in an external file that I want uwsgi and some other applications to be able to access. The file permissions are listed below, and the uwsgi user is a member of the super-secure-group group, which gives it access. If I run sudo -u uwsgi cat secure-file.txt it outputs the file but the uwsgi process cannot open the file even though it's running as the same user. Any idea what's wrong here?

drwxr-x--- 2 root  super-secure-group 4096 Oct 29 14:28 .
-rw-r----- 1 root  super-secure-group 1675 Oct 29 14:28 secure-file.txt

xrmx commented 8 years ago

@chrismcmacken just to be sure have you tried restarting (as in kill) the uwsgi emperor?

chrismcmacken commented 8 years ago

@xrmx Yes, I have restarted the entire uwsgi app many times while trying to figure out the problem.

xrmx commented 8 years ago

@chrismcmacken any chance you sorted out the issue?

chrismcmacken commented 8 years ago

@xrmx Sadly no, I just made the files owned by the uwsgi user.

xrmx commented 8 years ago

@chrismcmacken can you share your emperor config please?

chrismcmacken commented 8 years ago

[uwsgi]
uid = uwsgi
gid = uwsgi
pidfile = /run/uwsgi/uwsgi.pid
emperor = /etc/uwsgi.d
emperor-tyrant = true
cap = setgid,setuid
processes = 6
threads = 2
daemonize = /var/log/uwsgi/uwsgi.log
die-on-term = true

xrmx commented 8 years ago

@chrismcmacken so if you use tyrant mode each vassal should have uid and gids too, right? Looking at the code in emperor.c:tuwsgi_emperor_spawn_vassal it looks to me that vassals just don't inherit any other group the users have; they just get the uid / gid you gave them. So possibly you are already doing the right thing by using the super-secure-group gid for the vassals that need to read that file. Actually, you changed the ownership of the file to uwsgi; as written above, you may restrict access to a subset of vassals instead of all the vassals.
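The difference xrmx describes comes down to which group list the kernel consults for the group permission class: `sudo -u uwsgi` initialises the target user's supplementary groups from /etc/group, while a process that only received a uid and a gid is checked against that single primary gid. The following script is an added illustration, not code from the issue thread or from uWSGI; it models the Unix discretionary access check for the two `ls -l` entries posted above. The path /srv/secrets and the numeric ids (0 for root, 1001 for the uwsgi user and group, 2001 for super-secure-group) are constructed placeholders.

```python
import os
import stat

# Constructed ids for this example: 0 = root, 1001 = uwsgi user/group,
# 2001 = super-secure-group. The mode strings are the two ls -l lines from the issue.
UID_ROOT, UID_UWSGI, GID_UWSGI, GID_SECURE = 0, 1001, 1001, 2001


def parse_ls_mode(text):
    """Turn an `ls -l` mode string such as 'drwxr-x---' into (is_dir, mode_bits)."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string: %r" % text)
    flags = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    bits = 0
    for ch, flag in zip(text[1:], flags):
        # 's'/'t' mean setuid/setgid/sticky plus the x bit; 'S'/'T' mean no x bit.
        if ch in "rwxst":
            bits |= flag
    return text[0] == "d", bits


# Each entry: (path, is_dir, mode_bits, owner_uid, owner_gid). The path is constructed;
# the modes and owners are the ones shown in the issue (root:super-secure-group).
SECRET_PATH = [
    ("/srv/secrets", *parse_ls_mode("drwxr-x---"), UID_ROOT, GID_SECURE),
    ("/srv/secrets/secure-file.txt", *parse_ls_mode("-rw-r-----"), UID_ROOT, GID_SECURE),
]


def class_bits(mode, owner_uid, owner_gid, uid, gid, supp):
    """Pick the owner, group or other permission triplet that applies to the caller.

    The group triplet applies if the file's gid equals the caller's primary gid OR any
    of its supplementary gids. That second branch is what `sudo -u uwsgi cat` gets
    (sudo runs initgroups() for the target user) and what, according to the thread,
    a tyrant vassal that is only given a uid/gid does not get.
    """
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid == gid or owner_gid in supp:
        return (mode >> 3) & 7
    return mode & 7


def check_read_path(entries, uid, gid, supp=frozenset()):
    """Walk the path: every directory needs search (x), the final file needs read (r).

    Returns (True, None) on success or (False, first_blocking_path). root bypasses
    both read and directory-search checks.
    """
    if uid == 0:
        return True, None
    for path, is_dir, mode, owner_uid, owner_gid in entries:
        need = 1 if is_dir else 4  # x for directories, r for the file itself
        have = class_bits(mode, owner_uid, owner_gid, uid, gid, supp)
        if have & need != need:
            return False, path
    return True, None


def current_process_view():
    """The same three inputs for the running process, for checking a live deployment."""
    return os.getuid(), os.getgid(), frozenset(os.getgroups())


if __name__ == "__main__":
    # `sudo -u uwsgi cat`: supplementary groups initialised from /etc/group.
    print(check_read_path(SECRET_PATH, UID_UWSGI, GID_UWSGI, frozenset({GID_SECURE})))
    # Tyrant vassal: only the uid/gid taken from the vassal file, no supplementary groups.
    print(check_read_path(SECRET_PATH, UID_UWSGI, GID_UWSGI))
    # xrmx's suggestion: give only the vassal that needs the file super-secure-group as its gid.
    print(check_read_path(SECRET_PATH, UID_UWSGI, GID_SECURE))
```

Two points the model makes visible. First, the directory is what fails first: with mode drwxr-x--- and owner root:super-secure-group, a process outside that group cannot even search /srv/secrets, so chowning only secure-file.txt to uwsgi would not have been enough unless the directory was changed too. Second, the least-privilege fix xrmx points at is to set super-secure-group as the gid of just the vassal that needs the file (in tyrant mode, via the vassal file's ownership) rather than opening the file to every vassal; the same three inputs for a live process come from `current_process_view()`, and `os.access(path, os.R_OK)` run inside the vassal gives the kernel's own verdict.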