uWSGI vassal 没有产生正确的权限

uWSGI vassal not spawning with correct permissions

我有一个 vassal,我希望 运行 作为 cuckoo 用户。 vassal 创建一个 Nginx 可以读写的套接字。目前,vassal 只会在 uwsgi 用户权限应用于套接字 /var/run/cuckoo/cuckoo.sock 时生成。当数据发布到 Nginx 并发送到 vassal 以写入文件系统时出现的问题,数据是使用 uwsgi 而不是 cuckoo 用户权限写入的。下面是各自的配置。关于如何正确创建具有 cuckoo 权限的 vassal 及其相应套接字的任何想法,以便通过该过程写入的数据将作为 cuckoo 用户写入?

/etc/uwsgi.ini

[uwsgi]
uid = uwsgi
gid = uwsgi
emperor = /etc/uwsgi.d
chmod-socket = 660
emperor-tyrant = true
cap = setgid,setuid

/etc/uwsgi.d/cuckoo.ini

[uwsgi]
socket = /var/run/cuckoo/cuckoo.sock
chmod-socket = 766
plugins = python
virtualenv = /opt/cuckoo/cuckoo-virtual-env
module = cuckoo.apps.api
callable = app
uid = cuckoo
gid = cuckoo
env = CUCKOO_APP=api
env = CUCKOO_CWD=/opt/cuckoo/cuckoo-working-dir

套接字权限

$ ls -l /var/run/cuckoo/
total 0
srwxrw-rw-. 1 uwsgi uwsgi 0 Nov  5 13:47 cuckoo.sock
$ ls -l /run/uwsgi/
total 4
srw-rw----. 1 uwsgi uwsgi 0 Nov  5 13:47 stats.sock
-rw-r--r--. 1 uwsgi uwsgi 6 Nov  5 13:47 uwsgi.pid

配置权限

$ ls -l /etc/uwsgi.*
-rw-r--r--. 1 uwsgi uwsgi  117 Nov  5 13:46 /etc/uwsgi.ini

/etc/uwsgi.d:
total 4
-rw-r--r--. 1 uwsgi uwsgi 288 Nov  5 04:22 cuckoo.ini

由于我们不尝试托管多个应用程序,解决方法是 运行 uwsgi 作为应用程序用户,在我们的例子中,cuckoo 用户:

/etc/uwsgi.ini

[uwsgi]
uid = cuckoo
gid = cuckoo
emperor = /etc/uwsgi.d
chmod-socket = 660
emperor-tyrant = true
cap = setgid,setuid

并更新了配置权限:

$ ls -l /etc/uwsgi.*
-rw-r--r--. 1 cuckoo cuckoo  118 Nov  5 18:00 /etc/uwsgi.ini

/etc/uwsgi.d:
total 4
-rw-r--r--. 1 cuckoo cuckoo 270 Nov  5 17:54 cuckoo.ini

这允许 vassal 正确生成并且 Nginx 可以访问套接字。