POSIX capabilities allow fine-grained permissions for processes. In addition
to the standard UNIX permission scheme, they define a new set of privileges for
system resources. To enable capabilities support (Linux Only) you have to
install the libcap
headers (libcap-dev
on Debian-based distros) before
building uWSGI. As usual your processes will lose practically all of the
capabilities after a setuid
call. The uWSGI cap
option allows you to
define a list of capabilities to maintain through the call.
For example, to allow your unprivileged app to bind on privileged ports and set the system clock, you will use the following options.
uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time
All of the processes generated by uWSGI will then inherit this behaviour. If your system supports capabilities not available in the uWSGI list you can simply specify the number of the constant:
uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time,42
In addition to net_bind_service
and sys_time
, a new capability numbered '42' is added.
This is the list of available capabilities.
audit_control | CAP_AUDIT_CONTROL |
audit_write | CAP_AUDIT_WRITE |
chown | CAP_CHOWN |
dac_override | CAP_DAC_OVERRIDE |
dac_read_search | CAP_DAC_READ_SEARCH |
fowner | CAP_FOWNER |
fsetid | CAP_FSETID |
ipc_lock | CAP_IPC_LOCK |
ipc_owner | CAP_IPC_OWNER |
kill | CAP_KILL |
lease | CAP_LEASE |
linux_immutable | CAP_LINUX_IMMUTABLE |
mac_admin | CAP_MAC_ADMIN |
mac_override | CAP_MAC_OVERRIDE |
mknod | CAP_MKNOD |
net_admin | CAP_NET_ADMIN |
net_bind_service | CAP_NET_BIND_SERVICE |
net_broadcast | CAP_NET_BROADCAST |
net_raw | CAP_NET_RAW |
setfcap | CAP_SETFCAP |
setgid | CAP_SETGID |
setpcap | CAP_SETPCAP |
setuid | CAP_SETUID |
sys_admin | CAP_SYS_ADMIN |
sys_boot | CAP_SYS_BOOT |
sys_chroot | CAP_SYS_CHROOT |
sys_module | CAP_SYS_MODULE |
sys_nice | CAP_SYS_NICE |
sys_pacct | CAP_SYS_PACCT |
sys_ptrace | CAP_SYS_PTRACE |
sys_rawio | CAP_SYS_RAWIO |
sys_resource | CAP_SYS_RESOURCE |
sys_time | CAP_SYS_TIME |
sys_tty_config | CAP_SYS_TTY_CONFIG |
syslog | CAP_SYSLOG |
wake_alarm | CAP_WAKE_ALARM |