List: uwsgi
Subject: [uWSGI] added posix capabilities support
From: roberto () unbit ! it (Roberto De Ioris)
Date: 2011-09-26 16:40:57
Message-ID: 159F993D-79FA-4297-9291-79B4435B4230 () unbit ! it
On 26 Sep 2011, at 17:29, Leonid Borisenko wrote:
> Hi,
>
> On 25.09.2011 16:38, Roberto De Ioris wrote:
> > http://projects.unbit.it/uwsgi/wiki/Capabilities
>
> It seems like a feature perfect for running the emperor under a uid/gid
> other than root (say, uwsgi-emperor) while keeping the possibility to
> setuid/setgid vassals.
>
> Is it a valid use?
Yes, it will.
> Will it be more secure than emperor with root uid/gid
> or not?
Yes, it will be more secure against emperor bugs or daemons spawned by the emperor itself (via attach-daemon).
> Which other capabilities (other than setuid/setgid) might be
> required by such an emperor?
You need the 'kill' privilege too (to send signals to instances), but I suppose in the near future it will no longer be needed, as all the commands are issued via the emperor pipe.
If you plan to limit the resources of each instance, you will need the 'sys_resource' and the 'sys_chroot'.
--
Roberto De Ioris
http://unbit.it
JID: roberto at jabber.unbit.it
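
A check for the setup discussed in this thread, as an added example that is not part of the original message or of uWSGI's code: it decodes the `CapEff` mask from a `/proc/<pid>/status` file and compares it with the capabilities named in the reply. The sample status texts and uid 998 are constructed; bit numbers follow Linux's `capability.h`.

```python
"""Audit a process's effective capabilities (added example)."""
import sys

# Linux capability names indexed by bit number (linux/capability.h).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Capabilities the reply names for an emperor that is not running as root.
EXPECTED = {"setuid", "setgid", "kill", "sys_resource", "sys_chroot"}

# Constructed samples in /proc/<pid>/status format.
SAMPLE_EMPEROR = ("Name:\tuwsgi\nUid:\t998\t998\t998\t998\n"
                  "CapPrm:\t00000000010400e0\nCapEff:\t00000000010400e0\n")
SAMPLE_ROOT = "Name:\tuwsgi\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def decode_mask(hex_mask):
    """Turn a hex capability mask into a set of capability names."""
    mask, bit, names = int(hex_mask, 16), 0, set()
    while mask:
        if mask & 1:
            # Bits newer than this table are reported by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        mask >>= 1
        bit += 1
    return names


def audit_status(status_text, expected=EXPECTED):
    """Report effective uid plus capabilities beyond or short of `expected`."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    effective = decode_mask(fields["CapEff"].strip())
    return {
        "euid": int(fields["Uid"].split()[1]),  # real, effective, saved, fs
        "unexpected": effective - expected,
        "missing": expected - effective,
    }


if __name__ == "__main__":
    # Usage: script.py <pid>; with no argument the constructed sample is used.
    text = open(f"/proc/{sys.argv[1]}/status").read() if len(sys.argv) > 1 else SAMPLE_EMPEROR
    print(audit_status(text))
```

An empty `unexpected` set together with a non-zero `euid` is the state the thread describes; a root emperor shows every other capability as unexpected.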