[prev in list] [next in list] [prev in thread] [next in thread] 

List:       uwsgi
Subject:    [uWSGI] added posix capabilitites support
From:       roberto () unbit ! it (Roberto De Ioris)
Date:       2011-09-26 16:40:57
Message-ID: 159F993D-79FA-4297-9291-79B4435B4230 () unbit ! it
[Download RAW message or body]


Il giorno 26/set/2011, alle ore 17:29, Leonid Borisenko ha scritto:

> Hi,
> 
> On 25.09.2011 16:38, Roberto De Ioris wrote:
> > http://projects.unbit.it/uwsgi/wiki/Capabilities
> 
> It seems like a feature perfect for running emperor under uid/gid
> other than root (say, uwsgi-emperor) with keeping possibility to
> setuid/setgid vassals.
> 
> Is it valid use?


yes it will

> Will it be more secure than emperor with root uid/gid
> or not?

yes it will be more secure against emperor bugs or daemon spawned by the emperor \
itself (via attach-daemon)

> Which other capabilities (other than setuid/setgid) might be
> required by such the emperor?

you need the 'kill' privilege too (to send signal to instances) but i suppose in the \
near time it will be no more needed as all the command are issued via the emperor \
pipe.

If you plan to limit the resources of each instance you will need the 'sys_resource' \
and the 'sys_chroot'

--
Roberto De Ioris
http://unbit.it
JID: roberto at jabber.unbit.it


[prev in list] [next in list] [prev in thread] [next in thread]