获取 chown()：从 ini 文件运行 uwsgi 时不允许操作

Question

I am trying to run nginx and uwsgi. When I try to run uwsgi with below command in my proj virtual environment with proj user I get an error. When I run uwsgi, I see the proj.sock is created in /run/uwsgi/proj.sock I changed the /run/uwsgi permissions to drwxrwxrwx to see if the problem is permission related. But problem still appears. I also checked the /etc/passwd and there is no uwsgi user.

The directory info for /run/uwsgi is :

drwxrwxrwx   2 root           root             60 Jul 16 10:53 uwsgi

When I try to change ownership of sock file with proj user to proj:nginx in proj virtual nvironment I get the error below.

chown: changing ownership of ‘/run/uwsgi/proj.sock’: Operation not permitted

When I check /run/uwsgi/proj.sock file it is proj:proj but it should be changed to proj:nginx . This operation can be done manually with root. But it cannot be done with proj user.

Run below command:

uwsgi --ini /etc/uwsgi/sites/proj.ini

Error :

[uWSGI] getting INI configuration from /etc/uwsgi/sites/proj.ini<br>
*** Starting uWSGI 2.0.15 (64bit) on [Mon Jul 16 10:53:02 2018] ***<br>
compiled with version: 4.8.5 20150623 (Red Hat 4.8.5-28) on 13 July 2018 17:12:50<br>
os: Linux-3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC 2018<br>
nodename: localhost.localdomain<br>
machine: x86_64<br>
clock source: unix<br>
detected number of CPU cores: 2<br>
current working directory: /home/proj<br>
detected binary path: /home/proj/Env/proj/bin/uwsgi<br>
!!! no internal routing support, rebuild with pcre support !!!<br>
chdir() to /home/proj/work/proj<br>
your processes number limit is 4096<br>
your memory page size is 4096 bytes<br>
detected max file descriptor number: 1024<br>
lock engine: pthread robust mutexes<br>
thunder lock: disabled (you can enable it with --thunder-lock)<br>
chown(): Operation not permitted [core/utils.c line 2623]<br>
VACUUM WARNING: unix socket /run/uwsgi/proj.sock changed inode. Skip removal

My proj.ini file for uwsgi ini configuration is :

[uwsgi]
py-autoreload = 2
project = proj
username = proj
base = /home/%(username)
chdir = %(base)/%(project)
home = %(base)/Env/%(project)
module = %(project).wsgi:application
master = true
processes = %k
uid = %(username)
socket = /run/uwsgi/%(project).sock
chown-socket = %(username):nginx
chmod-socket = 666
vacuum = true
#logto = /var/log/uwsgi/%(project).log

Answer 1

A user can only set the group of a file to a group he is in. In this case your user proj is not in the nginx group, so it is not allowed to make that change. If you add the user to the nginx group (and relogin) then it should work.

Also, setting the directory permissions to 777 allows any user to create and delete files in that directory, and 666 for the socket allows any user to access it. You probably don't want that. More reasonable would be to have /run/uwsgi owned by root:nginx with mode 770 , and chmod-socket = 660 in your project ini.

Answer 2

I solved the problem. The socket files were in /run/uwsgi directory.

I gave the related project user right to write read execute on this folder.

setfacl -m u:projuser:rwx /run/uwsgi/

Answer 3

As suggested by "ivbtar", I just removed following lines from uwsgi.ini file and it started working,

chown-socket = %(username):nginx
chmod-socket = 666