Setting POSIX Capabilities

POSIX capabilities allow fine-grained permissions for processes. In additionto the standard UNIX permission scheme, they define a new set of privileges forsystem resources. To enable capabilities support (Linux Only) you have toinstall the libcap headers (libcap-dev on Debian-based distros) beforebuilding uWSGI. As usual your processes will lose practically all of thecapabilities after a setuid call. The uWSGI cap option allows you todefine a list of capabilities to maintain through the call.

For example, to allow your unprivileged app to bind on privileged ports and setthe system clock, you will use the following options.

  1. uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time

All of the processes generated by uWSGI will then inherit this behaviour. Ifyour system supports capabilities not available in the uWSGI list you cansimply specify the number of the constant:

  1. uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time,42

In addition to net_bind_service and sys_time, a new capability numbered ‘42’ is added.

Available capabilities

This is the list of available capabilities.

audit_controlCAP_AUDIT_CONTROL
audit_writeCAP_AUDIT_WRITE
chownCAP_CHOWN
dac_overrideCAP_DAC_OVERRIDE
dac_read_searchCAP_DAC_READ_SEARCH
fownerCAP_FOWNER
fsetidCAP_FSETID
ipc_lockCAP_IPC_LOCK
ipc_ownerCAP_IPC_OWNER
killCAP_KILL
leaseCAP_LEASE
linux_immutableCAP_LINUX_IMMUTABLE
mac_adminCAP_MAC_ADMIN
mac_overrideCAP_MAC_OVERRIDE
mknodCAP_MKNOD
net_adminCAP_NET_ADMIN
net_bind_serviceCAP_NET_BIND_SERVICE
net_broadcastCAP_NET_BROADCAST
net_rawCAP_NET_RAW
setfcapCAP_SETFCAP
setgidCAP_SETGID
setpcapCAP_SETPCAP
setuidCAP_SETUID
sys_adminCAP_SYS_ADMIN
sys_bootCAP_SYS_BOOT
sys_chrootCAP_SYS_CHROOT
sys_moduleCAP_SYS_MODULE
sys_niceCAP_SYS_NICE
sys_pacctCAP_SYS_PACCT
sys_ptraceCAP_SYS_PTRACE
sys_rawioCAP_SYS_RAWIO
sys_resourceCAP_SYS_RESOURCE
sys_timeCAP_SYS_TIME
sys_tty_configCAP_SYS_TTY_CONFIG
syslogCAP_SYSLOG
wake_alarmCAP_WAKE_ALARM