[pkg-uWSGI-devel] Bug#934731: uwsgi-emperor: Fails to stop due to too wide pidfile permissions

matthijs matthijs at stdin.nl
Wed Aug 14 07:12:48 BST 2019


Package: uwsgi-emperor
Version: 2.0.18-1
Severity: normal

Hi,

On my uwsgi-emperor setup, I've noticed that uwsgi-emperor fails to
stop or restart. E.g. when running `systemctl stop uwsgi-emperor`, I get
(in `systemctl status uwsgi-emperor`):

  systemd[1]: Stopping LSB: Start/stop uWSGI server instance(s)...
  uwsgi-emperor[11470]: start-stop-daemon: matching on world-writable pidfile /run/uwsgi-emperor.pid is insecure
  systemd[1]: uwsgi-emperor.service: Succeeded.

However, even though this says "Succeeded", uwsgi-emperor is still
running as before, so I suspect start-stop-daemon has refused to act.

Looking at the pidfile, I see indeed 666 permissions:

  -rw-rw-rw- 1 root root 6 aug 14 07:51 /run/uwsgi-emperor.pid

Manually clearing the permissions (`chmod o-rwx /run/uwsgi-emperor.pid`)
before stopping indeed both fixes the message and makes the
emperor stop properly.

I found a mailing list post which suggests that
this is due to the --daemonize option, which sets the umask to 0:

http://lists.unbit.it/pipermail/uwsgi/2013-April/005803.html

I think this issue has started occurring after upgrading to Buster. I
suspect that maybe start-stop-daemon has become more strict in its
permission check, or maybe the permissions changed on the uwsgi side.

Adding `--umask 022` to the initscript fixed the permissions for my
setup, but I suspect this might actually change all kinds of permissions
for other files too, so this might not be ideal as a general solution.

It seems uwsgi does not currently have any option to set the permissions
of the pidfile, which might be the best solution. Doing a chmod from the
init script seems like a workaround, but AFAICS would leave a race
condition where the pidfile is writable for a short while.

I have only tested this on a configured production system, but I highly
suspect that this is not related to my setup, but also broken in a
default installation. I've included my emperor config below as an
indication.

Gr.

Matthijs

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (990, 'stable'), (800, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages uwsgi-emperor depends on:
ii  uwsgi-core  2.0.18-1

uwsgi-emperor recommends no packages.

uwsgi-emperor suggests no packages.

-- Configuration Files:
/etc/uwsgi-emperor/emperor.ini changed:
[uwsgi]
log-date = true
strict = true
set-placeholder = base-dir=/etc/uwsgi-emperor
emperor = glob://%(base-dir)/vassals/*/app-*.ini
emperor = glob://%(base-dir)/vassals/app-*.ini
vassals-include-before = vassal-defaults.ini
hook-as-vassal = callret:chdir %(base-dir)
show-config = 1

-- no debconf information
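
The following shell example is added here; it is not part of the original report and is not code from uwsgi or dpkg. It reproduces the 0666 pidfile that a create under umask 0 yields, approximates the world-writable test behind the start-stop-daemon message, and writes a pidfile via temp file plus rename so the window left by a later chmod never opens. All function names and paths are hypothetical.

```shell
#!/bin/sh
# Added illustration: function names and paths are hypothetical.

# Succeed only if the pidfile is a regular file, not a symlink, and not
# writable by "other". Approximates the test behind the start-stop-daemon
# message quoted in the report; this is not dpkg's code.
pidfile_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -0002 -print)" ]
}

# What the report observes: a plain create under umask 0 gives mode 0666.
write_pidfile_umask0() {
    ( umask 0 && printf '%s\n' "$2" > "$1" )
}

# Create a temp file in the same directory under umask 022 (noclobber, so
# an existing file is never reused), then rename it into place. The final
# path never exists with mode 0666, unlike create-then-chmod.
write_pidfile_atomic() {
    tmp="$1.tmp.$$"
    ( umask 022 && set -C && printf '%s\n' "$2" > "$tmp" ) || return 1
    mv -f "$tmp" "$1"
}

report() {
    if pidfile_is_safe "$1"; then echo "$2: ok to match on"
    else echo "$2: world-writable or missing, refuse"; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    write_pidfile_umask0 "$dir/a.pid" 11470   # constructed PID value
    report "$dir/a.pid" "umask 0 create"
    chmod o-rwx "$dir/a.pid"                  # workaround from the report
    report "$dir/a.pid" "after chmod o-rwx"
    write_pidfile_atomic "$dir/b.pid" 11470
    report "$dir/b.pid" "temp file + rename"
    rm -rf "$dir"
}

demo
```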