[pkg-uWSGI-devel] Bug#982434: uwsgi-emperor: Permissions on systemd runtime directory

Vlastimil Zíma vlastimil.zima at gmail.com
Wed Feb 10 08:55:18 GMT 2021


Package: uwsgi-emperor
Version: 2.0.19.1-5
Severity: normal
X-Debbugs-Cc: vlastimil.zima at gmail.com

Dear Maintainer,

it's great that a systemd service file was introduced as a result of #969372.
But when I tried to use it, I encountered a problem with permissions on
systemd runtime directory. The runtime directory /run/uwsgi is created
by systemd with owner root:root and standard permission 0755. On the
other hand the emperor runs as www-data:www-data and so its vassals can't
create sockets in the runtime directory.

I managed to fix it by overriding the systemd service with

[Service]
Group=www-data
RuntimeDirectoryMode=0775

added to /etc/systemd/system/uwsgi-emperor.service.d/override.conf
but I'm not sure if this is the best way. This workaround works even for
tyrant mode with all vassals having the group www-data.

I suggest the systemd service file should be modified in a way that will
allow vassals to create their sockets in emperor's runtime directory.

Vlastimil

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages uwsgi-emperor depends on:
ii  uwsgi-core  2.0.19.1-5

uwsgi-emperor recommends no packages.

uwsgi-emperor suggests no packages.

-- Configuration Files:
/etc/uwsgi-emperor/emperor.ini changed:
[uwsgi]
master = true
workers = 2
no-orphans = true
log-date = true
uid = www-data
gid = www-data
emperor = /etc/uwsgi-emperor/vassals
emperor-tyrant = true
cap = setgid,setuid


-- no debconf information
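
The permission check behind this report, as an added example that is not part of the original message or of the uwsgi packaging: it applies the classic Unix owner/group/other rules to the two directory states described above. Assumptions: no ACLs, the override yields a root:www-data 0775 directory, and the numeric ids are constructed sample values (33 for www-data, 1001 for a tyrant-mode vassal user).

```shell
#!/bin/sh
# Added example: decide whether a process may create entries (such as a
# socket) in a directory, from classic Unix owner/group/other mode bits.
# Assumptions: no ACLs; uid 0 is treated as always allowed.

# can_create MODE OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# Prints "yes" or "no". Creating an entry needs write AND search (w+x).
can_create() {
    mode=$((0$1)); o_uid=$2; o_gid=$3; p_uid=$4; p_gids=$5
    if [ "$p_uid" -eq 0 ]; then echo yes; return; fi
    # Only the first matching class applies: owner, then group, then other.
    if [ "$p_uid" -eq "$o_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $p_gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bits=$(( (mode >> 3) & 7 ))
                break
            fi
        done
    fi
    if [ $(( bits & 3 )) -eq 3 ]; then echo yes; else echo no; fi
}

# check_dir DIR PROC_UID "PROC_GIDS": same check against a real directory
# (uses GNU stat, as shipped on Debian).
check_dir() {
    st=$(stat -c '%a %u %g' "$1") || return 1
    set -- "$2" "$3" $st
    can_create "$3" "$4" "$5" "$1" "$2"
}

# Constructed ids: 33 stands for www-data, 1001 for a tyrant-mode vassal user.
echo "root:root 0755, emperor 33:33      -> $(can_create 0755 0 0 33 33)"
echo "root:www-data 0775, emperor 33:33  -> $(can_create 0775 0 33 33 33)"
echo "root:www-data 0775, vassal 1001:33 -> $(can_create 0775 0 33 1001 33)"
```

Group write on a directory without the sticky bit also lets any member of that group unlink or rename sockets created there by other vassals.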