不具有正确权限的uWSGI附庸

Question

我有一个附庸，我希望作为cuckoo用户运行它。附庸创建一个套接字，Nginx可以对其进行读写。目前，只有当uwsgi用户权限应用于套接字/var/run/cuckoo/cuckoo.sock时，从属方才会生成。当数据被发布到Nginx并发送到从属程序以被写入文件系统时，数据是用uwsgi而不是cuckoo用户权限编写的。下面是各自的配置。对于如何使用cuckoo权限正确创建附属物及其相应的套接字，有什么想法吗?这样，通过该过程编写的数据将作为cuckoo用户编写？

7.9.2009

• uwsgi-2.0.18-8.el7.x86_64

• uwsgi-plugin-common-2.0.18-8.el7.x86_64

• uwsgi-plugin-python2-2.0.18-8.el7.x86_64

• CentOS Linux版本

/etc/uwsgi.ini

[uwsgi]
uid = uwsgi
gid = uwsgi
emperor = /etc/uwsgi.d
chmod-socket = 660
emperor-tyrant = true
cap = setgid,setuid

/etc/uwsgi.d/uckoo.ini

[uwsgi]
socket = /var/run/cuckoo/cuckoo.sock
chmod-socket = 766
plugins = python
virtualenv = /opt/cuckoo/cuckoo-virtual-env
module = cuckoo.apps.api
callable = app
uid = cuckoo
gid = cuckoo
env = CUCKOO_APP=api
env = CUCKOO_CWD=/opt/cuckoo/cuckoo-working-dir

套接字权限

$ ls -l /var/run/cuckoo/
total 0
srwxrw-rw-. 1 uwsgi uwsgi 0 Nov  5 13:47 cuckoo.sock
$ ls -l /run/uwsgi/
total 4
srw-rw----. 1 uwsgi uwsgi 0 Nov  5 13:47 stats.sock
-rw-r--r--. 1 uwsgi uwsgi 6 Nov  5 13:47 uwsgi.pid

配置权限

$ ls -l /etc/uwsgi.*
-rw-r--r--. 1 uwsgi uwsgi  117 Nov  5 13:46 /etc/uwsgi.ini

/etc/uwsgi.d:
total 4
-rw-r--r--. 1 uwsgi uwsgi 288 Nov  5 04:22 cuckoo.ini

Answer 1

由于我们不打算托管多个应用程序，所以解决方法是以应用程序用户的身份运行uwsgi，在我们的例子中，cuckoo用户：

/etc/uwsgi.ini

[uwsgi]
uid = cuckoo
gid = cuckoo
emperor = /etc/uwsgi.d
chmod-socket = 660
emperor-tyrant = true
cap = setgid,setuid

并更新了配置权限：

$ ls -l /etc/uwsgi.*
-rw-r--r--. 1 cuckoo cuckoo  118 Nov  5 18:00 /etc/uwsgi.ini

/etc/uwsgi.d:
total 4
-rw-r--r--. 1 cuckoo cuckoo 270 Nov  5 17:54 cuckoo.ini

这使得附庸可以正确地产卵，Nginx可以访问套接字。