Setting POSIX Capabilities

POSIX capabilities allow fine-grained permissions for processes. In addition to the standard UNIX permission scheme, they define a new set of privileges for system resources. To enable capabilities support (Linux Only) you have to install the libcap headers (libcap-dev on Debian-based distros) before building uWSGI. As usual your processes will lose practically all of the capabilities after a setuid call. The uWSGI cap option allows you to define a list of capabilities to maintain through the call.

For example, to allow your unprivileged app to bind on privileged ports and set the system clock, you will use the following options.

uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time

All of the processes generated by uWSGI will then inherit this behaviour. If your system supports capabilities not available in the uWSGI list you can simply specify the number of the constant:

uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time,42

In addition to net_bind_service and sys_time, a new capability numbered ‘42’ is added.

Available capabilities

This is the list of available capabilities.

audit_control

CAP_AUDIT_CONTROL

audit_write

CAP_AUDIT_WRITE

chown

CAP_CHOWN

dac_override

CAP_DAC_OVERRIDE

dac_read_search

CAP_DAC_READ_SEARCH

fowner

CAP_FOWNER

fsetid

CAP_FSETID

ipc_lock

CAP_IPC_LOCK

ipc_owner

CAP_IPC_OWNER

kill

CAP_KILL

lease

CAP_LEASE

linux_immutable

CAP_LINUX_IMMUTABLE

mac_admin

CAP_MAC_ADMIN

mac_override

CAP_MAC_OVERRIDE

mknod

CAP_MKNOD

net_admin

CAP_NET_ADMIN

net_bind_service

CAP_NET_BIND_SERVICE

net_broadcast

CAP_NET_BROADCAST

net_raw

CAP_NET_RAW

setfcap

CAP_SETFCAP

setgid

CAP_SETGID

setpcap

CAP_SETPCAP

setuid

CAP_SETUID

sys_admin

CAP_SYS_ADMIN

sys_boot

CAP_SYS_BOOT

sys_chroot

CAP_SYS_CHROOT

sys_module

CAP_SYS_MODULE

sys_nice

CAP_SYS_NICE

sys_pacct

CAP_SYS_PACCT

sys_ptrace

CAP_SYS_PTRACE

sys_rawio

CAP_SYS_RAWIO

sys_resource

CAP_SYS_RESOURCE

sys_time

CAP_SYS_TIME

sys_tty_config

CAP_SYS_TTY_CONFIG

syslog

CAP_SYSLOG

wake_alarm

CAP_WAKE_ALARM