nixos/uwsgi: run with capabilities instead of root #106082
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9 tasks
ofborg
bot
added
10.rebuild-darwin: 1-10
10.rebuild-darwin: 1
10.rebuild-linux: 1-10
labels
aanderse
reviewed
Dec 8, 2020
Mic92
reviewed
Dec 13, 2020
Mic92
changed the title
Mic92
changed the title
Mic92
approved these changes
Dec 13, 2020
|
Fixed conflict with PR #107403 and rebased. |
|
To exercise this change, I migrated the ihatemoney module to use it: it works but I had to move from Full diff diff --git a/nixos/modules/services/web-apps/ihatemoney/default.nix b/nixos/modules/services/web-apps/ihatemoney/default.nix
index 68769ac8c03..81647d352e7 100644
--- a/nixos/modules/services/web-apps/ihatemoney/default.nix
+++ b/nixos/modules/services/web-apps/ihatemoney/default.nix
@@ -44,7 +44,7 @@ let
in
{
options.services.ihatemoney = {
- enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode running as root";
+ enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode";
backend = mkOption {
type = types.enum [ "sqlite" "postgresql" ];
default = "sqlite";
@@ -116,16 +116,13 @@ in
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
- # the vassal needs to be able to setuid
- user = "root";
- group = "root";
instance = {
type = "emperor";
vassals.ihatemoney = {
type = "normal";
strict = true;
- uid = user;
- gid = group;
+ immediate-uid = user;
+ immediate-gid = group;
# apparently flask uses threads: https://github.com/spiral-project/ihatemoney/commit/c7815e48781b6d3a457eaff1808d179402558f8c
enable-threads = true;
module = "wsgi:application";Feel free to include this in the PR, otherwise I'll do a PR myself later) |
|
Thank you, that should be indeed mentioned in the release notes. I'll also include your patch. |
|
@symphorien patch included and manual updated. Thank you, again. |
|
@GrahamcOfBorg test uwsgi ihatemoney |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
Being able to run uwsgi as emperor without root.
Things done
nixosTests.uwsginixosTests.ihatemoneyuwsgi,config.system.build.manual.manualHTML)nix path-info -Sbefore and after)