POSIX capabilities allow fine-grained permissions for processes. In addition to the standard UNIX permission scheme, they define a new set of privileges on system resources.
To enable capabilities support (currently only Linux is supported) you have to install the libcap headers (libcap-dev on Debian-based distros) before building uWSGI.
By default (this is the standard UNIX way), your processes will lose practically all of the capabilities after setuid. The uWSGI cap option allows you to define a list of capabilities to maintain.
So, if you want to allow your unprivileged app to bind on unprivileged ports (TCP ports < 1024) and to set the system clock, you will use
uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_timeAll of the processes generated by uWSGI will then inherit this behaviour.
If your system supports capabailities not available in uWSGI list you can simply specify the number of the constant:
uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time,42In addition to net_bind_service and sys_time, a new capability numbered '42' is added.
This is the list of available capabilities.
| audit_control | CAP_AUDIT_CONTROL |
| audit_write | CAP_AUDIT_WRITE |
| chown | CAP_CHOWN |
| dac_override | CAP_DAC_OVERRIDE |
| dac_read_search | CAP_DAC_READ_SEARCH |
| fowner | CAP_FOWNER |
| fsetid | CAP_FSETID |
| ipc_lock | CAP_IPC_LOCK |
| ipc_owner | CAP_IPC_OWNER |
| kill | CAP_KILL |
| lease | CAP_LEASE |
| linux_immutable | CAP_LINUX_IMMUTABLE |
| mac_admin | CAP_MAC_ADMIN |
| mac_override | CAP_MAC_OVERRIDE |
| mknod | CAP_MKNOD |
| net_admin | CAP_NET_ADMIN |
| net_bind_service | CAP_NET_BIND_SERVICE |
| net_broadcast | CAP_NET_BROADCAST |
| net_raw | CAP_NET_RAW |
| setfcap | CAP_SETFCAP |
| setgid | CAP_SETGID |
| setpcap | CAP_SETPCAP |
| setuid | CAP_SETUID |
| sys_admin | CAP_SYS_ADMIN |
| sys_boot | CAP_SYS_BOOT |
| sys_chroot | CAP_SYS_CHROOT |
| sys_module | CAP_SYS_MODULE |
| sys_nice | CAP_SYS_NICE |
| sys_pacct | CAP_SYS_PACCT |
| sys_ptrace | CAP_SYS_PTRACE |
| sys_rawio | CAP_SYS_RAWIO |
| sys_resource | CAP_SYS_RESOURCE |
| sys_time | CAP_SYS_TIME |
| sys_tty_config | CAP_SYS_TTY_CONFIG |
| syslog | CAP_SYSLOG |
| wake_alarm | CAP_WAKE_ALARM |