UWSGI root vs limited user.

[Michael Messmer]

Environment

nginx & uwsgi

Rhel7

web2py: Version 2.14.6-stable+timestamp.2016.05.09.19.18.48

(Running on Unknown, Python 2.7.5)

---

uwsgi.ini file

---

[uwsgi]

master = true

processes = 4

max-requests = 50

enable-threads = true

chdir  = /opt/www-data/web2py

module = wsgihandler:application

plugin = python

logto  = /var/log/nginx/uwsgi.log

#gid = uwsgi

#uid = uwsgi 

socket = /run/uwsgi/web2py.sock

chown-socket = uwsgi:nginx

chmod-socket = 666

vacuum = true

---

running as root user & working

---

*** Starting uWSGI 2.0.12 (64bit) on [Mon Jul 18 16:38:43 2016] ***

compiled with version: 4.8.5 20150623 (Red Hat 4.8.5-4) on 02 January 2016 19:52:54

os: Linux-3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 9 10:09:10 EDT 2016

nodename: n01

machine: x86_64

clock source: unix

pcre jit disabled

detected number of CPU cores: 8

current working directory: /

detected binary path: /usr/sbin/uwsgi

chdir() to /opt/www-data/web2py

your processes number limit is 63467

your memory page size is 4096 bytes

detected max file descriptor number: 1024

lock engine: pthread robust mutexes

thunder lock: disabled (you can enable it with --thunder-lock)

uwsgi socket 0 bound to UNIX address /run/uwsgi/web2py.sock fd 4

uWSGI running as root, you can use --uid/--gid/--chroot options

*** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** 

Python version: 2.7.5 (default, Oct 11 2015, 17:47:16)  [GCC 4.8.3 20140911 (Red Hat 4.8.3-9)]

Python main interpreter initialized at 0xaa8ec0

python threads support enabled

your server socket listen backlog is limited to 100 connections

your mercy for graceful operations on workers is 60 seconds

mapped 363840 bytes (355 KB) for 4 cores

*** Operational MODE: preforking ***

WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter 0xaa8ec0 pid: 7140 (default app)

*** uWSGI is running in multiple interpreter mode ***

spawned uWSGI master process (pid: 7140)

spawned uWSGI worker 1 (pid: 7154, cores: 1)

spawned uWSGI worker 2 (pid: 7155, cores: 1)

spawned uWSGI worker 3 (pid: 7156, cores: 1)

spawned uWSGI worker 4 (pid: 7157, cores: 1)

----

running as uwsgi user & not working

----

*** Starting uWSGI 2.0.12 (64bit) on [Mon Jul 18 16:31:51 2016] ***

compiled with version: 4.8.5 20150623 (Red Hat 4.8.5-4) on 02 January 2016 19:52:54

os: Linux-3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 9 10:09:10 EDT 2016

nodename: n01

machine: x86_64

clock source: unix

pcre jit disabled

detected number of CPU cores: 8

current working directory: /

detected binary path: /usr/sbin/uwsgi

chdir() to /opt/www-data/web2py

your processes number limit is 63467

your memory page size is 4096 bytes

detected max file descriptor number: 1024

lock engine: pthread robust mutexes

thunder lock: disabled (you can enable it with --thunder-lock)

uwsgi socket 0 bound to UNIX address /run/uwsgi/web2py.sock fd 4

setgid() to 168

set additional group 169 (nginx)

setuid() to 168

Python version: 2.7.5 (default, Oct 11 2015, 17:47:16)  [GCC 4.8.3 20140911 (Red Hat 4.8.3-9)]

Python main interpreter initialized at 0x1692ef0

python threads support enabled

your server socket listen backlog is limited to 100 connections

your mercy for graceful operations on workers is 60 seconds

mapped 363840 bytes (355 KB) for 4 cores

*** Operational MODE: preforking ***

Traceback (most recent call last):

  File "./wsgihandler.py", line 37, in <module>

    import gluon.main

  File "/opt/www-data/web2py/gluon/main.py", line 112, in <module>

    raise RuntimeError("Cannot determine web2py version")

RuntimeError: Cannot determine web2py version

unable to load app 0 (mountpoint='') (callable not found or import error)

*** no app loaded. going in full dynamic mode ***

*** uWSGI is running in multiple interpreter mode ***

spawned uWSGI master process (pid: 7046)

spawned uWSGI worker 1 (pid: 7058, cores: 1)

spawned uWSGI worker 2 (pid: 7059, cores: 1)

spawned uWSGI worker 3 (pid: 7060, cores: 1)

spawned uWSGI worker 4 (pid: 7061, cores: 1)

I chown'ed  all /opt/www-data/web2py to uwsgi:uwsgi

Still no dice.  Suggestions on what im doing wrong and why im getting:

------------------

 File "/opt/www-data/web2py/gluon/main.py", line 112, in <module>

    raise RuntimeError("Cannot determine web2py version")

------------------

When the uid for uwsgi.ini file is set to uwsgi instead of commented out and running as root?

[Michael M]

Figured it out:

Niphlod you may be proud.  I ran strace in the service:

[Unit]

Description=uWSGI Emperor Service

After=syslog.target

[Service]

EnvironmentFile=-/etc/sysconfig/uwsgi

ExecStartPre=/bin/mkdir -p /run/uwsgi

ExecStartPre=/bin/chown uwsgi:uwsgi /run/uwsgi

ExecStart=/bin/strace -o /tmp/uwsgi.service /usr/sbin/uwsgi --ini /etc/uwsgi.ini

ExecReload=/bin/kill -HUP $MAINPID

KillSignal=SIGINT

Restart=always

Type=notify

StandardError=syslog

NotifyAccess=all

[Install]

WantedBy=multi-user.target

-------------------------------------------

Which exposed this as i trolled through tons to find some keywords pop out at:

cat /tmp/uwsgi.service |wc -l

15031

cat /tmp/uwsgi.service |grep "Permission denied"

openat(AT_FDCWD, "/opt/www-data/web2py/site-packages", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)

openat(AT_FDCWD, "/opt/www-data/web2py/gluon", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)

open("/opt/www-data/web2py/VERSION", O_RDONLY) = -1 EACCES (Permission denied)

so i: 

chmod u+r /opt/www-data/web2py/VERSION

chmod u+r /opt/www-data/web2py/site-packages

chmod u+r /opt/www-data/web2py/gluon

restarted ( systemctl restart uwsgi.service ) uwsgi

Loaded perfectly.

Web2py now running as limited user "uwsgi" and not root!!!!!!!    WOOHOO

EDIT: typo'ed your name Niphlod forgot the h, sorry.

[Niphlod]

me, proud? of ?

On Wednesday, July 20, 2016 at 8:02:55 AM UTC+2, Michael M wrote:

Figured it out:

Niplod you may be proud.  I ran strace in the service:

[Michael Messmer]

I figured out my own problem.  ;)  Another admin didn't have to save me.  And i learned a new (to me) tool 'strace' to help myself.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/HMoPlWsY6Rk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Niphlod]

ah, ok!!! me, I'm proud of myself very little these days....

but, and it's a big but....I'm totally proud of you!

To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.

[Michael Messmer]

Sorry for the confusion.  And thanks!