uWSGI is ignoring uid, gid and chown-socket

010110110101 asked:

I’m trying to use uWSGI with nginx. The root problem I am having is that I’m getting “No such file or directory” from nginx trying to connect to the uWSGI socket file.

When I use the following settings, I am expecting the socket file’s permissions to change. However, they aren’t. It continues to show uwsgi:uwsgi.

The error from nginx is *17 connect() to unix:/tmp/myapp.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.1.122, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/tmp/myapp.sock:", host: "192.168.1.123:81"

myapp.ini (uwsgi)

[uwsgi]
chdir = /var/local/myapp
plugins = python
module = wsgi:app
home = /var/local/virtualenv/myapp
file = main.py
daemonize = /var/log/uwsgi/myapp.log
pidfile = /var/run/uwsgi/myapp.pid
socket = /tmp/%n.sock

chmod-socket = 777
chown-socket = webuser:nginx
uid = webuser
gid = nginx

vacuum = true

file permissions

srwxrwxrwx.  1 uwsgi uwsgi    0 Jul  3 12:43 myapp.sock

myapp.conf (nginx)

server {
    listen 81;

    access_log /var/log/nginx/myapp_access.log;
    error_log /var/log/nginx/myapp_error.log;

    location / {
        try_files $uri @yourapplication;
    }

    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/myapp.sock;
    }
}

I also tried this:

usermod -a -G nginx uwsgi
usermod -a -G uwsgi nginx
useradd webuser
usermod -a -G nginx webuser
usermod -a -G uwsgi webuser

and I tried this:

grep avc /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp

EDIT

and I tried moving the sock file to /var/run/uwsgi/myapp.sock. In that case, nginx tells me: connect() to unix:/var/run/uwsgi/myapp.sock failed (13: Permission denied) while connecting to upstream

EDIT 2

and just for kicks, I tried using a TCP port instead of a socket file. In that situation, I can use curl -XGET http://localhost:8000 and get the proper HTTP response from uwsgi/python. However, in the nginx log (when I attempted to come in via the browser through nginx), I get: *1 connect() failed (111: Connection refused) while connecting to upstream. The nginx file is configured like this: uwsgi_pass uwsgi://localhost:8000;

My answer:
You can’t put sockets for interprocess communication in /tmp.

RHEL/CentOS 7, Fedora, etc., use private /tmp directories, meaning each daemon configured for it (in this case, at least nginx) has a completely different view of /tmp than any other.

To resolve the problem, either place the socket in another directory or use TCP connections.

And don’t blindly audit2allow things without understanding what’s going on. You’ll likely open up some security hole.
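A quick way to confirm the private-/tmp explanation on such a host, as an added example that is not part of the original answer: systemd's PrivateTmp gives a service its own view of /tmp by bind-mounting a per-service directory (/tmp/systemd-private-<id>-<unit>-<random>/tmp) over /tmp inside the service's mount namespace, and that bind mount is visible in /proc/<pid>/mountinfo. The script below compares the /tmp mount seen by the caller with the one seen by an nginx worker; the script name, the constructed sample mountinfo lines and the assumption that the worker pid is passed on the command line are mine.

```python
import sys

# Constructed sample /proc/<pid>/mountinfo excerpts (not from the question).
# Host view: /tmp is a plain tmpfs mount.
HOST_MOUNTINFO = "25 1 0:21 / /tmp rw,nosuid,nodev shared:8 - tmpfs tmpfs rw,seclabel\n"
# View inside a PrivateTmp=yes service: a per-service directory is bind-mounted over /tmp.
NGINX_MOUNTINFO = HOST_MOUNTINFO + (
    "97 25 0:21 /systemd-private-c0ffee-nginx.service-AbCdEf/tmp /tmp "
    "rw,nosuid,nodev - tmpfs tmpfs rw,seclabel\n")

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \040 \011 \012 \134
    for esc, ch in ((r"\040", " "), (r"\011", "\t"), (r"\012", "\n"), (r"\134", "\\")):
        field = field.replace(esc, ch)
    return field

def tmp_mount(mountinfo, path="/tmp"):
    """(root-within-source, fstype, source) of the mount attached at `path`,
    or None when nothing is mounted there. Later lines shadow earlier ones."""
    found = None
    for line in mountinfo.splitlines():
        pre, sep, post = line.partition(" - ")   # fields before/after the separator
        fields, after = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(after) < 2:
            continue
        if _unescape(fields[4]) == path:          # field 5 is the mount point
            found = (_unescape(fields[3]), after[0], _unescape(after[1]))
    return found

def is_private_tmp(mountinfo):
    """True when /tmp is a bind mount of a systemd-private-* directory."""
    mnt = tmp_mount(mountinfo)
    return mnt is not None and "/systemd-private-" in mnt[0]

def same_tmp(mountinfo_a, mountinfo_b):
    """True when both processes see the same mount at /tmp."""
    return tmp_mount(mountinfo_a) == tmp_mount(mountinfo_b)

if __name__ == "__main__":
    # Usage: tmpcheck.py <pid of an nginx worker>; reading another user's
    # mountinfo usually requires root.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    mine = open("/proc/self/mountinfo").read()
    theirs = open(f"/proc/{pid}/mountinfo").read()
    print("our /tmp:", tmp_mount(mine), "| pid", pid, "/tmp:", tmp_mount(theirs))
    print("PrivateTmp:", is_private_tmp(theirs), "| shared /tmp:", same_tmp(mine, theirs))
```

If the second line reports PrivateTmp True and shared /tmp False, a socket created in the host's /tmp can never be reached from that service, regardless of its permissions.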
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.