[uWSGI] before_privileges_drop in python

Roberto De Ioris roberto at unbit.it
Mon Oct 14 20:03:31 CEST 2013


> I am looking at the recent check-ins related to hooks. These look really
> promising.
>
> My previous pull request contained a python hook for as_root which allowed
> us to hook before dropping privs.
>
> We are effectively looking to have something like the following in our
> production.wsgi config
>
> from uwsgidecorators import before_privilege_drop
>
> @before_privilege_drop
> def root_required_initialization():
>     ... do stuff ...
>
>
> Is the preferred method to do this as a C module and hook in via the
> as_root hooks or to extend the python plugin to provide this new hook akin
> to post_fork?

Hi, the problem is that in the before_privilege_drop phase there is no
Python VM available (it is created 2 phases later).

The only "clean" solution coming to my mind is using --master-as-root, so
application loading happens as root while workers run as an unprivileged
user.

A less "clean" solution could be calling

Py_Initialize()
call_your_code()
Py_Finalize()

as a hook, but I do not know if re-calling Py_Initialize() after
Py_Finalize() is totally safe.

-- 
Roberto De Ioris
http://unbit.it
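
Added example, not code from the thread or from the uWSGI project: a sketch of a production.wsgi module for the --master-as-root approach described above, doing its root-only setup while the application is loaded and refusing to serve from a process that still holds uid or gid 0. The key file, the APP_KEY_PATH variable, the www-data account and the launch line in the comment are assumptions.

```python
import os

# Assumed launch line (not from the thread; account and file names are placeholders):
#   uwsgi --master --master-as-root --uid www-data --gid www-data \
#         --wsgi-file production.wsgi --http-socket :8080
STATE = {"key": None}


def root_required_initialization(key_path, euid=None):
    """Root-only setup; with --master-as-root it runs during application loading."""
    euid = os.geteuid() if euid is None else euid
    if euid != 0:
        # Fail loudly instead of starting half-initialized.
        raise PermissionError("loaded after privileges were dropped (euid=%d)" % euid)
    with open(key_path, "rb") as fh:   # e.g. a root-owned file with mode 0600
        STATE["key"] = fh.read()       # forked workers inherit this copy in memory


def still_privileged(ids=None):
    """True if any real, effective or saved uid/gid is still 0."""
    if ids is None:
        ids = os.getresuid() + os.getresgid()
    return 0 in ids


def application(environ, start_response, ids=None):
    """WSGI entry point; refuses to serve from a process that kept root."""
    if still_privileged(ids):
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"worker still has root privileges\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"key loaded: %s\n" % (b"yes" if STATE["key"] else b"no")]


# APP_KEY_PATH is a hypothetical variable; when it is unset, importing does nothing.
if os.environ.get("APP_KEY_PATH"):
    root_required_initialization(os.environ["APP_KEY_PATH"])
```

Whatever is read during the root phase stays in the memory of the unprivileged workers after fork, so load only what request handling actually needs.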

