uwsgi_bind_sockets should not call uwsgi_as_root, it prevents drop-after-init and drop-after-apps

[RobertDeRose]

I had to add a bit of logging and some stack_trace print outs to figure this out, but, if you need your application to load as root, say to read a configuration file with sensitive data like a DB password, before privileges are dropped, using the --drop-after-apps option would appear to be the correct answer. Unfortunately, the default behavior or uWSGI causes this logic to get superseded in the core/socket.c:uwsgi_bind_sockets where it checks if uwsgi.chown_socket is true and then only cares if uwsgi.master_as_root is false, failing to ensure that uwsgi.drop_after_init and uwsgi_drop_after_app are also false.

Since uwsgi_setup and uwsgi_start already handle the privilege dropping by calling uwsgi_as_root in all the right places, the separate call to it should just be removed from the core/socket.c file altogether.

I have tested this change on Debian 8.7 using uWSGI 2.0.7 and the issues still appears in master.

Here is the log output with the stack_trace included after every call to uwsgi_as_root as well as some additional log statements for tracking:

Before Change

*** Starting uWSGI 2.0.7-debian (64bit) on [Tue May  2 14:24:57 2017] ***
compiled with version: 4.9.2 on 02 May 2017 14:24:45
os: Linux-3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)
nodename: testnode
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 1
current working directory: /root/uwsgi-2.0.7
detected binary path: /root/uwsgi-2.0.7/uwsgi-core
your processes number limit is 3932
your memory page size is 4096 bytes
detected max file descriptor number: 65536
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to UNIX address /run/app/server.sock fd 3
inside `uwsgi_as_root`
./uwsgi-core(print_bt+0x11)[0x416a81]
./uwsgi-core(uwsgi_as_root+0x20)[0x41c1c0]
./uwsgi-core(uwsgi_bind_sockets+0x294)[0x4243f4]
./uwsgi-core(uwsgi_start+0x4f4)[0x462304]
./uwsgi-core(uwsgi_setup+0x105b)[0x46436b]
./uwsgi-core(main+0x9)[0x4167b9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7fe177b9bb45]
./uwsgi-core[0x4167e7]
setgid() to 65534
setuid() to 999
Python version: 3.4.2 (default, Oct  8 2014, 10:47:48)  [GCC 4.9.1]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0x1d32d90
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 145536 bytes (142 KB) for 1 cores
*** Operational MODE: single process ***
2017-05-02 14:24:58,203 - app - INFO - Started with uid of: 999
2017-05-02 14:24:58,203 - app - INFO - Dropped to uid of: 999
Traceback (most recent call last):
  File "./app.py", line 39, in <module>
    app.secret_key = _cfg("secret-key")
  File "/app/config.py", line 79, in _cfg
    if config.has_option("defaults", key):
AttributeError: 'NoneType' object has no attribute 'has_option'
unable to load app 0 (mountpoint='') (callable not found or import error)
*** no app loaded. going in full dynamic mode ***
Droping privileges after application initialization
inside `uwsgi_as_root`
./uwsgi-core(print_bt+0x11)[0x416a81]
./uwsgi-core(uwsgi_as_root+0x20)[0x41c1c0]
./uwsgi-core(uwsgi_start+0xe0d)[0x462c1d]
./uwsgi-core(uwsgi_setup+0x105b)[0x46436b]
./uwsgi-core(main+0x9)[0x4167b9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7fe177b9bb45]
./uwsgi-core[0x4167e7]
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 5078)
spawned uWSGI worker 1 (pid: 5080, cores: 1)

After Change

*** Starting uWSGI 2.0.7-debian (64bit) on [Tue May  2 14:33:09 2017] ***
compiled with version: 4.9.2 on 02 May 2017 14:24:45
os: Linux-3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)
nodename: testnode
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 1
current working directory: /root/uwsgi-2.0.7
detected binary path: /root/uwsgi-2.0.7/uwsgi-core
your processes number limit is 3932
your memory page size is 4096 bytes
detected max file descriptor number: 65536
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to UNIX address /run/app/server.sock fd 3
Python version: 3.4.2 (default, Oct  8 2014, 10:47:48)  [GCC 4.9.1]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0xcaa3d0
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 145536 bytes (142 KB) for 1 cores
*** Operational MODE: single process ***
2017-05-02 14:33:10,535 - app - INFO - Started with uid of: 0
2017-05-02 14:33:10,536 - root - INFO - Dropping root
2017-05-02 14:33:10,536 - app - INFO - Dropped to uid of: 999
Droping privileges after application initialization
inside `uwsgi_as_root`
./uwsgi-core(print_bt+0x11)[0x416a81]
./uwsgi-core(uwsgi_as_root+0x20)[0x41c1c0]
./uwsgi-core(uwsgi_start+0xe0d)[0x462c1d]
./uwsgi-core(uwsgi_setup+0x105b)[0x46436b]
./uwsgi-core(main+0x9)[0x4167b9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f366ea02b45]
./uwsgi-core[0x4167e7]
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 6065)
spawned uWSGI worker 1 (pid: 6076, cores: 1)

[xrmx]

Any chance you can open a PR please?

[RobertDeRose]

Done @xrmx