Setting POSIX Capabilities
==========================

`POSIX capabilities`_ allow fine-grained permissions for processes. In addition
to the standard UNIX permission scheme, they define a new set of privileges for
system resources.  To enable capabilities support (Linux Only) you have to
install the ``libcap`` headers (``libcap-dev`` on Debian-based distros) before
building uWSGI.  As usual your processes will lose practically all of the
capabilities after a ``setuid`` call. The uWSGI ``cap`` option allows you to
define a list of capabilities to maintain through the call.  

For example, to allow your unprivileged app to bind on privileged ports and set
the system clock, you will use the following options.

.. code-block:: sh

  uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time

All of the processes generated by uWSGI will then inherit this behaviour.  If
your system supports capabilities not available in the uWSGI list you can
simply specify the number of the constant:

.. code-block:: sh

  uwsgi --socket :1000 --uid 5000 --gid 5000 --cap net_bind_service,sys_time,42

In addition to ``net_bind_service`` and ``sys_time``, a new capability numbered '42' is added.

.. _POSIX capabilities: http://en.wikipedia.org/wiki/Capability-based_security

Available capabilities
----------------------


This is the list of available capabilities.

==================  ======================
audit_control       CAP_AUDIT_CONTROL
audit_write         CAP_AUDIT_WRITE
chown               CAP_CHOWN
dac_override        CAP_DAC_OVERRIDE
dac_read_search     CAP_DAC_READ_SEARCH
fowner              CAP_FOWNER
fsetid              CAP_FSETID
ipc_lock            CAP_IPC_LOCK
ipc_owner           CAP_IPC_OWNER
kill                CAP_KILL
lease               CAP_LEASE
linux_immutable     CAP_LINUX_IMMUTABLE
mac_admin           CAP_MAC_ADMIN
mac_override        CAP_MAC_OVERRIDE
mknod               CAP_MKNOD
net_admin           CAP_NET_ADMIN
net_bind_service    CAP_NET_BIND_SERVICE
net_broadcast       CAP_NET_BROADCAST
net_raw             CAP_NET_RAW
setfcap             CAP_SETFCAP
setgid              CAP_SETGID
setpcap             CAP_SETPCAP
setuid              CAP_SETUID
sys_admin           CAP_SYS_ADMIN
sys_boot            CAP_SYS_BOOT
sys_chroot          CAP_SYS_CHROOT
sys_module          CAP_SYS_MODULE
sys_nice            CAP_SYS_NICE
sys_pacct           CAP_SYS_PACCT
sys_ptrace          CAP_SYS_PTRACE
sys_rawio           CAP_SYS_RAWIO
sys_resource        CAP_SYS_RESOURCE
sys_time            CAP_SYS_TIME
sys_tty_config      CAP_SYS_TTY_CONFIG
syslog              CAP_SYSLOG
wake_alarm          CAP_WAKE_ALARM
==================  ======================