[Flask] Uwsgi emperor socket creation permissions

Corey Boyle coreybrett at gmail.com
Sat May 25 09:50:39 EDT 2019


So I am trying to set up Uwsgi / Emperor for multiple apps each running
under their own user account.

I have the Emperor running as root in tyrant mode, and it's starting
the vassals and running them with their own accounts.

The trouble I have is the permissions on the sockets created by the
vassals. If I set chmod-socket = 666 everything works fine. The socket
is created with the vassal's user and group, but Nginx (and everyone
else) is able to read/write because of the world permissions.

I just don't think that's a good situation.

What I can't figure out is how to have the vassals create the socket
with permissions that will allow the appuser(uwsgi) and Nginx to
read/write, but keep everyone else out.

I tried using chown-socket = appuser:www-data, but that doesn't work
because appuser is not a member of the www-data group and therefore
can't set it as group.


Any suggestions?
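
An added example, not part of the original post: a Python check that reports which permission class a peer (such as the Nginx user) falls into for a socket file, and whether the socket is world-writable as it is with chmod-socket = 666. The function names, the throwaway socket path and the use of the current user as the peer are assumptions for illustration.

```python
import os
import pwd
import socket
import stat
import tempfile


def ids_for_user(name):
    """Resolve a user name to (uid, [gids]), e.g. for the web server account."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, os.getgrouplist(entry.pw_name, entry.pw_gid)


def audit_socket(path, peer_uid, peer_gids):
    """Report the socket mode and whether the given peer could connect to it."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)
    # Exactly one permission class applies per caller: owner, else group, else other.
    # On Linux, connecting to a pathname socket needs write permission on it.
    if peer_uid == st.st_uid:
        cls, bit = "owner", stat.S_IWUSR
    elif st.st_gid in peer_gids:
        cls, bit = "group", stat.S_IWGRP
    else:
        cls, bit = "other", stat.S_IWOTH
    return {
        "mode": oct(mode),
        "world_writable": bool(mode & stat.S_IWOTH),
        "peer_class": cls,
        "peer_can_connect": bool(mode & bit),
    }


def demo():
    """Constructed sample: one throwaway socket audited under modes 666 and 660."""
    uid, gids = os.getuid(), os.getgroups() + [os.getgid()]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(path)
            for mode in (0o666, 0o660):
                os.chmod(path, mode)
                results[mode] = audit_socket(path, uid, gids)
    return results


if __name__ == "__main__":
    for mode, report in demo().items():
        print(oct(mode), report)
```

Against a real vassal socket, pass the result of ids_for_user() for the web server account; a peer_class of "other" means that account only gets in through the world bits.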

