It turns out this was quite specific to the context described above. I was using uWSGI to serve my site using emperor mode. I set the parameters uid=www-data and gid=www-data. I expected this to cause my vassal processes to have the permissions associated with the user and the group www-data as well as the permissions associated with any group to which www-data (the user) belongs. This assumption is incorrect. Vassals do not run (by default) with any supplementary group ids.
It turns out uWSGI (in recent versions) has a fix for this. You can manually specify add-gid=mygroup in the uWSGI configuration. You can specify this parameter many times to add as many gids to a vassal process as your heart desires. This feature is only available as of uWSGI 1.9.15, so you might need to upgrade to use this approach.
Full writeup here.
I hope this helps someone!
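
To confirm which groups a running vassal actually holds, the following check (an added example, not part of the original answer) parses the Uid, Gid and Groups lines of /proc/<pid>/status on Linux and reports expected gids the process lacks. The function names, the sample status text and its numeric ids are constructed for illustration.

```python
import os
import pwd

# Constructed sample of /proc/<pid>/status for a vassal started with
# uid=www-data, gid=www-data and no add-gid (numeric ids are made up).
SAMPLE_STATUS = """\
Name:\tuwsgi
Pid:\t4242
Uid:\t33\t33\t33\t33
Gid:\t33\t33\t33\t33
Groups:\t
"""


def parse_status(text):
    """Return (effective uid, effective gid, set of supplementary gids)."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    euid = int(fields["Uid"][1])  # order: real, effective, saved, fs
    egid = int(fields["Gid"][1])
    groups = {int(g) for g in fields.get("Groups", [])}
    return euid, egid, groups


def missing_groups(text, expected_gids):
    """Gids the process should hold but has neither as primary nor supplementary."""
    _, egid, groups = parse_status(text)
    return set(expected_gids) - (groups | {egid})


def expected_gids_for(username):
    """Every gid the account database grants to username."""
    pw = pwd.getpwnam(username)
    return set(os.getgrouplist(username, pw.pw_gid))


def check_pid(pid, username):
    """Compare a live process against the groups its user belongs to."""
    with open(f"/proc/{pid}/status") as fh:
        return missing_groups(fh.read(), expected_gids_for(username))


if __name__ == "__main__":
    # Assumed for the sample: 33 = www-data, 1001 = mygroup.
    print(missing_groups(SAMPLE_STATUS, {33, 1001}))
```

Against a live system, call check_pid with a vassal's pid and the configured user; an empty set means the process holds every group the user belongs to.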