[Solved] Linux capabilities and fastcgi backend as non-root

Added by enok71 almost 5 years ago

I'm trying to make both lighttpd and my fastcgi Python back-end run as non-root, yet granting a few selected privileged capabilities cap_sys_time,cap_sys_boot for the backend.

Can I do that by e.g. entering some "capsh" command as "bin-path" under the "fast-cgi.server" section in lighttpd.conf? Do I also need to ensure that lighttpd is granted some additional capabilities when started?

Or must I start the fastcgi daemon outside lighttpd, using e.g. capsh, will that work?

Did anyone achieve this?

(It would be nice to be able to specify in lighttpd.conf which capabilities to pass on to the spawned fastcgi daemon)


Replies (4)

RE: Linux capabilities and fastcgi backend as non-root - Added by stbuehler almost 5 years ago

You really shouldn't have lighttpd spawn backends if you care that much (but I also think "manual" spawning is generally the better concept anyway).

If you're on systemd try Systemd, otherwise spawn-fcgi itself is a good start.

RE: Linux capabilities and fastcgi backend as non-root - Added by enok71 almost 5 years ago

I have sysvinit. So I'll look at spawn-fcgi. Thanks.

After a quick glance: the problem seems to be similar using spawn-fcgi. How can I make it spawn my backend with selected capabilities set? The command line arguments only allow control over uid and gid.

I actually only need one single, local backend thread. Can I start it without spawn-fcgi? If so, what do I need to do? I use the fastcgi/wsgi package "flipflop.py" to create a fastcgi server from my Python Flask backend. Looking at the flipflop.py source code it seems to expect a unix socket as stdin(?) So - I create a unix socket in the right place, open it, and pass the file descriptor as stdin? That's it?

RE: Linux capabilities and fastcgi backend as non-root - Added by stbuehler almost 5 years ago

I think spawn-fcgi doesn't enforce dropping privs, so just use spawn-fcgi to bind a socket and pass it to your priv-dropping+capability-setting script (running still as root with full caps), which then can start the actual backend.

spawn-fcgi only serves as a startup wrapper, it shouldn't keep running. It really only binds the listening socket to fd 0 and calls the next program (and maybe chowns the socket, and unless passed -n "daemonizes").

RE: Linux capabilities and fastcgi backend as non-root - Added by enok71 almost 5 years ago

True, that worked, and thanks for explaining what spawn-fcgi actually does.

I ended up implementing what I need in my Python fcgi script instead, eliminating the need for spawn-fcgi, and used start-stop-daemon in a sysvinit script to control it. Seems to work, and I feel in full control of privileges, sockets, paths, environment etc. I used libcap-ng-python which simplified things considerably.
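As an added example (not code from this thread, from lighttpd or from spawn-fcgi), here is a Python launcher doing what the last two replies describe: bind the unix socket onto fd 0 the way spawn-fcgi does, then switch to an unprivileged uid/gid keeping only cap_sys_time and cap_sys_boot through the libcap-ng Python binding, and verify from /proc/self/status that nothing else survived. The `capng` module and function names, the socket path and the uid/gid are assumptions.

```python
import os
import socket

# Linux capability numbers from <linux/capability.h>; only the ones needed here.
CAP_NUMBERS = {
    "cap_setgid": 6, "cap_setuid": 7, "cap_net_bind_service": 10,
    "cap_sys_admin": 21, "cap_sys_boot": 22, "cap_sys_time": 25,
}

def cap_mask(names):
    """Bitmask of the named capabilities, as /proc/<pid>/status prints it (hex)."""
    return sum(1 << CAP_NUMBERS[n] for n in names)

def caps_from_status(status_text, field="CapEff"):
    """Decode one Cap* line of /proc/<pid>/status into capability names.
    Bits not in CAP_NUMBERS are reported as 'cap_<n>' so nothing is hidden."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            break
    else:
        raise ValueError(f"{field} not found in status text")
    by_num = {v: k for k, v in CAP_NUMBERS.items()}
    return {by_num.get(n, f"cap_{n}") for n in range(64) if mask >> n & 1}

def bind_listen_socket_on_stdin(path, backlog=128):
    """What spawn-fcgi does before exec: bind the unix socket and move it to fd 0."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(backlog)
    os.dup2(sock.fileno(), 0)
    sock.close()  # fd 0 still holds the listening socket

def drop_privileges(uid, gid, keep):
    """Switch to uid/gid keeping only `keep` in the permitted and effective sets,
    then verify the kernel agrees. Assumed API of libcap-ng-python (module capng)."""
    import capng  # assumption: module name of the libcap-ng Python binding
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    for name in keep:
        capng.capng_update(capng.CAPNG_ADD,
                           capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED,
                           CAP_NUMBERS[name])
    # capng_change_id does setgid/setuid and applies the set built above
    if capng.capng_change_id(uid, gid,
                             capng.CAPNG_DROP_SUPP_GRP | capng.CAPNG_CLEAR_BOUNDING) != 0:
        raise OSError("capng_change_id failed")
    with open("/proc/self/status") as f:
        have = caps_from_status(f.read())
    if have != set(keep):
        raise SystemExit(f"unexpected capabilities after drop: {sorted(have)}")

if __name__ == "__main__":
    # Constructed values: use the real socket path and the backend's uid/gid.
    bind_listen_socket_on_stdin("/run/myapp/fcgi.sock")
    drop_privileges(uid=1000, gid=1000, keep=["cap_sys_time", "cap_sys_boot"])
    # fd 0 now carries the listening socket; hand it to the FastCGI server (e.g. flipflop)
```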
