Capifony setfacl permissions: “Operation not permitted”

非 Y 不嫁゛ submitted on 2019-12-31 02:08:37

Question


I have a user didongo (user & group didongo), and the nginx server (user & group www-data). I've set up Capifony to log in as the didongo user: the first time I deploy, the setfacl command works OK (while the logs folder is empty). But after the web application, served by nginx, has generated some logs (prod.log), the very next deploy fails with a setfacl error.

I'm sure I'm making a noob error with the permissions between the user and the web server, but I don't see what the error is. I see that didongo should not be able to change permissions of a file he has no permissions to. But then, how am I supposed to configure the server or Capifony?

Thanks!

Relevant (hope so) Capifony deploy.rb config:

set :user,                  "didongo"
set :webserver_user,        "www-data"
set :permission_method,     :acl
set :use_set_permissions,   true

set :shared_children,       [app_path + "/logs", web_path + "/uploads", "vendor"]
set :writable_dirs,         ["app/cache", "app/logs"]

This is the Capifony error:

$ setfacl -R -m u:didongo:rwx -m u:www-data:rwx /home/didongo/staging/shared/app/logs
setfacl: /home/didongo/staging/shared/app/logs/prod.log: Operation not permitted

Some data on the ACL:

$ getfacl app/logs

# file: logs
# owner: didongo
# group: didongo
user::rwx
user:www-data:rwx
user:didongo:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:didongo:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

# file: logs/prod.log
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx               #effective:rw-
user:didongo:rwx                #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::r--

Answer 1:


Try this once with sudo; after that you will not need to use sudo.

sudo sh -c 'setfacl -R -m u:didongo:rwX -m u:www-data:rwX /home/didongo/staging/shared/app/logs'

Because you need to set x+ permissions. Read this: What is trailing Plus indicates




Answer 2:


Finally I managed this by creating different PHP-FPM pools with the same permissions as the user. This way I can have different users separated from each other. And as a bonus, deploy.rb is simplified.




Answer 3:


The problem here is that the prod.log file was created automatically, so its owner is www-data. Capifony runs the deployment as the didongo user. One user can't do setfacl to the other owner's file.

So just add didongo to the group www-data: sudo adduser didongo www-data
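
Added example (not part of the original answers): a pre-deploy check in shell that reads `getfacl -R` output and lists the paths a given deploy user does not own, since on Linux only a file's owner or a process with CAP_FOWNER (such as root) can change its ACL. The function names and the embedded sample, abridged from the getfacl output in the question, are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict which paths `setfacl -R` will reject for a deploy user.
# Only a file's owner (or a process with CAP_FOWNER, such as root) may change its ACL.

# Read `getfacl -R` output on stdin; print each path whose owner is not $1.
foreign_owned() {
    awk -v user="$1" '
        /^# file: /  { path = substr($0, 9) }
        /^# owner: / { if (substr($0, 10) != user) print path }
    '
}

# Constructed sample, abridged from the getfacl output in the question.
sample_acl() {
    cat <<'EOF'
# file: logs
# owner: didongo
# group: didongo
user::rwx
user:www-data:rwx
user:didongo:rwx
mask::rwx
other::r-x

# file: logs/prod.log
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx               #effective:rw-
user:didongo:rwx                #effective:rw-
mask::rw-
other::r--
EOF
}

# Live use (hypothetical invocation): check_dir didongo /path/to/shared/app/logs
check_dir() {
    command -v getfacl >/dev/null || { echo "getfacl not found" >&2; return 2; }
    blocked=$(getfacl -R -p "$2" | foreign_owned "$1")
    [ -z "$blocked" ] && return 0
    printf 'setfacl as %s will fail on:\n%s\n' "$1" "$blocked" >&2
    return 1
}

sample_acl | foreign_owned didongo   # prints: logs/prod.log
```

Running `check_dir` before the Capifony permission task shows which files the web server created since the last deploy, without attempting any ACL change.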



Source: https://stackoverflow.com/questions/14718533/capifony-setfacl-permissions-operation-not-permitted
