问题
I have a user didongo
(user & group didongo
), and the nginx server (user & group www-data
). I've setup Capifony to login as didongo
user: the first time I deploy setfacl
command works ok (while the logs folder is empty). But after the web application, served by nginx, has generated some logs (prod.log) the very next deploy fails, with an setfacl
error.
I'm sure I'm doing a noob error with the permissions between the user and the web server, but I don't see what error. I see that didongo
should not be able to change permissions of a file he hasn't permissions to. But then, how I'm supposed to configure the server or Capifony?
Thanks!
Relevant (hope so) Capifony deploy.rb config:
set :user, "didongo"
set :webserver_user, "www-data"
set :permission_method, :acl
set :use_set_permissions, true
set :shared_children, [app_path + "/logs", web_path + "/uploads", "vendor"]
set :writable_dirs, ["app/cache", "app/logs"]
This is the Capifony error:
$ setfacl -R -m u:didongo:rwx -m u:www-data:rwx /home/didongo/staging/shared/app/logs
setfacl: /home/didongo/staging/shared/app/logs/prod.log: Operation not permitted
Some data on the ACL:
$ getfacl app/logs
# file: logs
# owner: didongo
# group: didongo
user::rwx
user:www-data:rwx
user:didongo:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:didongo:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
# file: logs/prod.log
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx #effective:rw-
user:didongo:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r--
回答1:
Try this once with sudo and after you will no need to use sudo
sudo sh -c 'setfacl -R -m u:didongo:rwX -m u:www-data:rwX /home/didongo/staging/shared/app/logs'
Because you need to set x+
permissions, read this What is trailing Plus indicates
回答2:
Finally I managed this creating different PHP-FPM pools with the same permissions as the user. This way I can have different users separated from each other. And as a bonus deploy.rb is simplified.
回答3:
The problem here, is that prod.log
file was created automatically so its owner is www-data
. Capifony runs deployment as didongo
user. One user can't do setfacl
to the other owner's file.
So just add didongo
to the group www-data
: sudo adduser didongo www-data
来源:https://stackoverflow.com/questions/14718533/capifony-setfacl-permissions-operation-not-permitted