Capifony setfacl permissions: "Operation not permitted"


Problem description

I have a user didongo (user & group didongo), and the nginx server (user & group www-data). I've set up Capifony to log in as the didongo user: the first time I deploy, the setfacl command works OK (while the logs folder is empty). But after the web application, served by nginx, has generated some logs (prod.log), the very next deploy fails with a setfacl error.

I'm sure I'm making a noob error with the permissions between the user and the web server, but I don't see what error. I see that didongo should not be able to change permissions of a file he doesn't have permissions to. But then, how am I supposed to configure the server or Capifony?

Thanks!

Relevant (hope so) Capifony deploy.rb config:

set :user,                  "didongo"
set :webserver_user,        "www-data"
set :permission_method,     :acl
set :use_set_permissions,   true

set :shared_children,       [app_path + "/logs", web_path + "/uploads", "vendor"]
set :writable_dirs,         ["app/cache", "app/logs"]

This is the Capifony error:

$ setfacl -R -m u:didongo:rwx -m u:www-data:rwx /home/didongo/staging/shared/app/logs
setfacl: /home/didongo/staging/shared/app/logs/prod.log: Operation not permitted

Some data on the ACL:

$ getfacl app/logs

# file: logs
# owner: didongo
# group: didongo
user::rwx
user:www-data:rwx
user:didongo:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:didongo:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

# file: logs/prod.log
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx               #effective:rw-
user:didongo:rwx                #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::r--

Recommended answer

Finally I managed this by creating different PHP-FPM pools with the same permissions as the user. This way I can have different users separated from each other. And as a bonus, deploy.rb is simplified.
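
A PHP-FPM pool of the kind the answer describes, as an added example that is not part of the original post. The user names come from the question; the pool name, socket path and process-manager numbers are assumptions.

```ini
; Added example: per-user PHP-FPM pool (pool name, socket path and pm.* values are assumptions).
[didongo]

; Workers run as the deploy user, so files the application creates at runtime
; (such as app/logs/prod.log) are owned by didongo, the same account Capifony
; logs in as. setfacl only succeeds on files the caller owns (or as root),
; which is why the www-data-owned prod.log broke the second deploy.
user = didongo
group = didongo

; nginx (www-data) only needs access to the socket, not to the application files.
; The nginx side would point at it with: fastcgi_pass unix:/run/php-fpm-didongo.sock;
listen = /run/php-fpm-didongo.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Process manager sizing (illustrative values).
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```

Files already created by www-data, such as the prod.log in the listing above, stay owned by www-data until root changes their owner.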
