From f26ac57c638baae741167bbc08afd731eb414ea3 Mon Sep 17 00:00:00 2001 From: Ian Beuchel Date: Fri, 5 Dec 2025 09:50:44 +0100 Subject: [PATCH 1/3] Add writable_acl_force to force ACL reset on writable dirs --- .gitignore | 1 + docs/recipe/deploy/writable.md | 12 +++++++++++- recipe/deploy/writable.php | 11 ++++++++--- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 6822a2688..8669ffead 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ .phpunit.result.cache docker-compose.override.yml .php-cs-fixer.cache +.idea/ diff --git a/docs/recipe/deploy/writable.md b/docs/recipe/deploy/writable.md index beaa2ac9d..e6e696377 100644 --- a/docs/recipe/deploy/writable.md +++ b/docs/recipe/deploy/writable.md @@ -98,11 +98,21 @@ List of additional groups to give write permission to. +### writable_acl_force +[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65) + +Force setting ACLs even when writable dirs already have them. + +```php title="Default value" +false +``` + + ## Tasks ### deploy\:writable {#deploy-writable} -[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65) +[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L68) Makes writable dirs. diff --git a/recipe/deploy/writable.php b/recipe/deploy/writable.php index b591c1b08..65d8fb4de 100644 --- a/recipe/deploy/writable.php +++ b/recipe/deploy/writable.php @@ -61,6 +61,9 @@ // List of additional groups to give write permission to. set('writable_acl_groups', []); +// Force setting ACLs even when writable dirs already have them. +set('writable_acl_force', false); + desc('Makes writable dirs'); task('deploy:writable', function () { $dirs = join(' ', get('writable_dirs')); 
@@ -121,14 +124,16 @@
 if (empty($sudo)) {
 // When running without sudo, exception may be thrown
 // if executing setfacl on files created by http user (in directory that has been setfacl before).
- // These directories/files should be skipped.
- // Now, we will check each directory for ACL and only setfacl for which has not been set before.
+ // These directories/files should be skipped unless forcing ACL reset.
+ // Now, we will check each directory for ACL and only setfacl for which has not been set before,
+ // unless writable_acl_force is enabled.
 $writeableDirs = get('writable_dirs');
+ $forceAcl = get('writable_acl_force');
 foreach ($writeableDirs as $dir) {
 // Check if ACL has been set or not
 $hasfacl = run("getfacl -p $dir | grep \"^user:$httpUser:.*w\" | wc -l");
 // Set ACL for directory if it has not been set before
- if (!$hasfacl) {
+ if ($forceAcl || !$hasfacl) {
 run("setfacl -L $recursive $setFaclUsers $setFaclGroups $dir");
 run("setfacl -dL $recursive $setFaclUsers $setFaclGroups $dir");
 }
From 8eb9153a9fc926493fdbc5d2cf57b8b3cb503503 Mon Sep 17 00:00:00 2001
From: Ian Beuchel
Date: Fri, 5 Dec 2025 10:04:25 +0100
Subject: [PATCH 2/3] Update recipe/deploy/writable.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 recipe/deploy/writable.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipe/deploy/writable.php b/recipe/deploy/writable.php
index 65d8fb4de..989fbb9a6 100644
--- a/recipe/deploy/writable.php
+++ b/recipe/deploy/writable.php
@@ -132,7 +132,7 @@
 foreach ($writeableDirs as $dir) {
 // Check if ACL has been set or not
 $hasfacl = run("getfacl -p $dir | grep \"^user:$httpUser:.*w\" | wc -l");
- // Set ACL for directory if it has not been set before
+ // Set ACL for directory if it has not been set before or if forcing ACL reset
 if ($forceAcl || !$hasfacl) {
 run("setfacl -L $recursive $setFaclUsers $setFaclGroups $dir");
 run("setfacl -dL $recursive $setFaclUsers $setFaclGroups $dir");
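Review bot: With `writable_acl_force` enabled, the loop in the `-121,14 +124,16` hunk still runs `getfacl -p $dir | grep ... | wc -l` on every directory and then ignores the answer, so the forced path pays one extra remote command per writable dir for nothing; short-circuit the probe instead, `$hasfacl = $forceAcl ? 0 : run("getfacl -p $dir | grep \"^user:$httpUser:.*w\" | wc -l");`. `$forceAcl` is also used untyped: if `get()` can hand back a string set from the command line, `'false'` is truthy and forces the reset, so `$forceAcl = (bool) get('writable_acl_force');` (or `filter_var(..., FILTER_VALIDATE_BOOL)`) at the read would be safer. Note too that the comment kept at the top of the hunk explains these dirs were skipped because `setfacl` without sudo can throw on files the http user created; the forced branch reintroduces exactly that failure mode and nothing here catches it, so a single such file presumably aborts the whole task — worth stating next to the option. The enclosing `task('deploy:writable', ...)` closure starts and ends outside the hunk.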
From 5ee07696279014dc4bac8dd7942f93236a7c7cbf Mon Sep 17 00:00:00 2001
From: Ian Beuchel
Date: Mon, 8 Dec 2025 10:34:45 +0100
Subject: [PATCH 3/3] Improve writable_acl_force setting documentation

---
 docs/recipe/deploy/writable.md | 2 +-
 recipe/deploy/writable.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/recipe/deploy/writable.md b/docs/recipe/deploy/writable.md
index e6e696377..80bcfc170 100644
--- a/docs/recipe/deploy/writable.md
+++ b/docs/recipe/deploy/writable.md
@@ -101,7 +101,7 @@ List of additional groups to give write permission to.
 ### writable_acl_force
 [Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65)

-Force setting ACLs even when writable dirs already have them.
+Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.

 ```php title="Default value"
 false
diff --git a/recipe/deploy/writable.php b/recipe/deploy/writable.php
index 989fbb9a6..d1d6d4e5d 100644
--- a/recipe/deploy/writable.php
+++ b/recipe/deploy/writable.php
@@ -61,7 +61,7 @@
 // List of additional groups to give write permission to.
 set('writable_acl_groups', []);

-// Force setting ACLs even when writable dirs already have them.
+// Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.
 set('writable_acl_force', false);

 desc('Makes writable dirs');
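Review bot: The replacement comment in the `-61,7 +61,7` hunk of recipe/deploy/writable.php is a single line of roughly 200 characters, while every other comment in this file, including the two-line wrap this series itself added further down, stays short; split it into three `//` lines, e.g. `// Force ACLs to be reapplied even if they already exist.` / `// Useful when recursive ACLs need to reach new nested paths but sudo isn't available.` / `// Slower, so enable only to fix writable dir permissions.`. If the markdown page is generated from this comment, as the matching text and the `[Source](...#L65)` link suggest, check that the generator joins wrapped lines before relying on the split.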