Problem
Capistrano deploys a web application via SSH using deploy user.
Apache/PHP runs under typical www-data user.
Web server is creating cache files and folders at runtime inside the app path. Example:
-rw-r--r-- 1 www-data www-data 71758 Apr 29 14:33 /var/www/site.com/releases/20140429183204/cache/twig/9e/dd/fd353a4ff2520b59144be49f4a6e.php
Capistrano deploy:cleanup attempts to delete older releases, which contain these cache files, but fails since user deploy has no write permission on the cache files.
Error reported:
cannot remove `/var/www/site.com/releases/20140429183204/cache/twig/9e/dd/fd353a4ff2520b59144be49f4a6e.php' : Permission denied
Usual solution, ACL
My usual solution for this was to set deploy in www-data group and www-data in deploy group and set ACLs so new files/folders always get group-write rights.
My current server filesystem doesn't support acl…
Attempted solution, sticky bit
My attempt was to set a sticky bit on the whole app folder. This was attempted while both users are in the other's group.
chmod -R g+rwsx /var/www/site.com
This works well for new files, but the sticky bit doesn't propagate to new folders (which is my problem).
tl;dr
How to set up permissions so Capistrano (via SSH with user deploy) can delete files and folders created by Apache with user www-data?
Best Answer
Best solution so far is to use the PHP umask function at the beginning of each script.
This ensures all files and folders created under normal circumstances have group-write permission and execute bit so content is list-able.
Yet this could cause problems with libraries ignoring the umask and applying permissions manually.
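The umask approach from this answer, shown as an added shell example that is not part of the original post: it builds a cache subtree under umask 022 and 002, simulates a library that sets modes explicitly, and counts the directories a group member such as deploy could not clean up. Function names and sample paths are constructed for illustration; PHP's umask() sets the same per-process mask.

```sh
#!/bin/sh
# Added illustration. Removing a file needs write+search permission on its
# parent directory, so the audit below looks at directories, not at the files.

# Create a cache subtree the way the web process would, under umask $1.
# $2 is a constructed sample path mirroring cache/twig/9e/dd from the question.
make_cache() (
    umask "$1"
    mkdir -p "$2/twig/9e/dd"
    : > "$2/twig/9e/dd/sample.php"
)

# Simulate a library that applies modes itself: chmod is not filtered by the
# umask, so the result is the same whatever mask the script set.
make_cache_explicit_mode() (
    umask "$1"
    mkdir -p "$2/lib"
    : > "$2/lib/forced.php"
    chmod 755 "$2/lib"
    chmod 644 "$2/lib/forced.php"
)

# Count directories under $1 without group write (mode bit 020). Each one
# blocks a group member from deleting its contents during cleanup.
count_blocking_dirs() {
    find "$1" -type d ! -perm -020 | wc -l | tr -d ' '
}

# Succeeds when the single path $1 has the group-write bit set.
has_group_write() {
    [ -n "$(find "$1" -prune -perm -020)" ]
}

# Demo in a throwaway directory.
demo_root=$(mktemp -d)
make_cache 022 "$demo_root/default"
make_cache 002 "$demo_root/groupwrite"
make_cache_explicit_mode 002 "$demo_root/forced"
for d in default groupwrite forced; do
    echo "$d: $(count_blocking_dirs "$demo_root/$d") blocking directories"
done
rm -rf "$demo_root"
```

Running count_blocking_dirs against a release's cache directory before deploy:cleanup shows whether any code path is still creating directories without group write. A mask of 002 leaves the other-write bit off, so the files are writable by the owner and the shared group only.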