Skip to content

Add writable_acl_force to force ACL reset on writable dirs #4140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
antonmedv merged 3 commits into from
Dec 8, 2025
+21 −5
Merged

Add writable_acl_force to force ACL reset on writable dirs #4140

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f26ac57
Add writable_acl_force to force ACL reset on writable dirs
Dec 5, 2025
8eb9153
Update recipe/deploy/writable.php
ianbeu Dec 5, 2025
5ee0769
Improve writable_acl_force setting documentation
Dec 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@
.phpunit.result.cache
docker-compose.override.yml
.php-cs-fixer.cache
.idea/
12 changes: 11 additions & 1 deletion docs/recipe/deploy/writable.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,11 +98,21 @@ List of additional groups to give write permission to.



### writable_acl_force
[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65)

Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.

```php title="Default value"
false
```



## Tasks

### deploy\:writable {#deploy-writable}
[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65)
[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L68)

Makes writable dirs.

Expand Down
13 changes: 9 additions & 4 deletions recipe/deploy/writable.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,9 @@
// List of additional groups to give write permission to.
set('writable_acl_groups', []);

// Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.
set('writable_acl_force', false);

desc('Makes writable dirs');
task('deploy:writable', function () {
$dirs = join(' ', get('writable_dirs'));
Expand Down Expand Up @@ -121,14 +124,16 @@
if (empty($sudo)) {
// When running without sudo, exception may be thrown
// if executing setfacl on files created by http user (in directory that has been setfacl before).
// These directories/files should be skipped.
// Now, we will check each directory for ACL and only setfacl for which has not been set before.
// These directories/files should be skipped unless forcing ACL reset.
// Now, we will check each directory for ACL and only setfacl for which has not been set before,
// unless writable_acl_force is enabled.
$writeableDirs = get('writable_dirs');
$forceAcl = get('writable_acl_force');
foreach ($writeableDirs as $dir) {
// Check if ACL has been set or not
$hasfacl = run("getfacl -p $dir | grep \"^user:$httpUser:.*w\" | wc -l");
// Set ACL for directory if it has not been set before
if (!$hasfacl) {
// Set ACL for directory if it has not been set before or if forcing ACL reset
if ($forceAcl || !$hasfacl) {
run("setfacl -L $recursive $setFaclUsers $setFaclGroups $dir");
run("setfacl -dL $recursive $setFaclUsers $setFaclGroups $dir");
}
Expand Down