capistrano-secure-permissions 1.2.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3b0391980a0f950b545b846f2fb1b1935e5ecf99
-  data.tar.gz: 63624be7ff0de60bbe5a97aba6bb762a88b039f2
+  metadata.gz: 45ea618cd36aac2f5a319755d586eda7c8ce1dec
+  data.tar.gz: f219c49087ce0654a45e12d81a61a133f8dc5ce1
 SHA512:
-  metadata.gz: 0b1b862142a6ed7b45655cf14ecf98ed081c2ffbbc77cfd18fc58ebb76d3dd5dc693b8836c2fa84a7ba4f95416e60df22e44245693f477b59e31cfe4b5f5434a
-  data.tar.gz: 7531f4b094620b88bd0a86d9ea78f3d15e95f671fed2474994382c0baecdab57e57c145c99bf67770ac986f193ef78739eed2ccd7f0d49255e07033e6225a3d4
+  metadata.gz: 21d27428483c309d431505c734c8285dc004e31c7800d00892ec20419c41eaa0bdca262e965bb61a2325013745fe51d88bdfa496c53724b1eed20e67de6c3320
+  data.tar.gz: e6fa904533cd9cad5f4dc8d285bbc4e3a86cc9307e98f39949b7f87365d9015f4b6605e20af591928456970e1f6d47c010b786fb5d8a07f139da492bed205bf4

data/VERSION

@@ -1 +1 @@
-1.2.0
+2.0.0

data/capistrano-secure-permissions.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: capistrano-secure-permissions 1.2.0 ruby lib
+# stub: capistrano-secure-permissions 2.0.0 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "capistrano-secure-permissions"
-  s.version = "1.2.0"
+  s.version = "2.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Rune Schjellerup Philosof"]
-  s.date = "2016-09-12"
+  s.date = "2016-11-29"
   s.description = "This gem makes it easy to run your app with a user that only has write permissions to the public folder"
   s.email = "rune.capistrano-secure-permissions@philosof.dk"
   s.extra_rdoc_files = [

data/lib/capistrano/tasks/secure-permissions.rake

@@ -4,24 +4,15 @@ namespace :deploy do
     on roles(:app) do |server|
       web_user = fetch(:web_user)
       app_user = fetch(:app_user)
-      deploy_user = server.user
-      linked_dirs = fetch(:linked_dirs)
 
-      # Set parent folders accessable by web_user.
-      parent_folders = [
-        release_path,
-        shared_path,
-      ]
-      parent_folders << "#{shared_path}/public" if linked_dirs.any? { |d| d.start_with?('public') }
-      execute :setfacl, "-m", "u:#{web_user}:x,u:#{deploy_user}:rx", *parent_folders
-      # Set all except public, tmp, and log readable by app_user.
-      execute :find, release_path, '-regex', '\./\(public\|tmp\|log\)', '-prune', '-o', '-user', deploy_user, '-print0', '|', 'xargs', '-0', '--no-run-if-empty', 'setfacl', '-m', "u:#{app_user}:rX"
-      # Set log and tmp writable by app_user.
-      execute :find, '-L', "#{release_path}/log", "#{release_path}/tmp", '-user', deploy_user, '-print0', '|', 'xargs', '-0', '--no-run-if-empty', 'setfacl', '-m', "u:#{app_user}:rwX"
+      execute :setfacl, '-m', "u:#{web_user}:x", release_path
+      # This is before symlinking, so we can do this recursively.
+      execute :setfacl, '-R', '-m', "u:#{web_user}:rx", release_path.join('public')
+      execute :setfacl, '-R', '-m', "u:#{app_user}:rx,d:u:#{app_user}:rx", release_path
     end
   end
 
-  after 'deploy:updated', 'deploy:secure_permissions'
+  before 'deploy:symlink:shared', 'deploy:secure_permissions'
 end
 
 namespace :secure_permissions do
@@ -34,17 +25,28 @@ namespace :secure_permissions do
     end
   end
 
-  desc 'Sets permissions on the public folder, only needs to be done once, not on every deploy. And there might be a lot of files, so it might take a while.'
+  desc 'Sets permissions on the shared folders, only needs to be done once, not on every deploy. And there might be a lot of files, so it might take a while.'
   task :setup do
     on roles(:app) do |server|
       web_user = fetch(:web_user)
       app_user = fetch(:app_user)
       deploy_user = server.user
+      # Public is writable by app_user by default, so exclude that one.
+      # To avoid going through the files twice.
+      writable_dirs = fetch(:writable_dirs, fetch(:linked_dirs)).
+        map { |dir| shared_path.join(dir) }.
+        delete_if { |dir| dir.start_with?('public/') }
+      # All of shared readable by app_user.
+      readable_dirs = shared_path.children().map(&:basename) - writable_dirs
 
+      execute :setfacl, '-m', "u:#{web_user}:x,d:u:#{web_user}:x,u:#{app_user}:rx,d:u:#{app_user}:rx", shared_path
+      execute :setfacl, '-R', '-m', "u:#{app_user}:rx,d:u:#{app_user}:rx", *readable_dirs
       # Set permissions for files in public, readable by web_user and writable by app_user.
-      execute :find, '-L', "#{release_path}/public", '-user', deploy_user, '-not', '-type', 'l', '-print0', '|', 'xargs', '-0', '--no-run-if-empty', 'setfacl', '-m', "u:#{web_user}:rX,u:#{app_user}:rwX"
-      # Set defaults for directories in public (that is permissions for new files made by the app).
-      execute :find, "#{shared_path}/public", '-user', deploy_user, '-type', 'd', '-print0', '|', 'xargs', '-0', '--no-run-if-empty', 'setfacl', '-m', "d:u:#{web_user}:rX,d:u:#{app_user}:rwX"
+      # Also make sure that deploy_user retains access, to the files that app_user creates.
+      execute :setfacl, '-R', '-m', "u:#{web_user}:rx,u:#{app_user}:rwx,u:#{deploy_user}:rwx,d:u:#{deploy_user}:rwx,d:u:#{web_user}:rx,d:u:#{app_user}:rwx", shared_path.join('public')
+      # Allow app_user access to writable_dirs in shared
+      # Also make sure that deploy_user retains access, to the files that app_user creates.
+      execute :setfacl, '-R', '-m', "u:#{app_user}:rwx,d:u:#{app_user}:rwx", *writable_dirs
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: capistrano-secure-permissions
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Rune Schjellerup Philosof
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-12 00:00:00.000000000 Z
+date: 2016-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rdoc