Ssh – Giving PHP the permission to make a git pull request

commandgitpermissionsPHPssh

I would like to allow PHP to execute a Git pull command. But there are some problems with the user and permissions. How did you solve the problem?

PHP runs as user www-data. Therefore I've changed the .git directory owner/group to www-data (chown www-data:www-data -R .git). As it is turned out later www-data has no SSH keys. Is it a good idea to give it one? If yes where to place? Or is it possible to allow it to use a specific key.

Best regards,
Bernd

Best Answer

How often do you have to do pull? You can make a cronjob (every 30 minutes or so) for your git user that checks a certain file. If that file has a 1 or in it, it makes a pull. You can give your git user and your www-data user access to this file. PHP writes a 1 into the file -> cronjob (crontab entry of git user) checks if a 1 is in the file -> cronjob clears the 1 -> git makes pull -> and so on This is a secure way with a little delay (cycle of cronjob). PS: dont forgot to clear the 1.

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Linux – correct file permissions for trac and git user to access gitolite server repos

The most secure way of doing it I would say is to have a group called git-readers

add git and www-data to it, then have the following folder structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git u=rwx,g=rwx,o=rx

This will allow www-data into the folder for reading, but only give the git user write access. Any other user can't do anything.

If you want to add additional writers, I would add another group git-writers and add the users and git to it as well as the git-readers group, then use the following structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git-writers u=rwx,g=rwxs,o=rx

Note the 's' in the group permissions. This makes the writer users use git-writers group as their default group. This will only work properly if the writers are all umask 0002.

Best Answer

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

Linux – correct file permissions for trac and git user to access gitolite server repos

Related Topic