After more research it seems like another (possibly better) way to answer this would be to set up the www folder like so:
sudo usermod -a -G developer user1
(add each user to the developer group)
sudo chgrp -R developer /var/www/site.com/
so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/
so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads
so that www-data (Apache/nginx) can create uploads.
Since git runs as whatever user is calling it, as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.
Note: in step (3), the '2' in 2774 means 'set group ID' on the directory. This causes new files and subdirectories created within it to inherit the group ID of the parent directory (instead of the primary group of the user). Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories
The most secure way of doing it, I would say, is to have a group called git-readers, add git and www-data to it, and then have the following folder structure:
/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git u=rwx,g=rwx,o=rx
This will allow www-data into the folder for reading, but only give the git user write access. Any other user can't do anything.
If you want to add additional writers, I would add another group git-writers, add the users and git to it as well as to the git-readers group, and then use the following structure:
/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git-writers u=rwx,g=rwxs,o=rx
Note the 's' in the group permissions. This makes the writer users use the git-writers group as their default group. This will only work properly if the writers all have umask 0002.
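The two directory layouts above, as an added example that is not part of either answer. It builds throwaway copies under a temp directory so it can be run without root: the current user's primary group stands in for "developer", "git-readers" and "git-writers" (creating those groups and chgrp-ing to them needs root), and the paths under the temp directory stand in for /var/www/site.com and /home/git. It assumes a POSIX sh with ls, awk, find, mktemp and umask, and reads modes from `ls -ld` output. It deliberately differs from the first answer's `chmod -R 2774` in one respect: it applies the setgid bit to directories only and gives files 664, so files do not end up setgid. It also shows the umask caveat from the second answer: the setgid bit only fixes the group of new files, while group write on them still depends on the creator's umask.

```shell
#!/bin/sh
# Added example (not from the original answers). Group names, paths and the
# use of a temp dir are assumptions so this runs unprivileged.

# Mode string of a path as ls prints it, e.g. drwxrwsr-- (ACL/SELinux
# suffixes such as "+" or "." are dropped by taking the first 10 chars).
mode_of() { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }

# Group owner of a path.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# First answer's scheme: group-writable, setgid, world-readable tree.
# Directories get 2774 (setgid); files get 664 (no setgid on files).
setup_site_dir() {                  # $1 = site root, $2 = developer group
    mkdir -p "$1/uploads"
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2774 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Second answer's scheme:
#   /home/git              u=rwx,g=rx,o=      (group: git-readers)
#   /home/git/repositories u=rwx,g=rwxs,o=rx  (group: git-writers)
setup_git_tree() {                  # $1 = git home, $2 = readers grp, $3 = writers grp
    mkdir -p "$1/repositories"
    chgrp "$2" "$1"
    chmod u=rwx,g=rx,o= "$1"
    chgrp "$3" "$1/repositories"
    chmod u=rwx,g=rwxs,o=rx "$1/repositories"
}

# Create an empty file under a given umask and report its mode string.
# Shows that a 2774 directory does not by itself make new files group-writable.
create_with_umask() {               # $1 = umask, $2 = path
    ( umask "$1" && : > "$2" )
    mode_of "$2"
}

demo() {
    base=$(mktemp -d)
    grp=$(id -gn)                   # stands in for developer/git-readers/git-writers

    setup_site_dir "$base/site.com" "$grp"
    echo "site dir:      $(mode_of "$base/site.com")"                 # drwxrwsr--
    echo "umask 022 file: $(create_with_umask 022 "$base/site.com/a.php")"  # -rw-r--r-- (group cannot edit)
    echo "umask 002 file: $(create_with_umask 002 "$base/site.com/b.php")"  # -rw-rw-r--
    echo "file group:    $(group_of "$base/site.com/b.php") (dir group: $grp)"

    setup_git_tree "$base/git" "$grp" "$grp"
    echo "git home:      $(mode_of "$base/git")"                      # drwxr-x---
    echo "repositories:  $(mode_of "$base/git/repositories")"         # drwxrwsr-x

    rm -rf "$base"
}

demo
```

To apply the real layouts, run `setup_site_dir /var/www/site.com developer` and `setup_git_tree /home/git git-readers git-writers` as root after the groups exist; the umask check is the part worth repeating on each developer account, since a developer with the default umask 022 will create files that the rest of the group cannot edit.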
Best Answer
How often do you have to pull? You can make a cronjob (every 30 minutes or so) for your git user that checks a certain file. If that file has a 1 in it, it does a pull. You can give your git user and your www-data user access to this file. PHP writes a 1 into the file -> cronjob (crontab entry of the git user) checks if a 1 is in the file -> cronjob clears the 1 -> git does a pull -> and so on. This is a secure way with a little delay (the cycle of the cronjob). PS: don't forget to clear the 1.
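The cron side of the flag-file scheme, as an added example that is not the answer's own script. The flag path /var/lib/deploy/pull.flag, the repo path /var/www/site.com and the script name pull-if-flagged are assumptions; the one-time setup line and crontab entry are shown as comments because they need root and a real git user. The script follows the order the answer gives (check, clear, then pull) and clears the flag by truncating it rather than deleting it, so the file keeps the owner/group/mode that lets www-data set it again.

```shell
#!/bin/sh
# Added example (not from the original answer). Paths and names are assumed.
#
# One-time setup as root: flag file owned by git, group www-data, mode 660,
# kept outside the web root so only git and the web server can touch it:
#   install -o git -g www-data -m 660 /dev/null /var/lib/deploy/pull.flag
#
# Crontab entry for the git user (crontab -u git -e):
#   */30 * * * * /usr/local/bin/pull-if-flagged /var/lib/deploy/pull.flag /var/www/site.com

# True if the flag file currently contains exactly "1" (surrounding whitespace ignored).
flag_is_set() {                     # $1 = flag file
    [ -f "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Clear the flag by truncating in place. Deleting and recreating it would
# change owner/mode and lock www-data out of setting it next time.
clear_flag() { : > "$1"; }

# Check the flag; if set, clear it *before* pulling so a request that lands
# while the pull is running is picked up on the next cycle instead of being
# wiped afterwards. Returns 0 when a pull was run, 1 when there was nothing to do.
pull_if_flagged() {                 # $1 = flag file, $2 = repo dir, $3.. = pull command
    flag=$1
    repo=$2
    shift 2
    flag_is_set "$flag" || return 1
    clear_flag "$flag"
    ( cd "$repo" && "$@" )
}

# Entry point when run from cron: pull-if-flagged FLAG REPO
if [ $# -ge 2 ]; then
    if pull_if_flagged "$1" "$2" git pull --ff-only; then
        echo "pulled $2"
    fi
fi
```

On Linux, wrapping the crontab command in `flock -n /var/lib/deploy/pull.lock ...` (util-linux) keeps two cycles from pulling at once if a pull ever runs longer than the cron interval; `--ff-only` makes the pull fail loudly, via cron mail, instead of creating a merge commit in the checkout.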