UNIX – How to give user rights over another user and so I don’t need to sudo or type password

githookpermissionsunix

I have 2 users in question

• git user – used for gitosis – so it's a No password user and it can be accessed only through root…

• user user – where my files reside

so what I would like to do is give the user git rights to navigate to a luddico folder like this

git@domain.me:~/respositories# cd /home/user/websites/domain.com

and then perform any action inside the user user files (any file/folder)
so this way I can for example

git@domain.com:/home/user/websites/domain.com#  git pull

because actually the action metioned above, returns:

error: cannot open .git/FETCH_HEAD: Permission denied

so when I ask for actions like this, it requests git's password which btw doesn't have any, or cancel it straight away

so How could I configure the user git to have like root/admin rights over the user user without need to provide any password or sudo before the commands?
just like if it was root

It would be even nicer if there is a way to just allow specific commands from git to user

Thanks in advance

Best Answer

As requested, a bit of a tutorial on groups. Hopefully this isn't too elementary.

By default, most user accounts are also part of a group of the same name. To determine what groups an account is a member of, use the groups command.

# groups root
root : root bin daemon sys adm disk wheel

The first one listed is the primary group, and will be the default group owner of any files that user creates. That's listed in the output of ls as the second 'root' entry.

# touch testfile
# ls -l testfile
-rw-r--r--  1 root root 19 Jan 29 08:37 testfile

In order to add a user to a group, you use usermod as shown. The lowercase "-g" flag you gave it changes the primary group. It may be better to change just a secondary one, using the "-G" and "-a" flag. Namely, to put the git user into luddico's group.

# usermod -G luddico -a git
# groups git
git : git luddico

This should give git access to any files that are owned by the luddico group, and have appropriate group permissions. Group permissions are the second "rwx" set listed in ls. The testfile I showed above only allows read access by the root group. If you wanted to give all members of that group write access, you would have to use chmod for that.

# ls -l testfile
-rw-r--r--  1 root root 19 Jan 29 08:37 testfile
# chmod g+w testfile
# ls -l testfile
-rw-rw-r--  1 root root 19 Jan 29 08:37 testfile

Now anyone in the root group can read or write to testfile. Apply the same concept to Luddico's files.

Related Solutions

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Best Answer

Related Solutions

Samba Permissions – I’m going to throw it!

Linux – How to Set Up Permissions for the WWW Folder

Related Topic