Failed to achieve Gitolite (Git) and nginx webserver access to webspace at the same time - linux

Starting point:
Ubuntu 20.04
Gitolite (/home/git/)
Webspace /var/www/webspace (usually owned by www-data:www-data)
Git user (in www-data group; also tried without being in the group)
I want to update the webspace as the git user with post-receive to a www-data directory. I had achieved it before I installed Gitolite, but it doesn't seem to work the same way as it did before (or I am missing something). To make it clear: post-receive is executed after pushing (which it normally isn't on Gitolite) ... it was a hard time too to achieve that.
Edit: To make it clear: I want to achieve that git and www-data can access and modify the same files.
What I've tried:
chmod 777 -R /var/www/webspace (after this git can access, but nginx returns 403?)
Adding Git-User to www-data group
chown www-data:git -R /var/www/webspace
chown git:www-data -R /var/www/webspace
chown git:git -R /var/www/webspace
chown www-data:www-data -R /var/www/webspace (with and without git inside group)(with and without 777)
Executing post-receive manually (Operation not permitted)
Executing post-receive manually as root (well ... works of course, but that's not the point)
... maybe also some more steps which I'm missing right now
What Ive noticed so far:
Contrary to Git, Gitolite checks the repo out with -rw------- (if I remember correctly); maybe that is why it's not working with Gitolite but with Git
The code (not that it would be important, but just to list everything):
post-receive
#!/bin/sh
GIT_WORK_TREE=/var/www/webspace git checkout -f
Maybe I'm just missing something, but please help me.

Try and follow "adding other (non-update) hooks" in order for Gitolite to call the relevant post-receive hook.
Add this line in the rc file, within the %RC block, if it's not already present, or uncomment it if it's already present and commented out:
LOCAL_CODE => "$ENV{HOME}/local",
Put your hooks into that directory, in a sub-sub-directory called "hooks/common":
# log on to gitolite hosting user on the server, then:
cd $HOME
mkdir -p local/hooks/common
cp your-post-receive-hook local/hooks/common/post-receive
chmod +x local/hooks/common/post-receive
Run gitolite setup to have the hooks propagate to existing repos (repos created after this will get them anyway).

Add the user (git in my case) to the group of the webspace (www-data for me)
sudo usermod -a -G www-data git
If you were logged in as that user, log out to reload the group.
logout
#or
exit
#or
CTRL+A+D
(If you want to recheck the group, log in as this user and type "groups" to see the groups the user is in)
Make sure the webspace is owned by the correct group. For me:
sudo chown www-data:www-data -R /var/www/webspace
(If you want to recheck this you can go in the directory and type "ls -g")
In my case I had to modify my "post-receive" a bit, because the permissions were always -rw------- after checking out, so here is my "post-receive":
#!/bin/sh
GIT_WORK_TREE=/var/www/webspace git checkout -f   # default line to check out
chmod -R a+r /var/www/webspace                    # added by me because of permission issues
For convenience I had my "post-receive" in the repo directory (/home/git/repositories/repo/hooks/post-receive). The docs tell you to create a new folder (/home/git/local/specific-hooks/repo/post-receive, but they tell you to name it on your own).
*All paths, names, groups and permissions written above only apply to me. They may differ for your installation.
What really solved my problem:
Logout after you change groups
Change permission (chmod) in post-receive
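The following is an added example, not the asker's hook and not code from Gitolite: a post-receive hook for the setup described in this question (web root /var/www/webspace, web server group www-data, git user in that group, all taken from the question) that replaces the chmod 777 and chmod -R a+r steps with a setgid, group-writable web root and an explicit umask. Gitolite's rc file defaults to UMASK => 0077, which is why a plain checkout leaves files -rw-------; a hook inherits that umask unless it sets its own. The helper names (mode_of, prepare_webroot, fix_perms, deploy) are my own.

```shell
#!/bin/sh
# Added example (not the asker's hook or Gitolite's own code): a post-receive
# hook that deploys into a web root shared between the git user and nginx
# without chmod 777. Assumed names: web root /var/www/webspace, web server
# group www-data, git user a member of that group. Gitolite's rc defaults to
# UMASK => 0077, which leaves checked-out files -rw-------; the hook sets its
# own umask so new files are group-writable and world-readable.

WEBROOT="${WEBROOT:-/var/www/webspace}"
WEBGROUP="${WEBGROUP:-www-data}"

# Print the symbolic mode string of a path, e.g. drwxrwsr-x (portable: ls -ld)
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create the web root as a setgid, group-writable directory so every file
# and sub-directory created beneath it inherits the web server's group.
prepare_webroot() {
    mkdir -p "$1"
    chmod 2775 "$1"
    # chgrp only succeeds for a member of the group (or root); ignore otherwise
    chgrp "$WEBGROUP" "$1" 2>/dev/null || true
}

# Normalise permissions after the checkout: directories 2775, files keep
# their execute bits but become user/group read-write and world read-only.
fix_perms() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod u+rw,g+rw,o+r,o-w {} +
}

deploy() {
    umask 002
    prepare_webroot "$WEBROOT"
    GIT_WORK_TREE="$WEBROOT" git checkout -f
    fix_perms "$WEBROOT"
}

# Run the deployment only when installed under the hook name; sourcing the
# file under another name (for example to reuse fix_perms) does nothing.
case "${0##*/}" in post-receive) deploy ;; esac
```

Install it as ~/local/hooks/common/post-receive and run gitolite setup, as described in the first answer. Because the directory is setgid and the files end up 664, nginx (running as www-data) can read them and the git user can overwrite them on the next push without any step giving write access to every other user on the host.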

Related

authorized_keys ignored for new git user

I want to create an own git server. I started with a root user and here is the following I did:
mkdir /srv/git/project.git
useradd -r -d /srv/git git
passwd git
Now I have a new user git (can log in via su git from my root account).
I want to login via git@mywebsite.com without the use of a password. Right now, it will ask for a password every time.
For root, I have my SSH public key in .ssh/authorized_keys. The key should also work for git. Do I have to add another authorized_keys file for this git user? With my useradd command, I do not create a home directory where I could add it, so where should it go?
Thank you all for your help!
Run sudo tail -f /var/log/auth.log and attempt to log in once more from a different console. You will now see the log that should tell you why exactly the login was denied.
In my case there were wrong permissions for the home folder.
You did create a home directory, it just isn't sitting under /home.
/srv/git
Under that directory create a .ssh directory, fix the permissions:
mkdir /srv/git/.ssh
chmod 0700 /srv/git/.ssh
Create a new authorized_keys file with the public key in it, fix the permissions:
vim /srv/git/.ssh/authorized_keys # or method of your choice
chmod 0600 /srv/git/.ssh/authorized_keys
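As an added example, not code from either answer: a small sh script that checks the layout sshd's default StrictModes setting insists on before it will read authorized_keys (home, ~/.ssh and ~/.ssh/authorized_keys exist, are owned by the login user, and are not writable by group or others) and a helper that installs a key with the right modes. This is the check that would have pointed at the wrong home-folder permissions mentioned in the first answer. The function names and the key string in the test are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the answers above: check (and optionally
# repair) what sshd's StrictModes expects before it reads authorized_keys.
# Both functions take the home directory as a parameter; nothing here is
# site-specific.

mode_of() { ls -ld "$1" | cut -c1-10; }
# numeric owner uid, so the check works even for users without a passwd name
owner_uid_of() { ls -ldn "$1" | awk '{print $3}'; }

# check_ssh_perms HOME UID: prints one line per problem, returns 1 if any.
check_ssh_perms() {
    home="$1"; uid="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        m=$(mode_of "$p")
        # character 6 is the group write bit, character 9 the other write bit
        case "$m" in
            ?????w????|????????w?) echo "group/other writable: $p ($m)"; rc=1 ;;
        esac
        if [ "$(owner_uid_of "$p")" != "$uid" ]; then
            echo "not owned by uid $uid: $p"; rc=1
        fi
    done
    return "$rc"
}

# install_key HOME PUBKEY_LINE: create ~/.ssh and authorized_keys with the
# modes sshd requires, appending the key only if it is not already present.
install_key() {
    home="$1"; key="$2"
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    # the home directory itself must not be group/other writable either
    chmod go-w "$home"
}
```

For the git user in the question that would be check_ssh_perms /srv/git "$(id -u git)" run as root; any line it prints corresponds to the reason sshd logs in auth.log when it refuses the key.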

Permission denied while cloning project in htdocs

I am new to Linux and I am trying to clone a project into a folder I am currently in, contained in /opt/lampp/htdocs, using the command git clone git@gitlab.com:whatever . but I am getting a permission denied error. What can I do to resolve this issue?
Update httpd.conf
sudo gedit /opt/lampp/etc/httpd.conf
Find
User nobody
Group nogroup
Replace nobody with your username.
Change the ownership of htdocs
sudo chown -R username:username /opt/lampp/htdocs
Change the file permissions of htdocs folder
sudo chmod -R 775 /opt/lampp/htdocs/
Restart your machine
Clear your browser cache
You can also give the folder full permissions like this:
sudo chmod -R 777 /opt/lampp/htdocs/
or sudo chown -R $USER:$USER /opt/lampp/htdocs
I already had my username correctly written in User in the httpd.conf file, and still had the same problem. Finally, I found the solution by changing the port number:
In the same file look for Local:8888 and change 8888 to 80
Try to give full permission to your htdocs folder:
sudo chmod 777 /opt/lampp/htdocs
Then it will ask for a password; enter it and go ahead.
Permission denied is exactly what it says. You do not have permission to write to this folder. You can either git clone the repo as root using sudo git clone (...) or change the permissions of this folder: sudo chmod a+w <path> and then git clone it normally. You can also clone the repository to some other folder to which you already have permission to write.

Subversion sudo svn update changes file ownership and rwx

I'm limiting permissions on a certain file, settings.py in my svn-linked directory, so that it can only be read by sudo users and apache, which goes by the username www-data. So, on settings.py, I've set sudo chmod 640 settings.py and sudo chown www-data:www-data settings.py. I still want my unprivileged users to be able to svn update and svn commit, so with sudo visudo I've set
unprivileged_user ALL = /usr/bin/svn commit *, /usr/bin/svn update *, \
/usr/bin/svn update
so that this user can still do sudo svn commit and sudo svn update. It won't be able to do plain svn commit or svn update because of the limited permissions on settings.py. If the unprivileged user tries to do that, there will be a message from svn that says the working copy is locked. I've noticed however that when I do sudo svn update, the unprivileged_user is updating as root and as a result the files that are updated from the svn repository are now owned by root:root with 644 permissions. This goes against what I'm trying to do with making settings.py owned by www-data:www-data. What can I do to make it so that www-data is always the owner and the rwx privileges remain the same?
The www-data user will have a different UID on each system it is on, making it effectively a new user on each system. You cannot predict which user this will be so you cannot set the owner appropriately. Whoever checks it out will be the owner.
Furthermore, svn does not track permissions. It only tracks whether or not a file is executable. The permissions that the file comes with are determined by your umask.
Use a script instead which does the update and resets the permissions.
svnupdate.sh:
#!/bin/bash
MY_PROJ_PATH=/home/....   # Put your path here
pushd "$MY_PROJ_PATH" || exit 1
# update, then hand the tree back to www-data and re-protect the secret file
svn update "$@" && chown -R www-data:www-data . && chmod 640 settings.py
popd
Also make sure to chmod 750 /usr/local/bin/svnupdate.sh to prevent a security issue with the sudo command,
and also update the sudoers file:
unprivileged_user ALL = /usr/bin/svn commit *, /usr/local/bin/svnupdate.sh
Here's what I have right now. I'm using a post svn update hook, and I don't know how secure it is. This is for svn update only. Please feel free to state your opinions on this.
In /usr/local/bin, I create ssh-action.sh based off of this:
http://top-frog.com/2009/04/23/client-side-pre-and-post-svn-hooks-with-unix-aliases/
My actual ssh-action.sh looks like this:
#!/bin/bash
REAL_SVN='/usr/bin/svn'
BASE_PATH='/home/unprivileged_user/test_svn/'
# run the real svn with the caller's arguments
"$REAL_SVN" "$@"
wait
# post-svn actions
if [ "$1" = 'up' ] || [ "$1" = 'update' ]; then
find -L "$BASE_PATH" -type f -name 'settings.py' -exec bash -c 'sudo chmod 0400 "$0" && sudo chown www-data "$0"; sudo chgrp www-data "$0"' '{}' \;
fi
Then in sudo visudo, I add this to the bottom:
unprivileged_user ALL = NOPASSWD: /bin/chown www-data */test_svn/settings.py, /bin/chmod 0400 */test_svn/settings.py, /bin/chgrp www-data */test_svn/settings.py
Next, cd /home/unprivileged_user, open .bashrc , and add this to the bottom:
alias svn=/usr/local/bin/ssh-action.sh
Afterward, I need to make .bashrc immutable so that the unprivileged user can't edit it to bypass my svn hook. I do this with sudo chattr +i .bashrc
With this hopefully whenever the unprivileged_user tries to svn update the test_svn working copy, settings.py will be owned by www-data:www-data with 400 permissions. What do you guys think? Are there any security flaws here? Thanks.
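As an added example, not code from this thread: the svnupdate.sh idea from the first answer written so that the sudoers entry needs no wildcard at all. The wrapper is the only command granted, it takes no arguments (so nothing the caller types reaches svn), and it only resets ownership on a regular file whose directory resolves inside the working copy, so a symlink named settings.py is skipped rather than followed the way find -L would. Working copy path, file name and owner are the thread's values; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from this thread: a fixed-purpose wrapper that is
# the only command granted in sudoers, so the sudoers entry needs no
# wildcards and the wrapper, not the caller, decides what runs. Assumed
# names: working copy /home/unprivileged_user/test_svn, protected file
# settings.py, owner www-data (taken from the thread; adjust as needed).
set -u

WC="${WC:-/home/unprivileged_user/test_svn}"
SECRET="settings.py"
OWNER="www-data"

# The wrapper accepts no arguments: anything forwarded to svn through sudo
# would widen what the single sudoers line allows.
require_no_args() { [ "$#" -eq 0 ]; }

# A target is only touched if it is a regular file (never a symlink) whose
# directory resolves, after following any links in the path, inside the
# working copy.
is_safe_target() {
    f="$1"
    [ ! -L "$f" ] && [ -f "$f" ] || return 1
    dir=$(cd "$(dirname "$f")" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        "$WC"|"$WC"/*) return 0 ;;
    esac
    return 1
}

# Reset the protected file to 0640 www-data:www-data after an update.
restore_perms() {
    is_safe_target "$1" || return 1
    chmod 0640 "$1" && chown "$OWNER:$OWNER" "$1"
}

main() {
    require_no_args "$@" || { echo "usage: ${0##*/} (takes no arguments)" >&2; exit 2; }
    cd "$WC" || exit 1
    /usr/bin/svn update --non-interactive || exit 1
    restore_perms "$WC/$SECRET"
}

# Matching sudoers line: the trailing "" tells sudo the command may only be
# run with no arguments.
#   unprivileged_user ALL = /usr/local/bin/svnupdate.sh ""
case "${0##*/}" in svnupdate.sh) main "$@" ;; esac
```

Keep the script root-owned and not writable by the unprivileged user (the 750 from the first answer), otherwise the sudoers entry grants whatever that user edits into it.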

Permission Denied when pulling into git Repository

I seem to have permissions issue with a git repository.
I get this error when I pull in a directory my Linux user did not create.
fatal: Unable to create '/home/---/.git/ORIG_HEAD.lock': Permission denied
My user is a member of a group called grp. I changed every file to grp:grp and I still cannot pull.
Is there any thought on why this happens? For what it's worth I changed the actual /git/REPOSITORY files also to grp:grp.
Of course, when I use sudo I can pull fine but I prefer not to do it this way.
User: root
1) rm -f .git/ORIG_HEAD.lock
2) chown -R MY_USER_NAME .git
3) chgrp -R MY_USER_NAME .git
4) git pull

how to run svn update via svn post-commit hook

Goal: update /var/www with latest on svn commit.
ubuntu server 10.10, latest apache2, latest svn, location: /var/svn/[projectname]
To do this I created a simple post-commit script:
#!/bin/bash
#tests if www-data user runs this script on commit (which it does)
touch /tmp/test.log
#works when run from the command line (sudo ./post-commit) but not when run by www-data
sudo /usr/bin/svn update /var/www
To fix the issue of the second command not working as www-data I tried...
Editing: sudo visudo and added (at the end): www-data ALL=(ALL) NOPASSWD:ALL
Chowning: /var/www to www-data:www-data
Chmoding: all of /var/www to 777
Still no luck... any ideas?
What if you run this:
su - www-data -c '/usr/bin/svn update /var/www'
(The sudo is not needed if /var/www/ is 777 and owned by www-data.)
as the root user? (It then switches to www-data and runs the command.)
It should give more information on what actually fails.
Or, you could try logging the svn update output from your post-commit hook:
/usr/bin/svn update /var/www &> /tmp/my-svn-update.log
I think these two tests should give you more information on what happened.
SIDE NOTE: I'm not sure you really want to take the risk of having www-data able to run any command as the root user. If you absolutely need it to run svn as root (I don't see the point there, but it could be), just use this in your /etc/sudoers:
www-data ALL=NOPASSWD: /usr/bin/svn
I went first with the logging mechanism you suggested and that helped fix it! Thank you!
The output error had something to do with a filename in the repo which couldn't be converted to UTF-8. I deleted the file and it worked. But why it worked when calling post-commit directly... I've no clue.
BTW, I was mistaken about it being bash (it was sh) so I had to change &> to 2>
Also, I deleted the checked out files, reset the permissions and owner back to normal on /var/www and then checked them out again.
my final sudoers line:
www-data ALL=NOPASSWD:/usr/bin/svn update /var/www
Thanks so much for the help!
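As an added example, not the poster's hook: a post-commit hook written for /bin/sh rather than bash, which is the portability point raised above (sh has no &>, so stderr is joined with 2>&1), that logs a timestamp, the command and its exit status for each run and returns that status so a failed update is visible both in the log and to svn. It uses the thread's final sudoers line exactly, since adding any option to the svn command would stop matching it. Log path and helper names are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's hook: a post-commit hook for /bin/sh that
# logs what it runs and how it exited. Assumed log path; the svn command is
# exactly the one allowed by the thread's sudoers line
#   www-data ALL=NOPASSWD:/usr/bin/svn update /var/www

LOG="${LOG:-/var/log/svn-post-commit.log}"
WC="${WC:-/var/www}"

timestamp() { date '+%Y-%m-%dT%H:%M:%S%z'; }

# run_logged LOGFILE CMD...: run CMD, append its combined stdout/stderr and
# exit status to LOGFILE, and return CMD's exit status.
run_logged() {
    log="$1"; shift
    printf '%s running: %s\n' "$(timestamp)" "$*" >> "$log"
    # sh has no &>, so join stderr into stdout explicitly; the if keeps a
    # failing command from aborting the script when set -e is active
    if "$@" >> "$log" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s exit status %d\n' "$(timestamp)" "$status" >> "$log"
    return "$status"
}

# svn passes the repository path and the new revision to post-commit
post_commit() {
    repos="$1"; rev="$2"
    printf '%s post-commit: repository %s revision %s\n' "$(timestamp)" "$repos" "$rev" >> "$LOG"
    run_logged "$LOG" sudo /usr/bin/svn update "$WC"
}

case "${0##*/}" in post-commit) post_commit "$@" ;; esac
```

The log file must be writable by www-data (the user the hook runs as); a hook that cannot open its own log fails as silently as the original did.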
