Problems with file hooks and permissions in GitLab - gitlab

I run my own GitLab server and set up a file hook which is supposed to access some files in my user's directory. The file hook is executed by the git user, so I get a permission denied.
A certain process foo, which places some files in my user directory that the file hook is supposed to read, does not give me the option to add another group to the created files.
Does anyone have an idea how to solve this issue?

Besides:
using sudo, meaning having a sudoers entry in place authorizing git to copy foo's files
modifying the ACL (setfacl) to add git as an authorized user to read those files
there is no GitLab-specific solution, only Linux-based ones.

Related

Doing a 'git pull' with Apache from a Bash script

I have a Git repository on Bitbucket named "foo-apps". I have a Linux web server with a local clone of this repository, and I want this server's associated Apache web page to do some Git commands with this repository, such as git pull and git checkout, via a Bash script. The problem is, only the user "foo" has permission to associate with the "foo-apps" repository, and the web page runs as the Apache user, "www-data".
It seems that www-data can do git log and some other commands on the local repository, but not the git pull or the git checkout command. (Just so you know my system: I have an HTML file that contains JavaScript, which contains an AJAX request, which calls a PHP file, which calls my Bash script, which has the Git commands in it.)
What are some ways that I can successfully get those Git commands to work when the process is triggered by the web interface? I am not opposed to any working suggestions, even if they include a complete overhaul of my system... however, I would like to have the simplest effective solution with what I've already got.
Here are some ideas I've thought of and tried out a bit. None of them seem to work, but keep in mind that I've only "half tried" them as I didn't have confidence I was using preferred methods:
Giving www-data permission on my Bitbucket repository
Giving Apache access to foo's ssh keys
Somehow switching to user foo in the script, like with sudo, su, etc.. (I think this type of thinking is more along the lines of what I want... I don't have a lot of control over the settings of the Bitbucket repository. I am fine putting a password in a script, too.)
This web server is on a closed network, and security is not a very high concern for me.
I don't know if it's useful, but here are some of the main Git related errors I've received when trying these methods:
error: cannot open .git/FETCH_HEAD: Permission denied
fatal: BUG: get_tempfile_fd() called for inactive object
/usr/bin/git: /usr/bin/git: cannot execute binary file
I found the answer on this page (thanks odyniec).
I had to add this line to the /etc/sudoers file:
www-data ALL=(foo) NOPASSWD: /var/www/html/my_bash_script.sh
This let Apache have the permission to run that specific script I wanted. And then from my PHP file, instead of running
shell_exec("/var/www/html/my_bash_script.sh");
I had to run
shell_exec("sudo -u foo /var/www/html/my_bash_script.sh");
This answer seems secure and simple.
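The sudo route in this answer is the same mechanism the first thread's answer lists for the git user. What neither post spells out is the one thing a NOPASSWD rule silently depends on: the target script must not be writable by the user the rule is granted to, otherwise that user can edit the script and run arbitrary commands as the target account. Below is an added example (not code from either post) that checks exactly that before the rule is installed; the user names and the script path (www-data, foo, /var/www/html/my_bash_script.sh) are taken from the question and are assumptions for the illustration.

```sh
#!/bin/sh
# Added example (not from the original answers). Guard a rule like
#   www-data ALL=(foo) NOPASSWD: /var/www/html/my_bash_script.sh
# against the obvious escalation: if www-data can edit the script, www-data
# can run anything as foo. User and path names are assumptions.

# check_sudo_target PATH INVOKER
# Returns 0 when PATH is absolute, is a regular file, is not owned by INVOKER
# and is not group- or world-writable; prints the reason and returns 1 otherwise.
check_sudo_target() {
    target=$1
    invoker=$2
    case $target in
        /*) ;;
        *) echo "refuse: $target is not an absolute path"; return 1 ;;
    esac
    [ -f "$target" ] || { echo "refuse: $target is not a regular file"; return 1; }
    # ls -ld prints: mode links owner group ... (same field layout on GNU and BSD)
    set -- $(ls -ld "$target")
    mode=$1
    owner=$3
    [ "$owner" != "$invoker" ] || { echo "refuse: $target is owned by $invoker"; return 1; }
    case $mode in
        ?????w*|????????w*)
            echo "refuse: $target is group- or world-writable ($mode)"; return 1 ;;
    esac
    echo "ok: $target ($mode, owner $owner)"
    return 0
}

# sudoers_rule INVOKER TARGET_USER PATH
# Prints the one-line rule for a drop-in file under /etc/sudoers.d.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Install sequence, run as root (commented out because it writes /etc/sudoers.d):
#   chown foo:root /var/www/html/my_bash_script.sh
#   chmod 755 /var/www/html/my_bash_script.sh
#   check_sudo_target /var/www/html/my_bash_script.sh www-data || exit 1
#   sudoers_rule www-data foo /var/www/html/my_bash_script.sh \
#       > /etc/sudoers.d/www-data-deploy
#   chmod 440 /etc/sudoers.d/www-data-deploy
#   visudo -cf /etc/sudoers.d/www-data-deploy     # syntax check before relying on it
# PHP then calls exactly the path named in the rule:
#   shell_exec("sudo -u foo /var/www/html/my_bash_script.sh");
```

Two details worth keeping in mind: sudo resets the environment, so the script should start with `set -eu`, use absolute paths and `cd` into the clone rather than trusting PATH or HOME from the web server; and a sudoers command listed without arguments may be invoked with any arguments, so append `""` to the path in the rule if the script is not meant to take any.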

Permissions to delete generated files from another user in linux (gitlab-runner)

I'm using gitlab-runner to deploy my PHP application to an nginx web server.
To deploy I'm using these steps:
1. delete all files in the folder /var/www/site
2. move files from the GitLab repository to /var/www/site
All these actions are performed only after pushing new changes to the repository.
I have a problem. Files that are copied to /var/www/site are owned by gitlab-runner.
After uploading a file from a POST form, the files are owned by www-data (the nginx user).
After the next push, GitLab can't deploy because it fails on the first step: user gitlab-runner hasn't the right to delete www-data's files.
I can't change the nginx user to gitlab-runner for a reason, and I don't know how to change gitlab-runner to another user.
Can anyone help me?
You can use the command chown to change the owner of a file.
chown uu:gg file will set the owner of the file to uu and the group to gg.
You can change the permissions of a file with the chmod command.
chmod g+w file will give write access to the file to users of the group of the file.
With these commands you should be able to set the group of the files to a group compatible with GitLab (check the initial group of the files with the ls -l command).
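Added example, not code from the original answer. The detail the answer circles around is that deleting a file is a write to the directory that contains it, not to the file, so what gitlab-runner needs is write access to /var/www/site itself; and for uploads that nginx creates later to stay deletable, the directory needs the setgid bit so new files inherit a group both users belong to. The group name (webdeploy), the path and the user names are assumptions for the illustration.

```sh
#!/bin/sh
# Added example (not from the original answer). Unlinking a file needs write+exec
# on the directory, not on the file, so a shared, setgid, group-writable deploy
# directory lets gitlab-runner delete what www-data uploaded and vice versa.
# Group name, path and user names are assumptions.

# setup_shared_dir DIR GROUP: group-own DIR and give it mode 2775 (setgid, so
# files created inside get GROUP regardless of the creating user's primary group)
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"
}

# file_group PATH: prints the group shown by ls -ld (field 4)
file_group() {
    set -- $(ls -ld "$1")
    echo "$4"
}

# shared_dir_ok DIR GROUP: 0 when DIR carries GROUP, is group rwx with setgid
# and has no sticky bit (with the sticky bit, as on /tmp, only a file's owner
# may delete it, which would recreate the original problem).
shared_dir_ok() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    [ "$(file_group "$dir")" = "$group" ] || { echo "wrong group on $dir"; return 1; }
    set -- $(ls -ld "$dir")
    case $1 in
        d????ws??[!tT]*) return 0 ;;                 # drwxrwsr-x, optional ACL/SELinux suffix
        *) echo "bad mode on $dir: $1 (want drwxrwsr-x)"; return 1 ;;
    esac
}

# user_in_group USER GROUP: 0 when USER's groups include GROUP
user_in_group() {
    id -Gn "$1" | tr ' ' '\n' | grep -qx "$2"
}

# One-time setup as root (commented out: needs root and the real accounts):
#   groupadd webdeploy
#   usermod -aG webdeploy gitlab-runner
#   usermod -aG webdeploy www-data        # restart nginx and the runner afterwards
#   setup_shared_dir /var/www/site webdeploy
#   for u in gitlab-runner www-data; do
#       user_in_group "$u" webdeploy || echo "$u is not in webdeploy"
#   done
#   shared_dir_ok /var/www/site webdeploy
# The deploy job can then keep its two steps:
#   rm -rf /var/www/site/* && cp -r public/. /var/www/site/
```

Group membership is read at login, so the runner and nginx have to be restarted after usermod before the new group takes effect. Files nginx writes will still be 644 unless its umask is changed, which only matters if the runner also needs to modify them in place rather than delete and recreate them.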

How to make a file executable on an OpenShift server after pushing it via git

The original post is found here.
I want to ensure my index.cgi is set to 755, even after I push files to git.
This is not happening, and the file permission, based on the umask I understand, is getting set to 700.
I am unable to create the post-update script on the server, which is to be kept at the openshift/hooks location, due to the set permissions.
So I tried using action hooks to do the job.
I created a file named stop in my local action hooks folder.
Following this I pushed my index file to the server.
My index file still shows permission as 700.
How can I resolve this?
Try updating the permissions in git.
git update-index --chmod=+x <your_file>
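The answer points at the right mechanism, and the exact syntax matters: git update-index --chmod accepts only +x or -x, because git records just two file modes, 100644 and 100755, never a full 700 or 755; the remaining bits come from the umask on the receiving side at checkout. Added example, not from the original post, run in a throwaway repository created for the illustration:

```sh
#!/bin/sh
# Added example (not from the original answer): record index.cgi as executable
# in git so a checkout on the server produces an executable file. The
# repository below exists only for this demonstration.

# index_mode REPO FILE: prints the mode git has recorded for FILE (100644/100755)
index_mode() {
    # ls-files -s prints "<mode> <object> <stage>\t<path>"
    git -C "$1" ls-files -s -- "$2" | cut -d' ' -f1
}

# git_mark_executable REPO FILE: sets the executable bit in the index and
# prints the newly recorded mode. Commit afterwards as usual.
git_mark_executable() {
    git -C "$1" update-index --chmod=+x -- "$2" || return 1
    index_mode "$1" "$2"
}

# Demo in a temporary repository with a constructed index.cgi
demo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    printf '#!/usr/bin/env python3\nprint("Content-Type: text/plain\\n\\nhello")\n' \
        > "$repo/index.cgi"
    git -C "$repo" add index.cgi
    echo "before: $(index_mode "$repo" index.cgi)"           # 100644
    echo "after:  $(git_mark_executable "$repo" index.cgi)"  # 100755
    rm -rf "$repo"
}
```

Git applies the umask when it creates files at checkout, so with 100755 recorded and a umask of 077 on the server the file still comes out as 700; a 755 result needs a umask of 022 (or an explicit chmod in a hook) on the receiving side as well.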

Allowing jenkins to access contents of currently logged in user folder

I am using Jenkins to build my project in a Linux machine. During the build operation files are read from a source location and copied to a new destination location. The source and destination locations are input by the user from the Jenkins UI. I want the user to be able to select any folder located within his/her home folder as source or destination. For example: /home/jdoe/folder.
Currently, any folder inside /var/lib/jenkins, with jenkins:nogroup user-group, can be selected. However, a folder inside /home/jdoe/folder with the same (jenkins:nogroup) user-group, and with the same permissions as the folders within /var/lib/jenkins, cannot be selected. I get a permission denied error on trying to read or write inside /home/jdoe/folder.
What can I do to enable reading and writing to a folder within the home folder of the currently logged in user? Can I set up Jenkins in a certain way to be able to do that, or do I have to change group settings for the home folder? Could you suggest a good configuration for me to be able to make this work?
Would there be any difference in using Jenkins on an Windows platform?
First make sure that the folder has read-write access for the jenkins user group.
sudo chmod -R 770 /home/jdoe
Also, as in the comment by Daniel, grant execute permission on the /home/jdoe folder.
sudo chmod a+x /home/jdoe

What permissions should Jenkins have to execute shell commands without being insecure?

I have a script (test.sh) on a local server, which works fine when executed in a terminal. The script removes a directory and recreates a local directory. It then connects to a remote server using "ssh -i $private_key .." and copies a file there.
When I execute this script in Jenkins with
sh test.sh
it doesn't work. I get the following errors:
rm: .. Permission denied
mkdir: .. Permission denied
Warning: Identity file /.ssh/private_key not accessible: Permission denied.
Jenkins is on the same server as the script.
I see that Jenkins is another user and can't do everything that I'm doing as root; how can I set the permissions without losing all security? Especially in the case of the private_key, it would be silly to set the permissions too easy; it is currently set to 600 (read and write permission for the owner) and the owner is root.
The whole point of setting the private key's permissions to 600 is that no other user should be able to access it. If you have placed the keys in another user's home directory (/home/anotheruser/.ssh), then neither the Jenkins user, nor anyone else (except root) will be able to access it. This is as designed.
If you want your Jenkins user to be able to use the private key, copy it over to the jenkins users home directory as well (/home//.ssh).
Also, if you are trying to delete/create directories in some other user's directory as the Jenkins user without providing permissions, you will get a permissions error. This is because of security. The only way to allow this is to allow the Jenkins user to make changes to those directories.
One safe option is to add the Jenkins user to the same group as the other user. Once you do this, set the permissions on the directories you want to read from and write to, to allow anyone in the user's group to make changes.
rwxrwx---
The above permissions will allow the owner of the folder and any other users in the same group to make changes, but will not allow anyone else. This is safe, since you control who is part of the other user's group.
EDIT
It looks like your error has changed, though. You're not getting permission denied any more. Can you still do it through terminal? The reason (I think) it is saying that the host key verification has failed is because your key was originally created for the other user. I realise I said to do this in the answer above, but it is not the right way.
As the jenkins user, can you run the following commands:
ssh-keygen (say yes or agree if it asks if you want to replace your current keys)
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_server
ssh remoteuser@remote_server
If this works, try your script through the terminal, and then through jenkins again...
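The EDIT has the right direction: give Jenkins its own key rather than a copy of root's. Added example, not code from the post, of a pre-flight check to run as the jenkins user before debugging further, because ssh itself refuses a private key that other users can read and never sees a file inside root's home. The key path, the jenkins user name and the remote host are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer). ssh rejects a private key whose
# mode lets group or others read it, and ignores ~/.ssh when others can write
# to it. Run these checks as the jenkins user. Paths and names are assumptions.

# key_usable KEYFILE USER
# Returns 0 when KEYFILE exists, is owned by USER and has no group/other bits;
# prints the reason and returns 1 otherwise.
key_usable() {
    key=$1
    user=$2
    [ -f "$key" ] || { echo "no such key: $key"; return 1; }
    set -- $(ls -ld "$key")          # mode links owner group ...
    mode=$1
    owner=$3
    [ "$owner" = "$user" ] || { echo "$key is owned by $owner, not $user"; return 1; }
    case $mode in
        ?rw-------*|?r--------*) ;;
        *) echo "$key has mode $mode; it needs 600 (chmod 600 $key)"; return 1 ;;
    esac
    echo "ok: $key"
    return 0
}

# ssh_dir_ok DIR: 0 when DIR exists and is not group- or world-writable
ssh_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    set -- $(ls -ld "$dir")
    mode=$1
    case $mode in
        ?????w*|????????w*) echo "$dir is group- or world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# As the jenkins user (for example: sudo -u jenkins -i), give Jenkins its own
# key instead of copying root's, register it on the remote host, then verify:
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ''
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub remoteuser@remote_server
#   ssh_dir_ok ~/.ssh && key_usable ~/.ssh/id_ed25519 jenkins
#   ssh -i ~/.ssh/id_ed25519 remoteuser@remote_server true
# A warning that names /.ssh/private_key is what "$HOME/.ssh/private_key"
# expands to when HOME is empty, so also check the job's environment.
```

If the existing key is copied instead of regenerated, it needs `chown jenkins:` and `chmod 600` in the new location, and the remote host's known_hosts entry has to be created for the jenkins account as well, which is what the "host key verification failed" message in the EDIT is about.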
