Deploy with git pull on webserver on /var/www/vhosts - linux

Can I create with git files owned by root without using root to push?
I use the git user to push to the webserver. But /var/www is owned by root or www-data with no write access for other users.
I can pull in another directory and use "hook/post-receive", but this hook is still executed as the git user...
For the moment I log in to the webserver and do a sudo git pull origin. But it would be more efficient if I were able to do a git pull on the server from my laptop.
Thanks

Just putting my comment here as answer, since as far as I know, it will completely fix the problem:
Make a symlink in /var/www to a map owned by the git user (e.g. /home/git/www). Then push your files to this /home/git/www map. No problems with permissions anymore.

My solution was to give all files to git by way of the www-pub group with read permission for everyone—except settings files with the MySQL password.
I push to /home/git/repository/project and checkout to /var/www/project using hook/post-receive.

Related

git push error, unable to write sha1 filename ./objects

Here is a problem.
I create a new repository with
mkdir -p repositories/project.git
cd repositories/project.git
git init --bare --shared=all
The repository is at shared local folder. UMASK is 022.
Later on, folks in my team are able to clone the project and push a few changes.
However, soon they come across this issue when they try to do 'git push'.
error: unable to write sha1 filename ./objects/3c/c2f933427a4215d3237a0c3b874a4ff16725: Permission denied
To myaccountname@nameofthecomputer:/repositories/project.git
! [remote rejected] master -> master (unable to migrate objects to permanent storage)
error: failed to push some refs to 'myaccountname@nameofthecomputer:/repositories/project.git'
The problem is obviously in the way git creates some internal files/objects, because if I do:
sudo chmod -R 777 project.git
the problem is temporarily gone.
What am I doing wrong?
git init --shared=all makes the repository readable by all users, but not writable by all users. Making any directory writable by all users (without using the sticky bit) is generally a colossal security risk, so Git doesn't provide that as an option.
If you want people to all be able to write to a Git repository this way, then place them all in a single group, say git. Change the main repository and all of its subdirectories to have that group, and make each directory setgid. That means that each directory and file that's created will have the group git. Since with --shared=all, Git will make all files and directories writable by that group, users should be able to push normally to the repository.
Note that the umask is not relevant here, since Git will adjust the permissions to honor the setting you specified.
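An added example, not from the answer above: a small POSIX shell audit of the layout the answer describes (shared group on every entry, setgid on every directory, group-writable, never world-writable), plus a function that applies it. The repository path and group name are arguments; nothing here is taken from a real system.

```shell
#!/bin/sh
# Added example, not from the answer above: audit and apply the shared-group layout
# it describes. Clean layout = every entry owned by the shared group, every directory
# setgid (new objects inherit the group), group-writable, nothing world-writable.
# Usage: audit_shared_repo /repositories/project.git git
audit_shared_repo() {
    repo=$1
    group=$2
    report=$(
        # directories lacking setgid (02000): objects written there get the pusher's group
        find "$repo" -type d ! -perm -2000 | sed 's/^/missing setgid: /'
        # anything world-writable (0002): the state "chmod -R 777" leaves behind
        find "$repo" -perm -0002 | sed 's/^/world-writable: /'
        # entries not owned by the shared group: g+w from --shared is useless for them
        find "$repo" ! -group "$group" | sed 's/^/wrong group: /'
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]   # exit status 0 only when nothing was reported
}

# Apply the answer's fix to an existing repo (run as its owner, or under sudo).
# Symbolic modes keep hooks executable; setgid goes on directories only.
# Usage: make_shared_repo /repositories/project.git git
make_shared_repo() {
    chgrp -R "$2" "$1" &&
    chmod -R g+w,o-w "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}
```

Run the audit after the 777 "fix" from the question and every object shows up as world-writable, which is exactly the exposure the answer warns about.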

What permissions settings does push-to-deploy require?

The title is general, but I have more specific questions. I am deep in a permissions nightmare trying to set up a "push-to-deploy" system using Git.
From my local machine, I push by SSH to the server (Ubuntu 14.04). I have the server set up as the remote
git remote add development devuser@development.server:/home/dummyuser/bare/repo.git
This bare repository is within the home folder of a dummy user dummyuser that we use to handle deployment tasks. devuser is my own account on the development server.
I have a post-receive hook set up within the remote repository (development.server:/home/dummyuser/bare/repo.git/hooks/post-receive) that's intended to deploy files via git checkout to a web server directory on the same server, call it webfolder/. That folder currently has permissions
drwxr-xr-x dummyuser www-data webfolder/
where www-data is the group associated with the Apache user.
If I have the post-receive hook script use the command
git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
I get errors that it can't write to webfolder/, which is predictable since I assume the script is running as me (devuser) since I did the instigating push via SSH, and devuser doesn't have any permissions on webfolder/.
However, if I change the script to act as dummyuser,
sudo -u dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
just to see what happens, I have the error
warning: unable to access '/home/devuser/.config/git/attributes': Permission denied
There are a couple of things I don't understand about this:
1) Neither /home/devuser/.config/ nor /home/dummyuser/.config/ exist. That's fine, but if Git needs to access a .config/ folder, why wasn't it complaining before when I was setting up bare repos and executing hooks as devuser?
2) Now that I'm trying to act as dummyuser, why is Git looking in ~devuser/ for a .config/ folder? Why isn't it looking in ~dummyuser/?
I've been working on this tiny slice of one single problem in the maddening shitshow that is "using Git" for coming up on four hours now, and my brain is fuzzy, so please use small words.
The problem is something involving sudo -u dummyuser not setting the environment variables that Git expects. If I add HOME=/home/dummyuser to the post-receive hook, the deployment works as expected.
If anyone can provide more details about what's happening or a better solution, write it as an answer and I'll accept it. Couple of notes:
dummyuser doesn't have a login, so using sudo -iu dummyuser in the post-receive script won't work
After setting HOME=/home/dummyuser manually and successfully executing the script, I find that echo $HOME from the terminal returns /home/devuser, so there's no permanent change to $HOME
After successfully executing the hook script, neither ~devuser/ nor ~dummyuser/ nor /root/ have a .config/ folder. So... I still have no idea why Git was hung up on it.
Git expects a .config folder in the user's home directory. If $HOME isn't set correctly, e.g. if it points to a different user's home, Git will try to access $HOME/.config, not knowing that it actually doesn't even exist. However, since the user, and thus Git, doesn't have access to that $HOME, you will receive an error saying Permission denied.
To test that, try to run as dummyuser:
[ -d /home/devuser/.config ] && echo '.config exists!'
You're trying to test if the directory /home/devuser/.config exists. However, since you don't have the needed permissions, you get Permission denied, and you still don't know whether the directory exists or not.
Instead of setting $HOME manually, you could possibly use -H or --set-home:
sudo -Hu dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f

Redmine error log fatal:not a git repository

I installed redmine on git server (gitlab), which is our main git server (same machine).
When I add the repository (through gitlab) information in redmine web,
The redmine log says:
/usr/local/redmine/log/production.scm.stderr.log <
fatal: Not a git repository: '/data/gitlab/git-data/repositories/woojs/RedmineTestProject.git/'
But when I check whether it is bare or non-bare using a git command, I get this:
root@gitserver:/data/gitlab/git-data/repositories/woojs/RedmineTestProject.git# git rev-parse --is-bare-repository
true
I tried to change some things related to permissions: Changing owner to www-data and changing permissions to 777. It's still not working.
Similar to this old thread, check the account which runs redmine: does that account have the right to access /data/gitlab/git-data/repositories/woojs/RedmineTestProject.git? (or anything under /data/gitlab/git-data/repositories/?)
This usually is a right access issue.

Git save password of remote connection locally, connecting via root@

I would just like to start by saying I am completely new to git so I am probably doing things the wrong way but am trying to follow posts on here and guides online. I know this is probably a dumb post, but I am just a web designer so very basic with this stuff, would appreciate any advice about the way I am doing this, or if there is a better way.
I installed git on my centos vps and then setup my repository inside my website, location here:
/var/www/vhosts/server.userfarmer.com/userfarmer/userfarmer.git
The userfarmer folder before the .git folder is my main website's directory; I am trying to upload my website from my local machine via git to this folder. I set this up over ssh using:
mkdir userfarmer.git
cd userfarmer.git
git --bare init
I have then setup the git remote connection locally using:
git remote add origin root@serverip:/var/www/vhosts/server.userfarmer.com/userfarmer/userfarmer.git
Now I can connect to this fine, but each time I do I require my root password. Is there any way to save this so it is not needed each time I do a push?
Any advice greatly appreciated, this is all completely new to me,
Thanks,
Simon
On your server create a .ssh folder at root user home directory.
mkdir /root/.ssh/
Give it 700 permission.
chmod 700 /root/.ssh/
Create a file named "authorized_keys" inside the .ssh folder and give it permission 600
touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
Now from your laptop:
Append your public key, i.e. the content of laptop.pub, to authorized_keys.
cat ~/.ssh/laptop.pub | ssh root@serverip "cat >> ~/.ssh/authorized_keys"
you can open the file
.git/config
look for line
url=root@serverip:/var/www/vhosts/server.userfarmer.com/userfarmer/userfarmer.git
and add your password in format:
url=root:password@serverip:/var/www/vhosts/server.userfarmer.com/userfarmer/userfarmer.git
next time you open a repo, add it by writing
git remote add origin root:password@serverip:/var/www/vhosts/server.userfarmer.com/userfarmer/userfarmer.git

Auto Deploying with Git

I am wondering if anyone has a better strategy for this scenario.
I am currently hosting my own remote git repo on the same box as the webserver.
All git repos are under the git user.
sudo -uwww-data -gwww-data git --git-dir=/var/www/website/.git --work-tree=/var/www/website pull
I have a cron job running as root every minute that executes this command. The git repo in the web folder is cloned from the same box to git's home dir where it's stored instead of through ssh.
So my question: Since git doesn't own the web files, it can't move the site using a git hook. I would assume I don't want git to have sudo, nor would that work via a git hook, right? Is there something that will deploy the site faster than every minute? I don't want the operation to be very expensive.
Is there some kind of daemon root could run and listen for some kind of notification? Like having it watch a file's last modified time?
Note that this article (in French, translated through Google) reports that sudo works with your approach:
change sudo to allow the gitosis user to use this command as www-data.
To do this, by running "visudo" add the line:
git ALL = (www-data) NOPASSWD: /usr/local/bin/pullhere
Then, in each repository where necessary, add the next hook in a post-receive file:
sudo -u www-data /usr/local/bin/pullhere /html/u/user/here
e.g. in /home/git/repositories/projet1.git/hooks/post-receive
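An added example, not the French article's script: one way to write the /usr/local/bin/pullhere that the sudoers line above lets the git user run as www-data. Since the work-tree argument crosses a privilege boundary, it is matched exactly against a fixed allowlist; the two target paths are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's script: a /usr/local/bin/pullhere that the sudoers rule
# above lets the git user run as www-data. The work-tree argument crosses a privilege
# boundary, so it is matched exactly against a fixed allowlist instead of being trusted.
# The two paths below are hypothetical deploy targets (space-separated, no spaces inside).
PULLHERE_ALLOWED="/var/www/website /var/www/other-site"

# Returns 0 only when $1 is, byte for byte, one of the allowlisted work trees.
# Exact matching needs no ".." or symlink heuristics: anything else is simply refused.
pullhere_target_allowed() {
    for allowed in $PULLHERE_ALLOWED; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Entry point for the post-receive hook: sudo -Hu www-data /usr/local/bin/pullhere /var/www/website
# (-H so git sees www-data's HOME, avoiding the ~devuser/.config error from the earlier question).
pullhere() {
    if ! pullhere_target_allowed "$1"; then
        echo "pullhere: refusing work tree '$1'" >&2
        return 1
    fi
    [ -d "$1/.git" ] || { echo "pullhere: $1 is not a checkout" >&2; return 1; }
    # Fast-forward only: a deploy should never silently create merge commits as www-data.
    git --git-dir="$1/.git" --work-tree="$1" pull --ff-only
}

# Dispatch only when executed as the pullhere script itself (not when sourced).
case $0 in
    */pullhere|pullhere) pullhere "$1" ;;
esac
```

With the allowlist in place, the sudoers rule grants exactly one action on exactly those trees, rather than "run git as www-data anywhere the hook names".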
This might interest you if you're still looking at a way to perform automatic deploys after a git push:
https://github.com/JamesBrooks/git-runner (with the git-runner-deploy gem).
