how to run svn update via svn post-commit hook - linux

Goal: update /var/www with latest on svn commit.
ubuntu server 10.10, latest apache2, latest svn, location: /var/svn/[projectname]
To do this I created a simple post-commit script:
#!/bin/bash
#tests if www-data user runs this script on commit (which it does)
touch /tmp/test.log
#works when run from the command line (sudo ./post-commit) but not when run by www-data
sudo /usr/bin/svn update /var/www
To fix the issue of the second command not working as www-data I tried...
Editing: sudo visudo and added (at the end): www-data ALL=(ALL) NOPASSWD:ALL
Chowning: /var/www to www-data:www-data
Chmoding: all of /var/www to 777
Still no luck... any ideas?

What if you run this:
su - www-data -c '/usr/bin/svn update /var/www'
(The sudo is not needed if /var/www/ is 777 and owned by www-data..)
As the root user? (then it suid()s as www-data and runs the command).
It should give more information on what does actually fail.
Or, you could try logging the svn update output from your post-commit hook:
/usr/bin/svn update /var/www &> /tmp/my-svn-update.log
I think that these two tests should give you more information on what happened.
SIDE NOTE: I'm not sure you really want to take the risk of having www-data able to run any command as the root user.. If you absolutely need to have it run svn as root (I don't see the point there, but it could be), just use this in your /etc/sudoers:
www-data ALL=NOPASSWD: /usr/bin/svn

I went first with the logging mechanism you suggested and that helped fix it! Thank you!
The outputted error had something to do with a filename in the repo which couldn't be converted to UTF-8. I deleted the file and it worked. But why it worked when calling post-commit directly... I've no clue.
BTW, I was mistaken about it being bash (it was sh) so I had to change &> to 2>
Also, I deleted the checked out files, reset the permissions and owner back to normal on /var/www and then checked them out again.
my final sudoers line:
www-data ALL=NOPASSWD:/usr/bin/svn update /var/www
Thanks so much for the help!
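An added example, not code from the posts above, of the hook this thread ends up with. Subversion starts hook scripts with an empty environment, so the locale falls back to C, which is the usual reason svn cannot convert a non-ASCII file name inside a hook when the same script works from a login shell. The function name run_update, the LOG and UPDATE_CMD override variables and the locale name en_US.UTF-8 are assumptions.

```shell
#!/bin/sh
# Added example of a post-commit hook body (POSIX sh, not bash).
# Assumptions: run_update, LOG and UPDATE_CMD are illustrative names, and the
# en_US.UTF-8 locale is installed on the server.
LOG=${LOG:-/tmp/my-svn-update.log}
# Must match the narrow sudoers entry word for word; -n makes sudo fail
# at once instead of waiting for a password the hook can never supply.
UPDATE_CMD=${UPDATE_CMD:-sudo -n /usr/bin/svn update /var/www}

run_update() {
    # Hooks inherit no environment, so set the locale explicitly.
    LC_ALL=en_US.UTF-8
    export LC_ALL
    {
        # Record who ran the hook (replaces the "touch /tmp/test.log" probe).
        printf '== %s uid=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)"
        $UPDATE_CMD
        status=$?
        printf '== exit %s\n' "$status"
    } >>"$LOG" 2>&1   # portable form of bash's "&>"
    return "$status"
}

# Run only when installed under the hook's real name.
if [ "${0##*/}" = post-commit ]; then
    run_update
fi
```

The log keeps both stdout and stderr of every run, so a failure such as the UTF-8 conversion error shows up with its exit status.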

Related

Failed to achieve Gitolite (Git) and nginx webserver access webspace at the same time

Starting point:
Ubuntu 20.04
Gitolite (/home/git/)
Webspace /var/www/webspace (usually owned by www-data:www-data)
Git user (in www-data group and also tried without being in group)
I want to update the webspace as git user with post-receive to a www-data directory. I had it achieved before I installed Gitolite, but it doesn't seem to work the same way as it did before (or I am missing something). To make it clear: post-receive is executed after pushing (which it's normally not on Gitolite) ... was a hard time too to achieve that.
Edit: To make it clear: I want to achieve that Git and www-data can access and modify the same files.
What I've tried:
chmod 777 -R /var/www/webspace (after this git can access but nginx returns with 403?)
Adding Git-User to www-data group
chown www-data:git -R /var/www/webspace
chown git:www-data -R /var/www/webspace
chown git:git -R /var/www/webspace
chown www-data:www-data -R /var/www/webspace (with and without git inside group)(with and without 777)
Executing post-receive manually (Operation not permitted)
Executing post-receive manually as root (well ... works of course, but that's not the point)
... maybe also some steps more which I'm maybe missing rn
What I've noticed so far:
Contrary to Git, Gitolite checks the repo out with -rw------ (if I remember correctly), maybe that is why it's not working with Gitolite but with Git
The code (not that it would be important, but just to list everything):
post-receive
#!/bin/sh
GIT_WORK_TREE=/var/www/webspace git checkout -f
Maybe I'm just missing something, but please help me.
Try and follow "adding other (non-update) hooks" in order for Gitolite to call the relevant post-receive hook.
add this line in the rc file, within the %RC block, if it's not already present, or uncomment it if it's already present and commented out:
LOCAL_CODE => "$ENV{HOME}/local",
put your hooks into that directory, in a sub-sub-directory called "hooks/common":
# log on to gitolite hosting user on the server, then:
cd $HOME
mkdir -p local/hooks/common
cp your-post-receive-hook local/hooks/common/post-receive
chmod +x local/hooks/common/post-receive
run gitolite setup to have the hooks propagate to existing repos (repos created after this will get them anyway).
Add user (git in my case) to group of webspace (www-data for me)
sudo usermod -a -G www-data git
If you were logged in as that user, log out to reload the groups.
logout
#or
exit
#or
CTRL+A+D
(If you want to recheck the group, log in as this user and type "groups" to see the groups the user is in)
Make sure the webspace is owned by the correct group. For me:
sudo chown www-data:www-data -R /var/www/webspace
(If you want to recheck this you can go in the directory and type "ls -g")
In my case I had to modify my "post-receive" a bit, because the permissions were always -rw----- after checking out, so here is my "post-receive":
#!/bin/sh
GIT_WORK_TREE=/var/www/webspace git checkout -f #default line to checkout
chmod -R a+r /var/www/webspace #added by me because of permission issues
For convenience I had my "post-receive" in the repo directory (/home/git/repositories/repo/hooks/post-receive). The docs tell you to create a new folder (/home/git/local/specific-hooks/repo/post-receive (but they tell to name it on your own))
*All paths, names, groups and permissions written above only apply to me. They may differ for your installation.
What really solved my problem:
Logout after you change groups
Change permission (chmod) in post-receive

Permission denied while cloning project in htdocs

I am new to Linux and I am trying to clone a project into the folder that I am currently in, contained in opt/lampp/htdocs, using the command git clone git@gitlab.com:whatever . but I am getting a permission denied error. What can I do to resolve this issue?
update httpd.conf
sudo gedit /opt/lampp/etc/httpd.conf
Find
User nobody
Group nogroup
Replace nobody with your username
Change the ownership of htdocs
sudo chown -R username:username /opt/lampp/htdocs
Change the file permissions of htdocs folder
sudo chmod -R 775 /opt/lampp/htdocs/
Restart your machine
Clear your browser cache
You can also give the folder full permissions like this:
sudo chmod -R 777 /opt/lampp/htdocs/
or sudo chown -R $USER:$USER /opt/lampp/htdocs
I already had my username correctly written in User in the httpd.conf file, and still had the same problem. Finally, I found the solution changing the port number:
In the same file look for Local:8888 and change 8888 to 80
Try to give full permission to your htdocs folder
sudo chmod 777 /opt/lampp/htdocs
Then it will ask for your password; enter it and go ahead.
Permission denied is exactly what it says. You do not have permission to write to this folder. You can either git clone the repo as a root using sudo git clone (...) or change permissions to this folder. sudo chmod a+w <path> and then git clone it normally. You can also clone the repository to some other folder to which you already have permissions to write to.

Subversion sudo svn update changes file ownership and rwx

I'm limiting permissions on a certain file, settings.py in my svn-linked directory so that it can only be read by sudo users and apache, which goes by the username, www-data. So, on settings.py, I've set sudo chmod 640 settings.py and sudo chown www-data:www-data settings.py. I still want my unprivileged users to be able to svn update and svn commit, so with sudo visudo, I've set
unprivileged_user ALL = /usr/bin/svn commit *, /usr/bin/svn update *, \
/usr/bin/svn update
so that this user can still do sudo svn commit and sudo svn update. It won't be able to do plain svn commit or svn update because of the limited permissions on settings.py. If the unprivileged user tries to do that, there will be a message from svn that says the working copy is locked. I've noticed however that when I do sudo svn update, the unprivileged_user is updating as root and as a result the files that are updated from the svn repository are now owned by root:root with 644 privileges. This goes against what I'm trying to do with making settings.py owned by www-data:www-data. What can I do to make it so that www-data is always the owner and the rwx privileges remain the same?
The www-data user will have a different UID on each system it is on, making it effectively a new user on each system. You cannot predict which user this will be so you cannot set the owner appropriately. Whoever checks it out will be the owner.
Furthermore, svn does not track permissions. It only tracks whether or not a file is executable. The permissions that the file comes with are determined by your umask.
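Use a script instead which does the update and resets the permissions.
svnupdate.sh:
#!/bin/bash
MY_PROJ_PATH=/home/.... # Put your path here
# Stop if the directory is missing, so the chown below never runs somewhere else
pushd "$MY_PROJ_PATH" || exit 1
# "$@" passes each argument through unchanged; "www-data:" sets owner and its login group
svn update "$@" && chown -R www-data: . && chmod 640 settings.py
popd
Also make sure to chmod 750 /usr/local/bin/svnupdate.sh to prevent a security issue with the sudo command,
and also update the sudoers file: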
unprivileged_user ALL = /usr/bin/svn commit *, /usr/local/bin/svnupdate.sh
Here's what I have right now. I'm using a post svn update hook, and I don't know how secure it is. This is for svn update only. Please feel free to state your opinions on this.
In usr/local/bin, I create ssh-action.sh based off of this:
http://top-frog.com/2009/04/23/client-side-pre-and-post-svn-hooks-with-unix-aliases/
My actual ssh-action.sh looks like this:
#!/bin/bash
REAL_SVN='/usr/bin/svn';
BASE_PATH='/home/unprivileged_user/test_svn/';
# Pass every argument through to the real svn
$REAL_SVN "$@";
wait;
# post-svn actions
if [ "$1" = 'up' ] || [ "$1" = 'update' ]; then
find -L "$BASE_PATH" -type f -name 'settings.py' -exec bash -c 'sudo chmod 0400 "$0" && sudo chown www-data "$0"; sudo chgrp www-data "$0"' '{}' \;
fi
Then in sudo visudo, I add this to the bottom:
unprivileged_user ALL = NOPASSWD: /bin/chown www-data */test_svn/settings.py, /bin/chmod 0400 */test_svn/settings.py, /bin/chgrp www-data */test_svn/settings.py
Next, cd /home/unprivileged_user, open .bashrc , and add this to the bottom:
alias svn=/usr/local/bin/ssh-action.sh
Afterward, I need to make .bashrc immutable so that the unprivileged can't edit it to bypass my svn hook. I do this with sudo chattr +i .bashrc
With this hopefully whenever the unprivileged_user tries to svn update the test_svn working copy, settings.py will be owned by www-data:www-data with 400 permissions. What do you guys think? Are there any security flaws here? Thanks.
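An added example, not code from any of the posts, that puts the sudoers entries quoted on this page side by side by how much each one grants. The function names and the four class labels are assumptions made for this illustration; only single-line rules in the plain "user host = commands" form are handled, and the chown rule is shortened to its first command.

```shell
#!/bin/sh
# Added example: report the broadest grant in one sudoers rule line.
# Out of scope: aliases, Defaults, "\" continuations, escaped commas and
# wildcards in the command path itself.

classify_cmd() {
    # Trim, then drop a leading "(runas)" and any "TAG:" prefixes.
    cmd=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' \
        -e 's/^\([A-Z_][A-Z_]*:[[:space:]]*\)*//' -e 's/[[:space:]]*$//')
    case $cmd in
        ALL)          echo any-command ;;    # every program on the system
        *' '*[*?]*)   echo wildcard-args ;;  # wildcards match across word boundaries
        *' '*)        echo exact ;;          # argument list must match literally
        *)            echo any-args ;;       # bare path: caller picks the arguments
    esac
}

rank() {
    case $1 in
        any-command) echo 3 ;; any-args) echo 2 ;;
        wildcard-args) echo 1 ;; *) echo 0 ;;
    esac
}

classify_rule() {
    spec=${1#*=}                  # the command list follows the first "="
    old_ifs=$IFS; IFS=,; set -f   # split on commas without globbing "*"
    set -- $spec
    IFS=$old_ifs; set +f
    worst=exact
    for c in "$@"; do
        kind=$(classify_cmd "$c")
        if [ "$(rank "$kind")" -gt "$(rank "$worst")" ]; then worst=$kind; fi
    done
    echo "$worst"
}

# Rule lines quoted on this page.
for rule in 'www-data ALL=(ALL) NOPASSWD:ALL' \
            'www-data ALL=NOPASSWD: /usr/bin/svn' \
            'unprivileged_user ALL = /usr/bin/svn commit *, /usr/local/bin/svnupdate.sh' \
            'unprivileged_user ALL = NOPASSWD: /bin/chown www-data */test_svn/settings.py' \
            'www-data ALL=NOPASSWD:/usr/bin/svn update /var/www'; do
    printf '%-14s %s\n' "$(classify_rule "$rule")" "$rule"
done
```

A rule that names a wrapper script without arguments lands in any-args, so the script itself has to validate whatever it forwards to svn.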

How to give a directory back its sudo admissions/permissions?

I recently installed LAMP on my Ubuntu 14.04 laptop. But I didn't have full/root access to the files var/www and etc/apache2/sites-enabled/000-default.conf so I did some research to change permissions and admissions to the directory, using this command in the terminal:
sudo chown -R username:group directory
It worked perfectly. But now I can't do any sudo commands in the terminal. I wanted to restart the apache server but here is what it showed me:
sudo: /etc/sudoers is owned by uid 1000, should be 0
sudo: no valid sudoers sources found, quitting
sudo: impossible d'initialiser le greffon de règles
(my computer is in french btw).
What I want to know is how to set it back to sudo. I hope I explained myself well enough. If you need additional info that I didn't state please tell me. I will add it. Thanks.
Seems like you chown'd /etc/sudoers.
Try:
sudo chown root:root /etc/sudoers
Then if you want read/write privileges, see which group the folder /var/www belongs to (probably www-data)
To add yourself to the www-data group, try:
sudo usermod -a -G www-data yourUserName
Also, as a side note; be careful of recursive commands!!! If you're not sure what a command does, test it on a single file before making it recursive. For example:
DO NOT RUN THIS CODE, I DON'T INCLUDE SUDO ON PURPOSE SO YOU DONT HOSE EVERYTHING
rm -r /
Will delete everything inside / (a lot of stuff!)

/etc/apache2/sites-available/000-default.conf Permission Denied

/etc/apache2/sites-available/000-default.conf
What should I do to access this file
I want to change DocumentRoot From /var/www/html To /var/www
First check to see who owns the file:
ls -l /etc/apache2/sites-available/000-default.conf
It should probably be something like www-data. For the rest of this answer I assume the user is www-data, replace it with the correct user on your system.
Verify you have permissions to act as that user, e.g.:
sudo -u www-data id
This command just runs the id command as the www-data user, you may have to enter a password.
Edit the file as the owner of the file:
sudo -u www-data vi /etc/apache2/sites-available/000-default.conf
(or emacs or nano or whatever your favorite editor is).
If none of that works, the file permissions might be messed up, for example maybe the user of the file is not allowed to write to it. In that case posting the output of:
ls -l /etc/apache2/sites-available/000-default.conf
may be helpful in resolving your issue, but you probably can't go wrong by doing a:
sudo -u www-data chmod u+rw /etc/apache2/sites-available/000-default.conf
This grants the owner read and write permissions on the file, then try the edit again.
If none of that works please post the exact command you are running, and the exact error message.
You need to access this file as a root user. Issue the command
sudo -s
to get a root shell, then edit that file with the editor of your choice.
Just run this command and you can edit that file
gedit admin:///etc/apache2/sites-available/000-default.conf
