PHP running git gets "ssh: Permission denied"
I'm trying to run git pull from a PHP script invoked from a browser, but I get "ssh: connect to host git.assembla.com port 22: Permission denied".

My PHP script:

<?php
$output = array();
$returnVar = 0;
chdir("/var/www/html");   // the checkout the web server serves
// 2>&1 folds git's and ssh's stderr into $output so the failure reason is visible
exec('git pull [email protected]:andrewadel.git master 2>&1', $output, $returnVar);
// exec('pwd', $output, $returnVar);
echo "<pre>\n";
echo "return status: $returnVar\n\n";
print_r($output);
echo "</pre>\n";

When I run the script manually as "apache", everything is fine:

bash-4.1$ whoami
apache
bash-4.1$ php gitsync.php
<pre>
return status: 0

Array
(
    [0] => From git.assembla.com:andrewadel
    [1] =>  * branch            master     -> FETCH_HEAD
    [2] => Already up-to-date.
)
</pre>

When I run it from a browser, it fails:

http://103.7.164.33/gitsync.php?111

return status: 1

Array
(
    [0] => ssh: connect to host git.assembla.com port 22: Permission denied
    [1] => fatal: The remote end hung up unexpectedly
)

Thanks

Fanning answered 11/9, 2012 at 13:22 Comment(1)
Then, in PHP, running exec('ssh -v [email protected] 2>&1', $output, $returnVar); gives:

return status: 255

Array
(
    [0] => OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    [1] => Pseudo-terminal will not be allocated because stdin is not a terminal.
    [2] => debug1: Reading configuration data /etc/ssh/ssh_config
    [3] => debug1: Applying options for *
    [4] => debug1: Connecting to assembla.com [64.250.188.41] port 22.
    [5] => debug1: connect to address 64.250.188.41 port 22: Permission denied
    [6] => ssh: connect to host assembla.com port 22: Permission denied
)
Fanning

A lot of variables here... but I faced pretty much exactly the same behaviour with a remote CGI script I was working on.

In my case the issue was related to SELinux on CentOS.

user@remoteserver:~$ getsebool -a | grep httpd

Showed:

...
httpd_can_network_connect --> off
...

Test the possible fix (as root or with sudo):

user@remoteserver:~$ setsebool httpd_can_network_connect=1
# ...then trigger your server-side script remotely again

Permanent fix (if the above has proven effective):

user@remoteserver:~$ setsebool -P httpd_can_network_connect=1

The -P option makes the SELinux boolean persistent, so the specified value is the default on future reboots. See man getsebool and man setsebool.

Privilege answered 19/9, 2012 at 6:40 Comment(0)
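To confirm that SELinux is what is refusing the connection before flipping any boolean, look at the AVC denials in the audit log rather than guessing from ssh's "Permission denied". The script below is an added example written for this thread (not code from the answer above or from any project). It parses, fully offline, two pieces of text: AVC denial lines in the format the kernel writes to /var/log/audit/audit.log, and the `getsebool -a` listing the answer greps, and it maps each denial to the boolean that would allow it. The log and getsebool samples are constructed for the demo (pids, timestamps and ports are made up), and the boolean table covers only the httpd network booleans relevant here.

```python
"""Map SELinux AVC denials from a web-served script to the boolean that fixes them.

Added example for this thread. Works on constructed text only; see the lead-in.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what `ausearch -m avc -c ssh` (or grep denied audit.log)
# would show for the asker's problem: ssh, spawned by git under Apache, runs in
# the httpd_t domain and is refused a TCP connect to the ssh port. exit=-13 in
# the SYSCALL record is EACCES, the "Permission denied" ssh printed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1347367350.512:1234): arch=c000003e syscall=42 success=no exit=-13 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347367350.512:1234): avc:  denied  { name_connect } for  pid=2345 comm="ssh" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1347367351.004:1235): avc:  denied  { name_connect } for  pid=2346 comm="php" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# Constructed sample of `getsebool -a | grep httpd` with stock defaults.
SAMPLE_GETSEBOOL = """\
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: frozenset
    comm: str
    source_type: str       # domain of the denied process, e.g. httpd_t
    target_type: str       # label of what it touched, e.g. ssh_port_t
    tclass: str            # object class, e.g. tcp_socket
    dest_port: Optional[int]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit line; None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}

    def type_of(ctx: str) -> str:          # user:role:type[:level] -> type
        return ctx.split(':')[2]

    return Denial(
        perms=frozenset(m.group('perms').split()),
        comm=fields.get('comm', ''),
        source_type=type_of(fields['scontext']),
        target_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        dest_port=int(fields['dest']) if 'dest' in fields else None,
    )


def parse_getsebool(text: str) -> dict:
    """'name --> on|off' lines into {name: bool}."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(' --> ')
        if sep:
            out[name.strip()] = value.strip() == 'on'
    return out


def boolean_for(d: Denial) -> Optional[str]:
    """Boolean that would permit the denial, or None ("read the policy, don't guess").

    Only the httpd outbound-TCP booleans are covered here (an assumption about
    the stock targeted policy); the _db one is narrower and preferred when the
    target is a database port.
    """
    if d.source_type != 'httpd_t' or d.tclass != 'tcp_socket' or 'name_connect' not in d.perms:
        return None
    if d.target_type in ('mysqld_port_t', 'postgresql_port_t'):
        return 'httpd_can_network_connect_db'
    return 'httpd_can_network_connect'


def diagnose(audit_text: str, getsebool_text: str) -> List[Tuple[str, Optional[int], str, str]]:
    """(comm, dest_port, boolean, fix) for each denial a currently-off boolean would resolve."""
    booleans = parse_getsebool(getsebool_text)
    seen, findings = set(), []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        name = boolean_for(d)
        if name is None or booleans.get(name, False):
            continue                      # unknown denial, or boolean already on
        key = (d.comm, d.dest_port, name)
        if key not in seen:
            seen.add(key)
            findings.append((d.comm, d.dest_port, name, f'setsebool -P {name}=1'))
    return findings


if __name__ == '__main__':
    for comm, port, name, fix in diagnose(SAMPLE_AUDIT_LOG, SAMPLE_GETSEBOOL):
        print(f'{comm} -> port {port}: blocked because {name} is off; fix: {fix}')
```

On a real box feed it the output of `ausearch -m avc -c ssh` (or `grep denied /var/log/audit/audit.log`) and `getsebool -a`; `permissive=0` in the record confirms the domain is enforcing, so the denial really did fail the call. A denial that maps to nothing is the case for `audit2allow -a`, which shows the boolean when one exists and otherwise generates a minimal local module. Keep in mind that `httpd_can_network_connect` lets every process in httpd_t reach every TCP port on the network, so an exploited PHP page gets the same reach; if all you need is the one outbound ssh connection, a local module that allows `name_connect` to ssh_port_t only is the tighter choice.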

Are your web server and PHP installation restricted by Suhosin, safe_mode, AppArmor or another security mechanism?

And I recommend trying PHP Git bindings such as php-git if you are doing more operations; that module is designed for working with Git from PHP code.

Trump answered 11/9, 2012 at 13:31 Comment(0)

Apache would run the script as the 'nobody' user. Your script relies on having the private key, most likely stored at ~apache/.ssh/id_rsa.

The failure is that git can't access that key and isn't able to authenticate itself to the git server.

The solution is to specify the correct key to use and make that key accessible to the user that is executing the script.

Read this for how to specify the key:

Specify private SSH-key to use when executing shell command with or without Ruby?

Take a look here for an approach to running as a different user:

https://serverfault.com/questions/226374/how-to-run-php-files-as-another-user-with-apache-and-fastcgi

I would not recommend running as nobody (since then the nobody user has access to your private key), or as apache (since then you increase the damage that could be done should an exploit be found for your site). Therefore you should create a different user with the minimal permissions to read your private key and execute the git command. It may not be necessary to specify the key if you just create a limited user account for this and put the keys (public/private) into its ~/.ssh.

Alamode answered 11/9, 2012 at 13:59 Comment(2)
I don't think this is the root cause, because the error is that ssh gives a permission denied on opening the connection. The error is not about authentication failed. Therefore, I think it's some other permission issue or security mechanism in action for PHP - see my answer.Trump
I think that is true actually. I was thrown off by the error's similarity to a ssh connection denied error, but it looks like there is some sort of sandbox present to prevent exploited scripts from making external connections. At a guess the key thing will be the second thing that goes wrong.Alamode
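The answer above asks for two things: point git at one specific private key, and make sure the account running the job is the one that owns it. The script below is an added example for this thread (not the answer's code, and not tied to any project) showing both in Python, which is easy to drop into a cron job or a small deploy service run as a dedicated user. The deploy key path, known_hosts path and repository are placeholders; the demo function creates a throwaway file so nothing here touches the network or a real key.

```python
"""Run git over ssh non-interactively with one explicit, permission-checked key.

Added example for this thread; paths are placeholders (see lead-in).
"""
import os
import shlex
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import List


def key_problems(key_path: str) -> List[str]:
    """Reasons not to use this private key, empty when it is fine.

    ssh refuses keys that are group- or world-accessible ("permissions are
    too open"), and a key owned by someone other than the running user is
    the sign that the wrong account (apache, nobody) is doing the pull.
    """
    problems = []
    try:
        st = os.stat(key_path)
    except FileNotFoundError:
        return [f'{key_path}: no such file']
    if not stat.S_ISREG(st.st_mode):
        problems.append(f'{key_path}: not a regular file')
    if st.st_uid != os.geteuid():
        problems.append(f'{key_path}: owned by uid {st.st_uid}, running as uid {os.geteuid()}')
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f'{key_path}: mode {oct(st.st_mode & 0o777)} is too open (want 0600)')
    return problems


def git_ssh_command(key_path: str, known_hosts: str) -> str:
    """Value for GIT_SSH_COMMAND (git 2.3+) or core.sshCommand (git 2.10+).

    IdentitiesOnly stops ssh from offering every key in ~/.ssh and the agent;
    BatchMode makes it fail instead of prompting, since there is no terminal
    under a web server; a pinned known_hosts file means the first pull cannot
    be answered "yes" to an unknown host key by nobody at all.
    """
    return (f'ssh -i {shlex.quote(key_path)} -o IdentitiesOnly=yes -o BatchMode=yes '
            f'-o StrictHostKeyChecking=yes -o UserKnownHostsFile={shlex.quote(known_hosts)}')


def git_pull(repo_dir: str, key_path: str, known_hosts: str,
             remote: str = 'origin', branch: str = 'master') -> subprocess.CompletedProcess:
    """`git pull` with the explicit key; refuses up front if the key is unusable."""
    problems = key_problems(key_path)
    if problems:
        raise PermissionError('; '.join(problems))
    env = dict(os.environ, GIT_SSH_COMMAND=git_ssh_command(key_path, known_hosts))
    return subprocess.run(['git', 'pull', remote, branch], cwd=repo_dir, env=env,
                          capture_output=True, text=True, timeout=120)


def demo_key_checks():
    """Constructed demo: a placeholder key file saved with the wrong mode, then fixed."""
    with tempfile.TemporaryDirectory() as d:
        key = Path(d) / 'deploy_key'
        key.write_text('-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder, not a key)\n')
        key.chmod(0o644)                    # what a careless cp leaves behind
        too_open = key_problems(str(key))
        key.chmod(0o600)
        fixed = key_problems(str(key))
        return too_open, fixed


if __name__ == '__main__':
    before, after = demo_key_checks()
    print('0644:', before)
    print('0600:', after)
    print(git_ssh_command('/srv/gitsync/.ssh/deploy_key', '/srv/gitsync/.ssh/known_hosts'))
```

With a git older than 2.3 (the era of this thread) the same effect is had by setting GIT_SSH to a one-line wrapper script that runs the ssh command returned by git_ssh_command. Whichever way the key is passed, it does nothing about the SELinux denial discussed in the other answer: the connect is refused before authentication starts, so fix that first and then make sure the pull runs as a dedicated low-privilege user that owns the key.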

Is this a permissions issue? A PHP script would most likely be run as the nobody user, which may not have permission to run the git command.

Dante answered 11/9, 2012 at 13:23 Comment(3)
Excuse me, how can I check which user PHP runs as?Fanning
That would depend on how the PHP script is being executed. You could do a ps aux | grep scriptName.php if the script is actively running.Dante
Or just $var = exec("env", $output, $returnVar);Alamode

© 2022 - 2024 — McMap. All rights reserved.