What user runs the git hook?

2

28

I have a post-update hook on my server, such that when I

git push

it does a pull on the live web directory. However, while the push always succeeds, the post-update hook sometimes fails.

The hook is pretty simple:

#!/bin/sh
#
# An example hook script to prepare a packed repository for use over
# dumb transports.
#
# To enable this hook, rename this file to "post-update".
cd /var/www
env -i git pull

I'm pushing updates from a variety of places, but sometimes I have to log in as root on the server and manually do a

env -i git pull

I only have to do it 20% of the time though. Any ideas why it would fail randomly? Also, how would I get it to log error messages, since it might be running as someone who can't write to the file system?

Pontormo answered 13/4, 2010 at 4:26 Comment(4)
Are you pushing in the same way from all of those places? That is, is the remote URL the same for all of them? (in particular, the user@hostname portion) – Zeke
Also, when you say it fails, do you actually mean it fails with a permission denied error that indicates it's running as a user with insufficient privileges? Or is it failing for some completely unrelated reason, nothing to do with the uid running it? – Zeke
I'm actually pushing from different places: sometimes it's user1@hostname, other times user2@hostname, etc. (they all have this problem though). It fails without an error message that I can see, and I'm not sure how to get one. In my post-update, I added, > echo $USER > /log.txt, but nothing is written there (nor is the file created). This makes me think the user pushing has no permissions. But if I can't even write an error message, how will I know? – Pontormo
Just as the user pushing needs write permissions in the repository, they need execute permissions in the hooks directory. That's enough to check (before trying your cd ... git pull) if the user has sufficient permissions to run the rest of the script, and if not, print an error and exit cleanly. – Zeke
20

The hooks are run as the user doing the push. If you have some kind of pre-made setup, that may be a user like git or gitosis, or it may be you. Just look at how you have the remote configured. (git remote show <remote-name> or just examine .git/config if you don't know) Presumably you're pushing via SSH, and there's a username@hostname in the URL.

P.S. It's pretty quick to demonstrate this - just clone a repo locally, throw a post-update hook in with an echo $USER or something similar, and try pushing as yourself or a different user (directly or through ssh).

Zeke answered 13/4, 2010 at 4:31 Comment(0)
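An added example, not code from any of the posts: a post-update hook that reports the account it runs as and checks that account's access to the work tree before pulling. Git forwards the hook's output to the pushing client as `remote:` lines, so no writable log file is needed. The function names and return codes are this example's own, and `/var/www` is the path from the question.

```shell
#!/bin/sh
# Added example (not from the original posts): post-update hook that says
# who it runs as and why it cannot deploy, instead of failing silently.
# WORK_TREE defaults to the /var/www path from the question; the function
# names and return codes are this example's own.
WORK_TREE="${WORK_TREE:-/var/www}"

# $USER may be empty or stale inside a hook, so ask id(1) for the real account.
hook_user() {
    id -un 2>/dev/null || id -u
}

# Verify the current account can do what a pull in $1 needs.
# Returns 0 if so; otherwise prints the reason on stderr and returns 2-5.
check_work_tree() {
    dir=$1
    who=$(hook_user)
    if [ ! -d "$dir" ]; then
        echo "hook: $dir is not a directory" >&2; return 2
    fi
    if [ ! -x "$dir" ] || [ ! -w "$dir" ]; then
        echo "hook: user '$who' cannot enter or write $dir" >&2; return 3
    fi
    if [ ! -d "$dir/.git" ]; then
        echo "hook: $dir is not a git work tree" >&2; return 4
    fi
    if [ ! -w "$dir/.git" ]; then
        echo "hook: user '$who' cannot write $dir/.git" >&2; return 5
    fi
    return 0
}

# Report the account, run the checks, then pull as the question's hook does.
deploy() {
    echo "hook: running as '$(hook_user)'" >&2
    check_work_tree "$1" || return $?
    (cd "$1" && env -i git pull) || {
        rc=$?; echo "hook: git pull failed with status $rc" >&2; return "$rc"
    }
}

# Run only when installed under the hook's name, so the file can be sourced.
case "${0##*/}" in
    post-update) deploy "$WORK_TREE"; exit $? ;;
esac
```

With this in place, a push from an account that lacks access to the work tree shows the account name and the failing check in the push output.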
4

I decided to test this on my GitLab 6 server by creating a pre-receive hook and echoing out the user information.

$ cat /home/git/repositories/foo/foo.git/hooks/pre-recieve
#!/bin/bash
set -x
echo -e "The user the hook is run as is $USER"
echo -e "Just to doublecheck, the user is $(whoami)"
exit 1

It looks like it is run as the git user

$ git push 
Counting objects: 3, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 269 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: + echo -e 'The user the hook is run as is'
remote: The user the hook is run as is
remote: ++ whoami
remote: + echo -e 'Just to doublecheck, the user is git'
remote: Just to doublecheck, the user is git
remote: + exit 1
Poling answered 15/9, 2014 at 21:43 Comment(1)
The reason is that all such servers configure one unix user to accept the incoming ssh connections via the ~git/.ssh/authorized_keys file. That file delegates such connections to a script which then deals with the incoming data. For such servers one can derive the name of the person doing the push, e.g. by assuming it's the same person that did the most recent commit. However this may not hold true at all. Depends on the work model of the users. Better to just check or report the author/committer on individual commits. – Nadabas
