Git post-receive hook to update a local clone owned by a different user
I'm trying to set up a git post-receive hook such that when a commit is received, another clone of the repository on the machine gets updated (i.e. does a git pull origin master). I'm using gitosis to serve the repository and as such I believe a post-receive hook will be run as the gitosis user, whereas the repository I want to update on a receive is owned by www-data. How should I go about doing this?

I've heard about setuid scripts but I'm not sure whether this might be a security risk? And if it's not a security risk, how would I go about doing this? I'm guessing I would do something like make the script owned by www-data and make it world-executable and enable the setuid bit? I guess this script would be pretty much harmless since all it does is update the repository, but I want to be sure. Thanks!

Edit: Is there any way to do this using sudo? Would that be more secure than setuid? I mean, I don't think there's much issue with setuid if the user isn't root, but all the same it seems like I'd have to jump through a few hoops to get a setuid script to run.

Second edit: It seems like I might be able to do this with some /etc/sudoers magic and sudo -u. Perhaps I should have posted this on ServerFault instead, but at least I've learned a bit from this endeavor.

Relativity answered 23/12, 2009 at 7:6 Comment(0)
IMHO this should be on serverfault, but here's the answer nevertheless;

Add:

gitosis ALL=(www-data) NOPASSWD: /path/to/git

to /etc/sudoers

and run the command as sudo -u www-data <whatever the command is>

Tanka answered 23/12, 2009 at 7:50 Comment(6)
Yeah, I kind of figured it was better suited for ServerFault after posting, but I usually saw git stuff here. Are you sure that line allows gitosis to run as www-data? I'm not sure that it does. Right now I'm trying to do something like this in /etc/sudoers: gitosis ALL=(www-data) /path/to/script and the script does the git pull command. - Relativity

Incidentally, how do you move a question like this to serverfault? - Relativity

...and yes, you were correct, my sudoers example was wrong, sorry. Fixed now. - Tanka

Thanks! That seems to be exactly what I needed. - Relativity

In this case, running sudo -u www-data will request the password from gitosis, but originally the gitosis user shouldn't have a password since it's based on id_rsa.pub. Is there any way to prevent the password from being requested? - Mendelsohn

@ludicco: NOPASSWD: in my /etc/sudoers line does exactly that. - Tanka
Notice that I'm using the git username, so if you are using gitosis or any other username, just fill in yours!

In console with root user execute this command:

visudo

The "vi" editor will be opened. Add these lines:

Defaults:git    !authenticate
git ALL=(www-data) ALL

As a result, the file (that is opened in the "vi" editor by calling "visudo") should look like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults    env_reset
Defaults:git    !authenticate

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
git ALL=(www-data) ALL


# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

Then press CTRL+O to save the file, then press Enter to accept the filename (bla bla bla), then press CTRL+X to close the "vi" editor.

Voila! Now the git user can execute commands as the www-data user:

sudo -u www-data git pull origin master

Trela answered 21/6, 2012 at 17:35 Comment(0)
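Putting the two answers together as a complete post-receive hook, as an added example that is not code from the question or from either answer. It assumes a hypothetical layout: the bare repository's hook runs as user gitosis, the working clone /var/www/site is owned by www-data, and git is /usr/bin/git (new enough for git -C, 1.8.5 or later); the variable and function names are mine. Instead of the ALL command spec in the second answer, the sudoers line the script prints is limited to the single git invocation the hook actually runs, with NOPASSWD so a key-only hook user is never prompted, and the hook uses sudo -n so a missing or mistyped rule fails the push visibly rather than hanging it.

```shell
#!/bin/sh
# post-receive hook: update a working clone owned by another user through a
# narrow sudo rule. Added example, not code from the question or answers.
# Assumed (hypothetical) layout: the bare repo is served by user "gitosis",
# the working clone /var/www/site belongs to www-data, git is /usr/bin/git
# (a git that supports "git -C", i.e. 1.8.5 or later).
HOOK_USER="${HOOK_USER:-gitosis}"
DEPLOY_USER="${DEPLOY_USER:-www-data}"
DEPLOY_DIR="${DEPLOY_DIR:-/var/www/site}"
DEPLOY_REF="${DEPLOY_REF:-refs/heads/master}"
GIT_BIN="${GIT_BIN:-/usr/bin/git}"
ZERO_SHA=0000000000000000000000000000000000000000

# The one /etc/sudoers line this hook needs. sudoers matches the command
# line literally, so the rule covers exactly this git invocation and nothing
# else the hook user might run; NOPASSWD matters because the hook user has
# no password (it is reached via an SSH key) and a prompt would hang the push.
sudoers_entry() {
  printf '%s ALL=(%s) NOPASSWD: %s -C %s pull origin master\n' \
    "$HOOK_USER" "$DEPLOY_USER" "$GIT_BIN" "$DEPLOY_DIR"
}

# Decide whether one "oldrev newrev refname" line from the hook's stdin
# should trigger an update: only the deploy branch, and not a deletion
# (git signals a deleted ref with an all-zero newrev).
should_deploy() {
  set -- $1
  [ "$#" -eq 3 ] || return 1
  [ "$3" = "$DEPLOY_REF" ] || return 1
  [ "$2" != "$ZERO_SHA" ]
}

# Run the update for every qualifying ref in a push.
run_hook() {
  # git exports GIT_DIR to hooks; left in place it would point "git pull"
  # at the bare repository instead of the working clone. sudo's env_reset
  # normally strips it, but do not rely on that.
  unset GIT_DIR
  while read -r oldrev newrev refname; do
    if should_deploy "$oldrev $newrev $refname"; then
      # -n: never prompt. If the sudoers rule is missing or mistyped the
      # push fails with a visible error instead of waiting for a password.
      sudo -n -u "$DEPLOY_USER" "$GIT_BIN" -C "$DEPLOY_DIR" pull origin master >&2 \
        || echo "post-receive: update of $DEPLOY_DIR failed" >&2
    fi
  done
}

# git invokes this script as .../hooks/post-receive; only then read stdin.
case "$0" in
  */hooks/post-receive) run_hook ;;
esac
```

Install the script as hooks/post-receive in the bare repository (executable, owned by the hook user), paste the output of sudoers_entry into the file via visudo, and check the rule from the hook user's account with a push to a branch other than master, which should run nothing, before pushing to master.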
