2

Just got gitolite installed on my webserver and am trying to get a post-receive hook that can point the git dir in apache's direction.

This is what my post-receive hook looks like. Got this script from "Using Git to manage a web site".

#!/bin/sh
echo "post-receive example.com triggered"
GIT_WORK_TREE=/srv/sites/example.com/public git checkout -f

I've also tried:

#!/bin/sh
echo "post-receive example.com triggered"
unset GIT_INDEX_FILE
export GIT_WORK_TREE=/srv/sites/example.com/public
export GIT_DIR=/home/git/repositories/example.com.git
git checkout -f

This is the error response I'm getting back from `git push origin master` from my local workstation. These are files from within my repository.

remote: post-receive example.com triggered
remote: error: unable to create file .htaccess (Permission denied)
remote: error: unable to create file .tm_sync.config (Permission denied)
remote: fatal: cannot create directory at 'application': Permission denied

Standalone script error

remote: sudo: no tty present and no askpass program specified
remote: Sorry, try again.
remote: sudo: no tty present and no askpass program specified
remote: Sorry, try again.
remote: sudo: no tty present and no askpass program specified
remote: Sorry, try again.
remote: sudo: 3 incorrect password attempts

Update:

git@vannevar:~$ sudo -l
Matching Defaults entries for git on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User git may run the following commands on this host:
    (root) NOPASSWD: /usr/local/sbin/prgetsimpleappscom
git@vannevar:~$ /usr/local/sbin/prgetsimpleappscom
-su: /usr/local/sbin/prgetsimpleappscom: Permission denied
git@vannevar:~$ sh /usr/local/sbin/prgetsimpleappscom
post-receive getsimpleapps.com triggered
error: unable to unlink old 'application/config/development/database.php' (Permission denied)
error: unable to unlink old 'application/config/production/database.php' (Permission denied)
error: unable to unlink old 'application/config/quickbooks.php' (Permission denied)
git@vannevar:~$ sudo sh /usr/local/sbin/prgetsimpleappscom
[sudo] password for git: 
Sorry, user git is not allowed to execute '/bin/sh /usr/local/sbin/prgetsimpleappscom' as root on vannevar.
git@vannevar:~$ sudo /usr/local/sbin/prgetsimpleappscom
[sudo] password for git: 
sudo: /usr/local/sbin/prgetsimpleappscom: command not found
git@vannevar:~$ nano /usr/local/sbin/prgetsimpleappscom
git@vannevar:~$ 
ThomasReggi
  • Does the userid that your `git-daemon` (or whatever in `gitolite` serves the same purpose) runs under have write permission in `/srv/sites/example.com/public` and permission to overwrite things that might already be there? – twalberg Jun 26 '12 at 18:46
  • I feel so silly. No, it's root:root. I'll try to run a `chown git:git public/`? – ThomasReggi Jun 26 '12 at 18:49
  • Honestly, since this is your web instance, I'd probably leave it `root:root`, and then make your current hook script a standalone script, e.g. `/usr/local/sbin/checkout-site`, and make a new hook that calls `sudo /usr/local/sbin/checkout-site` (with appropriate modifications to `/etc/sudoers`, of course). Better yet, use a third non-root account to own your web data. But `chown` or `chmod` solutions might be acceptable for the immediate need... – twalberg Jun 26 '12 at 18:54
  • Yeah, it caused Apache to throw an HTTP 403 error. I have three accounts: `git`, `thomas`, and `root`. I `chown`'d `public/` back to `root`. I just created that standalone script. I'm new to Linux / server stuff so not familiar with `/etc/sudoers/`. By "third non-root account" do you mean `thomas`? Thanks for your help so far. – ThomasReggi Jun 26 '12 at 19:00
  • I would probably create a separate non-root account, e.g. `web` (actually, chances are there's already one created when you installed the system), whose sole purpose is to be the owner of the web site contents. Probably wouldn't hurt to then also configure Apache to run as that user. Proper separation of roles/privileges is a useful concept in promoting security. – twalberg Jun 26 '12 at 19:13
  • It turns out that when I chmod'd the public folder it was showing that 403 error because the permissions of the files in my repo have been altered. Any idea why? – ThomasReggi Jun 26 '12 at 19:21
  • The `public` folder is not my only issue now. I needed to use `git config core.filemode false` to maintain permissions that are compatible with the web server. As a result of using that, all the files in the work tree possess the user root:root and my git user can't alter these. I don't know exactly how to use `etc/sudoers` or if that will fix this. Any help would be nice. The standalone script is giving the error above. – ThomasReggi Jun 26 '12 at 22:24
  • Assuming the user that your `git-daemon` runs under is `git`, a line in `/etc/sudoers` that says `git ALL = (root) NOPASSWD: /usr/local/sbin/checkout-site` says that the user `git` can run that script as `root` without supplying a password. The critical thing is that you *must* edit `/etc/sudoers` with the `visudo` command, running as `root`. Once that's done, the `git` user should be able to run `sudo /usr/local/sbin/checkout-site`. – twalberg Jun 27 '12 at 13:52
  • I updated the post with straight console output, I don't get it. I hope this sheds some light on something. – ThomasReggi Jun 27 '12 at 14:54
  • Try it without the `sh` - `sudo` says you have the permission to run `prgetsimpleappscom` not `sh prgetsimpleappscom`. If necessary, add a `#!/bin/sh` line as the first line in the script, and `chmod +x` it. – twalberg Jun 27 '12 at 15:03
  • I did `sudo: /usr/local/sbin/prgetsimpleappscom: command not found` in that update. I just posted it, got it all working (I hope). Using `sh` in hook and in `sudoers`. – ThomasReggi Jun 27 '12 at 15:06

1 Answer

1

This is how I got it working:

Changed post-receive to:

sudo sh /usr/local/sbin/prgetsimpleappscom

Changed sudoers with visudo

git ALL = (root) NOPASSWD: /usr/local/sbin/prgetsimpleappscom
git ALL = (root) NOPASSWD: /bin/sh
git ALL = (root) NOPASSWD: /bin/sh /usr/local/sbin/prgetsimpleappscom

Confirm visudo worked

git@vannevar:~$ sudo -l
Matching Defaults entries for git on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User git may run the following commands on this host:
    (root) NOPASSWD: /usr/local/sbin/prgetsimpleappscom
    (root) NOPASSWD: /bin/sh
    (root) NOPASSWD: /bin/sh /usr/local/sbin/prgetsimpleappscom

run:

sudo sh /usr/local/sbin/prgetsimpleappscom
post-receive getsimpleapps.com triggered

and:

$ git push origin master
remote: post-receive getsimpleapps.com triggered
ThomasReggi
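
Added example, not part of the original answer: a sudoers entry with no argument list accepts any arguments, so the `/bin/sh` rule above lets `git` run anything as root without a password and makes the other two rules redundant. The check below reads `sudo -l` output and flags rules of that kind; the function names and the interpreter list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag passwordless sudo rules
# that amount to unrestricted root.

# Illustrative list (an assumption; extend it for your hosts).
INTERPRETERS='sh bash dash zsh ksh csh python python3 perl ruby env'

# The rule lines from the `sudo -l` output shown in the answer on this page.
sample_sudo_l() {
    cat <<'EOF'
User git may run the following commands on this host:
    (root) NOPASSWD: /usr/local/sbin/prgetsimpleappscom
    (root) NOPASSWD: /bin/sh
    (root) NOPASSWD: /bin/sh /usr/local/sbin/prgetsimpleappscom
EOF
}

# Reads `sudo -l` output on stdin and prints one line per risky rule.
# The body runs in a subshell so the IFS and globbing changes do not leak.
audit_sudo_rules() (
    set -f                      # sudoers wildcards must not glob here
    ws=$IFS
    while IFS= read -r line; do
        case $line in *NOPASSWD:*) ;; *) continue ;; esac
        IFS=,                   # one rule may list several commands
        for spec in ${line#*NOPASSWD:}; do
            IFS=$ws
            set -- $spec        # $1 = command path, rest = fixed arguments
            [ $# -gt 0 ] || continue
            if [ "$1" = ALL ]; then
                echo "any command: $1"
                continue
            fi
            for name in $INTERPRETERS; do
                # A bare interpreter path accepts any arguments.
                if [ "${1##*/}" = "$name" ] && [ $# -eq 1 ]; then
                    echo "unrestricted interpreter: $1"
                fi
            done
        done
        IFS=$ws
    done
)

sample_sudo_l | audit_sudo_rules
```

With `#!/bin/sh` as the script's first line and `chmod +x` applied, as suggested in the comments, the first rule alone covers `sudo /usr/local/sbin/prgetsimpleappscom`.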