git pull from CGI-Script ran by 'nobody'

Question

I've got a git repository on a webserver (Apache), which is set up inside the home-directory of user a.

git clone ssh://a@git_url:7999/path/to/repository/repo.git

The git-repository is hosted on a stash-server. The authentication works via an ssh-key for the user a.

Now I'm trying to build a CGI-script which shows me some excerpts from git log on that repository. That works pretty much, but I just can't seem to be able to git pull inside the CGI-script since it's not run by user a, but by user nobody. The user nobody has no permissions to read the contents of the git-repository cloned by a and doesn't have an ssh-key set up on the stash-server.

Is there a way to run git pull from within the CGI-script in a way that it "masks" as user a so that it's able to pull?

I'm afraid that this solution is not for me, since I'm not the administrator of the server in questions, thus I can't just install stuff on that, and it's questionable that the administrators will install and configure this just for me. — Vince, Sep 23 '13 at 09:13

score 0 · Answer 1 · edited May 23 '17 at 12:08

You have at least three options.

Create a separate clone that nobody owns.
Modify the clone that a owns to be assigned to a group to which both a and nobody belong.
Create a cron job that runs as a to periodically run git fetch on the repository. Make the repository world-readable. You may need to modify your CGI program to operate in terms of origin/master rather than master, for example.

For options 1 and 2, you will need to arrange for nobody to have access to Stash. One possibility there is to create a passwordless (unencrypted) SSH key for nobody and add the public key to Stash for authorization. This does entail some risk: anyone who obtains a copy of nobody’s secret key can easily do whatever nobody can.

git pull from CGI-Script ran by 'nobody'

1 Answers1