views: 236

answers: 1

Hello,

I'm trying to set up a git post-receive hook such that when a commit is received, another clone of the repository on the machine gets updated (i.e. does a git pull origin master). I'm using gitosis to serve the repository and as such I believe a post-receive hook will be run as the gitosis user, whereas the repository I want to update on a receive is owned by www-data. How should I go about doing this?

I've heard about setuid scripts but I'm not sure whether this might be a security risk? And if it's not a security risk, how would I go about doing this? I'm guessing I would do something like make the script owned by www-data and make it world-executable and enable the setuid bit? I guess this script would be pretty much harmless since all it does is update the repository, but I want to be sure. Thanks!

Edit: Is there any way to do this using sudo? Would that be more secure than setuid? I mean, I don't think there's much issue with setuid if the user isn't root, but all the same it seems like I'd have to jump through a few hoops to get a setuid script to run.

Second edit: It seems like I might be able to do this with some /etc/sudoers magic and sudo -u. Perhaps I should have posted this on ServerFault instead, but at least I've learned a bit from this endeavor.

+2  A: 

IMHO this should be on serverfault, but here's the answer nevertheless:

Add:

gitosis ALL=(www-data) NOPASSWD: /path/to/git

to /etc/sudoers

and run the command as sudo -u www-data <whatever the command is>

Kimvais
Yeah, I kind of figured it was better suited for ServerFault after posting, but I usually saw git stuff here. Are you sure that line allows gitosis to run as www-data? I'm not sure that it does. Right now I'm trying to do something like this in /etc/sudoers: `gitosis ALL=(www-data) /path/to/script` and the script does the git pull command.
Ibrahim
Incidentally, how do you move a question like this to serverfault?
Ibrahim
The moves are done by moderators.
Kimvais
...and yes, you were correct, my sudoers example was wrong, sorry. Fixed now.
Kimvais
Thanks! That seems to be exactly what I needed.
Ibrahim
In this case, running sudo -u www-data will request the password from gitosis, but originally the gitosis user shouldn't have a password since it's based on id_rsa.pub. Is there any way to prevent the password from being requested?
ludicco
@ludicco: `NOPASSWD:` in my `/etc/sudoers` line does exactly that.
Kimvais
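A complete version of the setup discussed in this thread, as an added example that is not code from the question or the answer. It assumes hypothetical paths: the hook is installed as `hooks/post-receive` in the gitosis-served bare repository, the pull is done by a root-owned, argument-less script `/usr/local/bin/update-www-clone`, and the www-data clone lives at `/var/www/site`. The sudoers rule grants that one script rather than `/path/to/git`, since allowing `git` itself lets gitosis run any git subcommand as www-data; the trailing `""` is sudoers syntax meaning the command may only be run with no arguments, and `sudo -n` answers ludicco's question by failing outright instead of prompting for a password the gitosis account does not have.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed layout (hypothetical paths):
#   <bare repo>/hooks/post-receive   this file, run by the gitosis user on every push
#   /usr/local/bin/update-www-clone  root-owned, mode 0755, does the pull as www-data
#   /var/www/site                    the clone owned by www-data
#
# Matching /etc/sudoers rule (add it with visudo, which syntax-checks the file):
#   gitosis ALL=(www-data) NOPASSWD: /usr/local/bin/update-www-clone ""
# The trailing "" means the command may only be run with no arguments, so
# gitosis can trigger exactly one fixed action as www-data and nothing else.

# git feeds post-receive one line per updated ref on stdin:
#   <old-sha1> <new-sha1> <refname>
# Succeed (exit 0) only if refs/heads/master was among the updated refs.
master_was_pushed() {
    pushed=1
    while read -r oldrev newrev refname; do
        if [ "$refname" = "refs/heads/master" ]; then
            pushed=0
        fi
    done
    return "$pushed"
}

# Render the sudoers rule for a caller, a target user and an absolute script
# path, so it can be compared with what `sudo -l -U gitosis` reports.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s ""\n' "$1" "$2" "$3"
}

# Body of /usr/local/bin/update-www-clone. It takes no arguments and hard-codes
# the clone path so the sudoers rule can be exact; --ff-only refuses to create a
# merge commit inside the served checkout if the two repositories ever diverge.
update_script_text() {
    cat <<'EOF'
#!/bin/sh
set -eu
cd /var/www/site
exec git pull --ff-only origin master
EOF
}

# Hook entry point. -n makes sudo fail immediately instead of prompting, so a
# misconfigured rule shows up as an error in the push output, not a hung hook.
run_hook() {
    if master_was_pushed; then
        sudo -n -u www-data /usr/local/bin/update-www-clone
    else
        echo "post-receive: master not updated, nothing to do" >&2
    fi
}

# Only act when installed under the hook's name; run under any other name the
# functions above are merely defined, which is what the checks below rely on.
if [ "${0##*/}" = "post-receive" ]; then
    run_hook
fi
```

After installing the rule with `visudo`, `sudo -l -U gitosis` (as root) should list exactly the one command, and from the gitosis account `sudo -n -u www-data /usr/local/bin/update-www-clone` should run without any prompt; if it prints a "password is required" error instead, the rule does not match and the hook will fail the same way.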