Git Push & Checkout As A Non-Privileged User

CentOS 6, Git 1.7.1

I’m a huge advocate for server security, as my other posts will testify to.

Today, I’m going to push code to a bare Git repo and then check out that code using a post-receive hook. For this operation, SSH login has been disabled for the root user for obvious security reasons. Take the wizard’s staff, right?

Pushing to a repo as a non-privileged user can result in some frustration if the user doesn’t have sufficient privileges for the actions performed by the Git hooks.

The Goal

Sly, Bruce and Arnie are not root users. But, they want to push changes to the Planet Hollywood codebase and see the effect on the Planet Hollywood website. Seeing as they paid for it, we should let them! For example:

[Image: Non-Privileged User Repo]

We need to allow them to push to the repo, even though we certainly don’t want them to have root access – srsly!

Some Alternatives

We could set up a shared repo like so and leave it at that:

$ git init --bare --shared=group

And that would work for different users who belong to the group. BUT, a post-receive action where the code is moved somewhere else afterwards will create a problem, since the user cannot create files on the server due to permission restrictions.

There are some Git tools that get around this problem, none of which I’m particularly fond of. However, they may be perfect for you, so check them out first (gitolite). Personally, I don’t need or want all that bloat and the following solution is loads easier.

Let’s work around our problem.

A Cleaner Solution

Firstly, we need that shared repo. We use a bare repo and our code is checked out using a post-receive hook to the codebase after every push.

$ git init --bare --shared=group

Now, we need to ensure that our user belongs to the group. I’m going to use the actionhero group, since actionhero group will own my codebase (where the Git hook will push my code after receive). In my case, actionhero group does not exist yet, so I’ll create it first. You can skip the first step if you have an actionhero group already 😉

$ groupadd actionhero
$ usermod -a -G actionhero jason

Now that the user jason belongs to our actionhero group, we need to set the permissions on the checkout destination (the codebase). We navigate to the codebase and run our chown command.

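$ cd /var/www/
$ ls
site.com logs
# Only the actionhero group was created above (no actionhero user), so change the group owner only
$ chown -R :actionhero site.com/
# Group members also need write permission to create and replace files during checkout
$ chmod -R g+w site.com/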

Now actionhero owns the codebase for site.com. Our post-receive hook will check out the code to /var/www/site.com after every code push to the repo. The files will be successfully checked out, since they are owned by actionhero.

Erm, it might be prudent to use the apache group, rather than actionhero 😉

For completeness, here’s my post-receive hook (chmod 0775):

#!/bin/sh
GIT_WORK_TREE=/var/www/site.com/ git checkout -f
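
A hardened variant of the hook above, as an added example rather than the author's code: it deploys only when one branch is pushed, sets umask 002 so checked-out files stay group-writable, and refuses to check out if anything in the work tree is not owned by the group or lacks the group-write bit. The branch name master, the environment overrides and the helper names deploy_target and not_group_writable are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the author's hook. Assumed values: branch master,
# group actionhero, work tree /var/www/site.com (override via environment).
WORK_TREE=${WORK_TREE:-/var/www/site.com}
DEPLOY_REF=${DEPLOY_REF:-refs/heads/master}
DEPLOY_GROUP=${DEPLOY_GROUP:-actionhero}

# post-receive gets "<old-sha> <new-sha> <ref>" lines on stdin. Print the new
# commit id when DEPLOY_REF was updated; print nothing for other refs or for
# a deletion (new-sha is all zeros).
deploy_target() {
    while read -r old new ref; do
        [ "$ref" = "$DEPLOY_REF" ] || continue
        case "$new" in
            *[!0]*) printf '%s\n' "$new" ;;
        esac
    done
}

# List entries under $1 that are not owned by group $2 or lack the
# group-write bit, i.e. the ones a group member's checkout may fail on.
not_group_writable() {
    find "$1" ! -type l \( ! -group "$2" -o ! -perm -020 \) -print
}

main() {
    umask 002    # files written by the checkout stay group-writable
    target=$(deploy_target)
    [ -n "$target" ] || exit 0    # push did not update the deployed branch
    bad=$(not_group_writable "$WORK_TREE" "$DEPLOY_GROUP") || exit 1
    if [ -n "$bad" ]; then
        # stderr of a hook is relayed to the person pushing
        echo "deploy skipped: fix group ownership/permissions on:" >&2
        printf '%s\n' "$bad" >&2
        exit 1
    fi
    GIT_WORK_TREE=$WORK_TREE git checkout -f "${DEPLOY_REF#refs/heads/}"
}

# Run only when installed as hooks/post-receive, so the functions can be
# sourced and tested without touching a repository.
case "${0##*/}" in
    post-receive) main ;;
esac
```

The push itself has already been accepted by the time post-receive runs, so a non-zero exit here only skips the deployment and reports why to the person pushing.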

That is all for now folks.
