
Running a privileged script from a post-receive git hook on my server [Resolved]

Say I have the following workflow to deploy a new version of my webapp. It's a small app, so all the build + deploy work is done on the same server (example.co).

  • A user executes git push which pushes new code up to my server (example.co)
  • The server has a bare git repository which receives the changes. It kicks off a post-receive hook
  • The post-receive hook runs a build script which builds a new docker container and starts it up

The git repository is managed by a dedicated git user on my server. This is so that any developer can add a git remote SSH URL like ssh://git@example.co:/some/path.git and push up to it using SSH.

The build and deploy work is done by a deploy user since this requires sudo permission.

How do I have my git user kick off a script as the deploy user? Should the git user even have any way to do that, because anyone could ssh into the machine under the git user, right?

Is there a better way to segment these permissions?

Thanks!


Question Credit: user2490003
Asked October 4, 2019
Tags: permissions
Posted Under: Network
1 Answer

You grant permission to the git user to run the script you want it to run as the deploy user:

git ALL=(deploy) NOPASSWD: /usr/local/bin/some-script ""

Should the git user even have any way to do that, because anyone could ssh into the machine under the git user right?

Well, for starters, hopefully not anyone can log into the machine, only people who have a legitimate need to access that account. Secondly, SSH as the git user should be triggering a forced command, so the people logging in shouldn't be able to trigger the deploy script arbitrarily. Finally, the script being invoked should be written in such a way that it can't do anything more damaging than "redeploy known-safe code which already got deployed before", so there really shouldn't be any downside to someone being able to trigger the script repeatedly, other than perhaps resource exhaustion.


credit: womble
Answered October 4, 2019
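The hook side of the arrangement described in the answer, as an added example that is not part of the original post or answer: a post-receive hook installed in the bare repository owned by the git user, which only calls the deploy script through sudo when the deploy branch was actually updated, and passes it no arguments so the sudoers rule with the trailing "" applies. The branch name refs/heads/main, the path /usr/local/bin/some-script and the DEPLOY_DRY_RUN variable are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): post-receive hook for the bare
# repository owned by the "git" user. It pairs with the sudoers rule
#   git ALL=(deploy) NOPASSWD: /usr/local/bin/some-script ""
# and with the git account being restricted to git-shell (or a forced command
# in authorized_keys), so that pushers cannot run this hook by hand.
# Assumed names: branch refs/heads/main, script /usr/local/bin/some-script.

DEPLOY_BRANCH="refs/heads/main"
DEPLOY_SCRIPT="/usr/local/bin/some-script"

# should_deploy: git feeds "oldrev newrev refname" lines on stdin, one per
# updated ref. Return 0 only if the deploy branch moved to a real commit.
should_deploy() {
    status=1
    while read -r oldrev newrev refname; do
        [ "$refname" = "$DEPLOY_BRANCH" ] || continue
        # An all-zero newrev means the branch was deleted; never deploy that.
        case "$newrev" in
            0000000000000000000000000000000000000000) continue ;;
        esac
        status=0
    done
    return "$status"
}

# run_deploy: switch to the deploy user non-interactively (-n fails instead of
# prompting). No arguments are passed, so nothing from the push reaches the
# privileged script; it decides what to build from the repository itself.
run_deploy() {
    sudo -n -u deploy "$DEPLOY_SCRIPT"
}

# Only act when git is running us as a hook (GIT_DIR is set by receive-pack)
# and the operator has not asked for a dry run.
if [ -n "${GIT_DIR:-}" ] && [ -z "${DEPLOY_DRY_RUN:-}" ]; then
    if should_deploy; then
        run_deploy
    else
        echo "post-receive: $DEPLOY_BRANCH not updated, nothing to deploy" >&2
    fi
fi
```

Anything the deploy script needs beyond the repository contents (image tag, environment) belongs in the script or its own configuration, since the sudoers rule above rejects any arguments.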