在nginx和php-fpm环境中使用git post-receive hook [英] Using git post-receive hook with nginx and php-fpm environment
问题描述
我有一个用git,gitosis,nginx和php-fpm设置的CentOS 6服务器。
使用我们的设置,nginx通过php-fpm执行php脚本,因为我们不希望出现这样的情况,即如果一个站点受到攻击,所有的站点都会受到攻击,因此出于安全目的(即,并非所有用户都在nginx:nginx下) p>
我们的环境很好,但是,当涉及到git时,php-fpm创建了一个基本问题。
在本地成功运行以下命令:
$ git push来源
我的post-receive钩子正在运行:
#!/ bin / sh
GIT_WORK_TREE = / var / www / vhosts / example.com / httpdocs git checkout -f
通常情况下,这会将repo的内容复制到httpdocs文件夹中,但是由于安装了php-fpm并且目录+文件归属于特定用户,gitosis(或任何其他非root用户)无法写入目录。这是由以下错误:
remote:error:git checkout-index:无法创建文件index.php(权限被拒绝)
它是有道理的,这就是我所期望的。但是,我想知道在这个特定情况下是否有办法解决这个问题?有没有一种方法可以修改post-receive钩子以root身份运行(它目前由 gitosis
用户运行)或以某种其他方式运行,以便它成功?
要明确:设置没有其他问题,git工作正常,nginx / php-fpm工作正常,但这是一个权限问题,我我不太清楚如何解决。
您可以使用 sudo
让钩子以 user1
, user2
, user3
或任何您的系统需要。您需要考虑让 gitosis
用户能够伪装成您的网络用户的安全隐患,即使在有限的范围内也是如此。
示例配方
考虑到 post-receive
钩子以用户 gitorious
运行,并假设您的Web用户被称为 user1
, user2
, user3
etc ...
将当前的post-receive钩子移动到 /usr/local/sbin/update-user1.sh
或其他适合的位置,并确保它是可执行的。
添加一些东西像这些行 / etc / sudoers :
gitosis localhost =( user1)NOPASSWD:/usr/local/sbin/update-user1.sh
gitosis localhost =(user2)NOPASSWD:/usr/local/sbin/update-user2.sh
gitosis localhost =(user3) NOPASSWD:/usr/local/sbin/update-user3.sh
... etc ...
然后你的post-receive钩子 user1
可能会变成类似于:
sudo -u user1 /usr/local/sbin/update-user1.sh
同样对于其他用户。
未经测试,所以请在实施前测试!
I have a CentOS 6 server set up with git, gitosis, nginx, and php-fpm.
With our setup, nginx executes php scripts via php-fpm, which is configured on a per-site basis to run as a specific user for security purposes (i.e. not all under nginx:nginx) since we don't want the situation where if one site is compromised, all sites are compromised.
Our environment works great, but, when git is involved, php-fpm creates a fundamental issue.
Upon successfully running the following command locally:
$ git push origin
My post-receive hook is run:
#!/bin/sh
GIT_WORK_TREE=/var/www/vhosts/example.com/httpdocs git checkout -f
Normally, this would copy the contents of the repo into the httpdocs folder, however since php-fpm is installed and the directory+files are owned by a specific user, gitosis (or any other non-root user) can not write to the directory. This is made evident by the following error:
remote: error: git checkout-index: unable to create file index.php (Permission denied)
It makes sense, and that is what I would expect. However, I am wondering if there is a way to get around this issue in this specific case? Is there a way I can modify the post-receive hook to run as root (it is currently run by the gitosis
user) or in some other fashion in order for it to succeed?
Just to be clear: there are no other problems with the setup, git works fine, nginx/php-fpm work fine, but this is a permissions issue which I am not quite sure how to get around.
You could use sudo
to get the hook to run as user1
, user2
, user3
, or whatever your system needs. You would need to consider the security implications of having the gitosis
user able to masquerade as your web users, even if to a limited extent.
Example recipe
Given that the post-receive
hook runs as user gitorious
and assuming your web users are called user1
, user2
, user3
etc...
Move your current post-receive hook into /usr/local/sbin/update-user1.sh
, or some other suitable place, and make sure it's executable.
Add something like these lines to /etc/sudoers
:
gitosis localhost = (user1) NOPASSWD: /usr/local/sbin/update-user1.sh
gitosis localhost = (user2) NOPASSWD: /usr/local/sbin/update-user2.sh
gitosis localhost = (user3) NOPASSWD: /usr/local/sbin/update-user3.sh
... etc ...
And then your post-receive hook for user1
could become something like:
#!/bin/sh
sudo -u user1 /usr/local/sbin/update-user1.sh
Similarly for other users.
Untested, so please test before implementing!
这篇关于在nginx和php-fpm环境中使用git post-receive hook的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!