Using git post-receive hook with nginx and php-fpm environment


Problem description

I have a CentOS 6 server set up with git, gitosis, nginx, and php-fpm.

With our setup, nginx executes php scripts via php-fpm, which is configured on a per-site basis to run as a specific user for security purposes (i.e. not all under nginx:nginx) since we don't want the situation where if one site is compromised, all sites are compromised.

Our environment works great, but, when git is involved, php-fpm creates a fundamental issue.

Upon successfully running the following command locally:

$ git push origin

My post-receive hook is run:

#!/bin/sh
GIT_WORK_TREE=/var/www/vhosts/example.com/httpdocs git checkout -f

Normally, this would copy the contents of the repo into the httpdocs folder, however since php-fpm is installed and the directory+files are owned by a specific user, gitosis (or any other non-root user) can not write to the directory. This is made evident by the following error:

remote: error: git checkout-index: unable to create file index.php (Permission denied)

It makes sense, and that is what I would expect. However, I am wondering if there is a way to get around this issue in this specific case? Is there a way I can modify the post-receive hook to run as root (it is currently run by the gitosis user) or in some other fashion in order for it to succeed?

Just to be clear: there are no other problems with the setup, git works fine, nginx/php-fpm work fine, but this is a permissions issue which I am not quite sure how to get around.

Solution

You could use sudo to get the hook to run as user1, user2, user3, or whatever your system needs. You would need to consider the security implications of having the gitosis user able to masquerade as your web users, even if to a limited extent.

Example recipe

Given that the post-receive hook runs as user gitosis and assuming your web users are called user1, user2, user3 etc...

Move your current post-receive hook into /usr/local/sbin/update-user1.sh, or some other suitable place, and make sure it's executable.

Add something like these lines to /etc/sudoers:

gitosis    localhost = (user1) NOPASSWD: /usr/local/sbin/update-user1.sh
gitosis    localhost = (user2) NOPASSWD: /usr/local/sbin/update-user2.sh
gitosis    localhost = (user3) NOPASSWD: /usr/local/sbin/update-user3.sh
... etc ...

And then your post-receive hook for user1 could become something like:

#!/bin/sh
sudo -u user1 /usr/local/sbin/update-user1.sh

Similarly for other users.

Untested, so please test before implementing!
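A hardened version of the answer's recipe, written as an added example that is not part of the original answer and not code shipped by gitosis: the deploy script with the checks a practitioner would add before trusting a sudo rule, the sudoers line it needs, and the hook that calls it. Every name is an assumption to be adjusted to your layout: the bare repository at /var/lib/gitosis/repositories/example.git, the deploy user user1, the script path /usr/local/sbin/update-user1.sh and the work tree /var/www/vhosts/example.com/httpdocs. Two caveats the answer glosses over are handled here: the sudoers Host field is matched against the machine's hostname, so "localhost" only matches when the hostname really is localhost (ALL is used instead), and because sudo's default env_reset drops the GIT_DIR variable git sets for hooks, the script names the repository and work tree explicitly.

```sh
#!/bin/sh
# Added example, not the original answer's code: a hardened /usr/local/sbin/update-user1.sh.
# Assumed names: hook user "gitosis", web user "user1", bare repo
# /var/lib/gitosis/repositories/example.git, work tree /var/www/vhosts/example.com/httpdocs.
#
# Install root-owned, mode 0755, so the gitosis user can trigger the script but cannot edit it.
# Every path is fixed here rather than taken from arguments or the environment: a sudoers
# command listed without arguments may be run with *any* arguments, so the script must not
# act on them, and sudo's env_reset drops GIT_DIR from the hook environment anyway.

GIT_DIR_FIXED=/var/lib/gitosis/repositories/example.git
WORK_TREE_FIXED=/var/www/vhosts/example.com/httpdocs
DEPLOY_USER=user1

# Emits the /etc/sudoers line letting HOOK_USER run SCRIPT as WEB_USER without a password.
# Host field is ALL: sudo matches it against the hostname, so "localhost" rarely matches.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# True when the effective user is the one named (i.e. sudo really switched users).
running_as() {
    [ "$(id -un)" = "$1" ]
}

# True only if the work tree is an absolute path, exists, and is owned by the given user,
# so a mis-set path cannot make the checkout land somewhere the web user should not touch.
# stat -c is GNU coreutils (fine on CentOS); uids are compared numerically.
check_worktree() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    [ -d "$1" ] || return 1
    owner_uid=$(stat -c %u "$1") || return 1
    want_uid=$(id -u "$2" 2>/dev/null) || return 1
    [ "$owner_uid" = "$want_uid" ]
}

# The deploy itself: refuse unless we are the web user and the target is sane, then check
# out HEAD of the bare repository into the work tree. user1 must be able to read the bare
# repository for this to succeed; gitosis repositories are often not world-readable.
deploy() {
    running_as "$DEPLOY_USER" || { echo "update-user1.sh: must run as $DEPLOY_USER" >&2; return 1; }
    check_worktree "$WORK_TREE_FIXED" "$DEPLOY_USER" || { echo "update-user1.sh: bad work tree $WORK_TREE_FIXED" >&2; return 1; }
    git --git-dir="$GIT_DIR_FIXED" --work-tree="$WORK_TREE_FIXED" checkout -f
}

# Hook side, installed as hooks/post-receive in the bare repository (runs as gitosis):
#   #!/bin/sh
#   cat >/dev/null            # drain the "old new ref" lines git feeds on stdin
#   exec sudo -u user1 /usr/local/sbin/update-user1.sh
# The matching sudoers line is what sudoers_rule prints:
#   sudoers_rule gitosis user1 /usr/local/sbin/update-user1.sh

# Only deploy when invoked under the installed name, so the functions can be sourced elsewhere.
case "$0" in
    */update-user1.sh) deploy ;;
esac
```

On the security trade-off the answer mentions: the gitosis user already decides what bytes end up in the web root, so letting it trigger this script adds little beyond that, provided the script is root-owned, ignores its arguments and hard-codes its paths; a sudo rule on a script the hook user can edit, or one that takes the work tree from the command line, would instead hand that user a way to run arbitrary commands as every web user.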
