
So I have a Laravel PHP app on Nginx on Ubuntu 20.04. I have a simple deploy.sh script that will:

  1. Put Laravel into maintenance mode, so it returns a 503 error if anyone visits the site
  2. Pull down the current source from GitHub using a read-only deploy key
  3. Run a composer install
  4. Disable maintenance mode

My goal is to have this shell script be executed by Nginx when it receives a validated HTTP webhook request from GitHub saying there was new code pushed to the repository.

Now, for server security, the Nginx user "www-data" has only read access to the files, and write access only where needed (i.e. /storage to write logs and save file uploads).

So I am going to need the shell script to run as the user "deploy", who owns all the files. I am a bit confused when I look into this.

I read about setuid, but that is disabled on shell scripts for security in most Linux environments. Can someone confirm whether this is true of Ubuntu 20.04 and, if so, is there another way to accomplish what I need?

  • https://github.com/adnanh/webhook – Michael Hampton Mar 10 '21 at 23:25
  • I think all versions of the Linux kernel ignore the setuid flag on interpreted programs (other UNIX flavours may differ). I found that you can probably [patch this on 3.x kernels](https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts). However, rather than making your system insecure, you could try `sudo`. It can be configured so that `www-data` is allowed to change its identity only for certain commands. – berndbausch Mar 10 '21 at 23:54
  • I went ahead and just set up the webhook service @Michael Hampton; so far that seems to be the best solution. I am going to test proxying that through nginx so I don't even have to open up a new port and can piggyback off of my main site's SSL and Cloudflare protection. –  Mar 11 '21 at 01:08
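To make the `sudo` route from the comments concrete, here is an added example (not the asker's deploy.sh and not part of adnanh/webhook): a shell helper that checks GitHub's `X-Hub-Signature-256` header against the raw body, the one-line sudoers rule that lets www-data run only this script as "deploy", and the four deploy steps from the question. Paths (/usr/local/bin/deploy.sh, /var/www/app) and the branch name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout:
# this file is /usr/local/bin/deploy.sh (owned by deploy, mode 0755)
# and the Laravel app lives in /var/www/app.
set -eu

# GitHub signs the raw request body with HMAC-SHA256 using the webhook
# secret and sends "sha256=<hex>" in the X-Hub-Signature-256 header.
# Compute over the raw bytes, never over re-serialised JSON. Returns 0
# only on a match. The string compare is not constant-time; a PHP
# receiver should use hash_equals() for the same check.
verify_github_signature() {
  secret="$1"; body="$2"; header="$3"
  expected="sha256=$(printf '%s' "$body" \
    | openssl dgst -sha256 -hmac "$secret" | awk '{print $NF}')"
  [ "$header" = "$expected" ]
}

# Privilege boundary: the kernel ignores setuid on scripts, so instead
# one sudoers entry (install with: visudo -f /etc/sudoers.d/deploy-hook)
# lets www-data run exactly this script, as deploy, with no arguments:
#
#   www-data ALL=(deploy) NOPASSWD: /usr/local/bin/deploy.sh ""
#
# The trailing "" forbids arguments; NOPASSWD is needed because the web
# server has no terminal to answer a password prompt. The web-side
# handler then runs:  sudo -n -u deploy /usr/local/bin/deploy.sh
# (-n makes sudo fail immediately instead of hanging if the rule is absent.)

# The four steps from the question, executed as "deploy". With set -e a
# failing pull or composer run exits before "artisan up", so a broken
# push leaves the 503 in place rather than serving a half-updated tree;
# that exit status is what the webhook handler should log.
run_deploy() {
  app="${1:-/var/www/app}"
  cd "$app"
  php artisan down
  git pull --ff-only origin main      # read-only deploy key, no merges
  composer install --no-dev --no-interaction --optimize-autoloader
  php artisan up
}

# Usage (as the deploy user):  /usr/local/bin/deploy.sh
# Call run_deploy here when installing; left out so the file can be
# sourced to test verify_github_signature without touching the app.
```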

0 Answers