Following the instructions in A web-focused Git workflow I set up a prime and hub repository on my web server and then cloned the hub to my machine at home.

I started testing commits and pushes with changed files in documentroot and the changes would appear fine on the root of the webserver. However, when I tried to push a file in a subdirectory, I rec'd the following message:

```
remote:
remote: **** Pulling changes into Prime [Hub's post-update hook]
remote:
remote: From /home/git/site_hub
remote:  * branch            master     -> FETCH_HEAD
remote: error: unable to create file academy/testthegit2.html (Permission denied)
```

Again, no permission issues in the web root, but put a file in a subdir and an error is tossed.

The git user is in the apache group and the sub-directories are chmod 755.

Here is the hub's post-update:

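```sh
#!/bin/sh

echo
echo "**** Pulling changes into Prime [Hub's post-update hook]"
echo

# Switch to the prime (live) working tree; stop if it is not reachable.
cd /usr/local/apache/htdocs || exit
# The hook runs with GIT_DIR pointing at the hub; unset it so that
# git operates on the repository in the current directory instead.
unset GIT_DIR
git pull hub master

exec git-update-server-info
```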

and the prime (document root's) post-update:

```sh
#!/bin/sh

echo
echo "**** pushing changes to Hub [Prime's post-commit hook]"
echo

git push hub
```

To reiterate, works in root, fails in subdir.

Thanks for any advice.

Ian

1 Answer

You need to add a wrapper to correct permissions on your post-update hook. Depending on how your server is set up, this involves different steps. I'll describe my use case and hopefully you can adapt it to your needs.

In my server, the bare repositories (hub ones) are managed by gitosis/gitolite/plain git user with git-shell. Files under $GITOSIS_HOME are owned by gitosis:gitosis and are umasked 077.

For the changes to be pulled correctly, I needed to add a call to a helper script I'm storing in /usr/local/bin that recursively sets owner, group, permissions and SELinux context in the prime/live repository.

Incidentally, I also needed to add a line to my sudoers(5) file to allow gitosis to run the script as root with !requiretty and NOPASSWD.

dawud
  • Thanks. Would it be as simple as adding the git user to sudoers and allowing it to run git pull hub master as apache? I guess I'm unclear on the workflow of changing the web root permissions if it can't create the file there. – Ian Apr 12 '13 at 23:44
  • Added git ALL=(apache) NOPASSWD: /usr/bin/git to sudoers. rec'd the following when I tried to push from my laptop. `remote: sudo: no tty present and no askpass program specified` `To ssh://git@example.com/~/site_hub` – Ian Apr 13 '13 at 01:01
  • in case it helps, the laptop I'm pushing from is running msysGit as the client. – Ian Apr 13 '13 at 03:43
  • You are still missing to override the `Default requiretty` for the git user `Default:git !requiretty` – dawud Apr 13 '13 at 08:37
  • No, it's there. These are the last two lines in my sudoer: `Defaults:git !requiretty`, `git ALL=(apache) NOPASSWD: /usr/bin/git` but it still doesn't work. (Just to clarify my sudoer file says Defaults, not Default.) – Ian Apr 13 '13 at 19:55
  • @Ian, last line should be `git HOSTNAME=(root)NOPASSWD: /path-to-helper-script-that-is-called/from/the/post-update-hook-of-the-hub/that/corrects-permissions` – dawud Apr 13 '13 at 19:59
  • Ah, I actually hadn't written a helper script, was just trying to run git as apache. So do I take the post-update script I have above and put that into a new script which also calls the chmod and/or chown? Do those lines go after my git lines? – Ian Apr 13 '13 at 20:10
  • @Ian, what I do is call the script from the post-update hook; after your lines should be fine – dawud Apr 13 '13 at 20:18
  • Sigh. Despite the change in sudoers, I'm now getting `remote: hooks/post-update: line 2: /usr/bin/mygitdeployhelper.sh: Permission denied` – Ian Apr 13 '13 at 21:07
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8323/discussion-between-dawud-and-ian) – dawud Apr 13 '13 at 21:10
  • As I mentioned in chat, tired coding made me forget to call the helper with sudo... which was a smack to the head considering I was working with sudoer. Thanks to dawud. – Ian Apr 13 '13 at 21:49
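
The helper-script approach from the answer and comments above, as an added example that is not dawud's actual script. The path `/usr/local/bin/fix-prime-perms.sh`, the `apache:apache` ownership and the group-writable, setgid modes are assumptions to adapt; the sudoers and hook lines in the comments follow the forms quoted in the thread.

```sh
#!/bin/sh
# Hypothetical helper, installed as /usr/local/bin/fix-prime-perms.sh
# (owned by root, mode 0755, not writable by the git user).
#
# Assumed sudoers entries (edit with visudo):
#   Defaults:git !requiretty
#   git ALL=(root) NOPASSWD: /usr/local/bin/fix-prime-perms.sh
# Assumed last line of the hub's post-update hook, after `git pull hub master`:
#   sudo /usr/local/bin/fix-prime-perms.sh

# The script runs as root without a password, so the target is hard-coded
# and no caller-supplied path or argument is ever honoured.
PRIME=/usr/local/apache/htdocs   # document root from the question
OWNER=apache                     # assumed owner
GROUP=apache                     # assumed group; the git user is a member

fix_perms() {
    # $1 = tree to fix, $2 = owner, $3 = group
    # Refuse anything that is not a real directory (a symlink could
    # redirect a root-run recursive chown somewhere else).
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "refusing: $1" >&2; return 1; }
    # -h changes symlinks themselves, never the files they point to.
    chown -hR "$2:$3" "$1" || return 1
    # Owner and group may write; X keeps existing execute bits (hooks, CGI)
    # and makes directories searchable. World read access is left untouched.
    chmod -R ug+rwX,o-w "$1" || return 1
    # setgid on directories: new files and subdirectories inherit the group.
    find "$1" -type d -exec chmod g+s {} + || return 1
    # Restore SELinux labels only where SELinux is present and enabled.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$1" || return 1
    fi
}

# Act only when executed under the installed name, not when sourced.
case "${0##*/}" in
    fix-prime-perms.sh) fix_perms "$PRIME" "$OWNER" "$GROUP" ;;
esac
```

With mode 755 a directory grants its group only read and search access, so group membership alone does not let the git user create files in it; the group-write and setgid bits set here are what allow the next pull to write into subdirectories.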