I'm trying to set up a simple PHP script that can do a git pull when you go to a particular URL on an AWS Amazon Linux 2 AMI test web server I have set up.

I ran into some issues trying to do that though, and have since been following this article to try to work things out: https://jondavidjohn.com/git-pull-from-a-php-script-not-so-simple/

I'm stuck on the step where the author says to run sudo -u www git pull.

In my system, apache is the Apache user that we need to do a git pull for in order to add the necessary SSH key info, but it's not working. When I try to run the following:

sudo -u apache git pull

I get the following error:

Failed to add the host to the list of known hosts (/usr/share/httpd/.ssh/known_hosts).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I don't know if this is an issue, but there is no .ssh directory under /usr/share/httpd. There is a known_hosts file under ~/.ssh, so maybe that's the one I need to worry about? I'm not really sure.

This very much feels like a permissions error (the error message suggests as much), but I'm really not sure what file where needs to be changed and how. Any advice would be greatly appreciated. Thank you.

HartleySan

  • By `~/.ssh` do you mean `/home/apache/.ssh`? Or which user do you log in with? Does the apache user have a shell configured? Which permissions does the apache user have on `/usr/share/httpd`? – ArSeN Mar 10 '20 at 18:14
  • Sorry for the lack of clarity. `~` is for `ec2-user`, the default user for AWS EC2 instances. There is no `/home/apache` dir. Also, the `/usr/share/httpd` dir has the following owner and group: `root:root`. – HartleySan Mar 10 '20 at 18:24
  • Last point is probably your problem then. `sudo -u apache` runs the command with the apache user, not with root. And if the `.ssh/known_hosts` is tried to be created inside of `/usr/share/httpd`, the apache user won't have access to that. Depending on your security requirements you could just change the owner or permissions of /usr/share/httpd - but I would not recommend that on a publicly accessible server for obvious reasons. – ArSeN Mar 10 '20 at 18:33
  • Thanks, ArSeN. Your comment helped me get rid of the first line in the error: `Failed to add the host to the list of known hosts (/usr/share/httpd/.ssh/known_hosts).` I was able to change the permissions back after that and it's still okay. I'm still getting the rest of the error though (from `Permission denied (publickey).` down). Any ideas? – HartleySan Mar 10 '20 at 19:11
  • `Permission denied (publickey).` means that your public key is not listed on the remote you are trying to connect to (that means you are not using the proper private key). I'd make sure I'd put them into the same `.ssh` directory; it should probably be called `id_rsa` on an Amazon Linux AMI. The fatal seems to be a subsequent error. – ArSeN Mar 10 '20 at 19:41
  • Yes, that's what I was thinking, ArSeN. Thanks. I already have a key set up for `ec2-user` that's registered in Bitbucket and working fine. How do I set up a key for the `apache` user (or can I somehow use the same key)? Thank you. – HartleySan Mar 10 '20 at 19:54
  • SSH keys do not relate to the system user opening the connection. Just move your `id_rsa` file from the ec2-user's .ssh directory to the one mentioned before. – ArSeN Mar 10 '20 at 20:29

2 Answers


Many thanks to ArSeN for walking me through the process in our comments back and forth above. What ultimately solved this for me was changing the permissions on the /usr/share/httpd dir where the apache user SSH key needs to go, and then copying the SSH key already in use by ec2-user over to that directory.

Here're the commands I ran:

sudo chown -R ec2-user:apache /usr/share/httpd
sudo chmod -R 777 /usr/share/httpd
sudo cp -r /home/ec2-user/.ssh/ /usr/share/httpd/.ssh/
sudo chown -R ec2-user:apache /usr/share/httpd
sudo chmod -R 755 /usr/share/httpd
sudo chown -R ec2-user:apache /var/www
cd /var/www/project-name/
sudo -u apache git pull
sudo chown -R ec2-user:apache /var/www

As you can see in the commands, for whatever reason, I had to run chown several times to get the user/group stuff set correctly, but ultimately it worked and I was able to get what I want. Thanks again, ArSeN.

HartleySan


Try removing known_hosts then re-try:

rm ~/.ssh/known_hosts

in case of insufficient permission:

sudo chmod -R 700 ~/.ssh/

Khoi Ngo
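Both answers above come down to where the apache user's `.ssh` directory lives and what permissions it has. The following script is an added example (not code from either answer): it gives the service account its own deploy key in a `.ssh` directory with least-privilege modes (700 on the directory, 600 on the key), pre-populates `known_hosts` so the first connection never has to write it, and builds the `core.sshCommand` value that pins git to that key and that `known_hosts` file regardless of which user runs `git pull`. That removes the need for `chmod -R 777` or for copying the interactive user's `id_rsa`. The path `/usr/share/httpd`, the key name `deploy_key`, the optional owner argument and the sample host-key line are assumptions for illustration; a real `known_hosts` entry must come from the Git host's published fingerprints.

```shell
#!/bin/sh
# Added example, not from the question or the answers. Sets up a dedicated
# SSH deploy key for a service account (e.g. apache) with strict permissions.

# install_deploy_key HOME_DIR KEY_FILE [OWNER]
#   Creates HOME_DIR/.ssh (mode 700), copies KEY_FILE there as deploy_key
#   (mode 600), creates an empty known_hosts (mode 644) and, when OWNER is
#   given and the caller is root, hands the directory to OWNER (e.g. apache).
install_deploy_key() {
    home_dir="$1"; key_file="$2"; owner="${3:-}"
    ssh_dir="$home_dir/.ssh"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    cp "$key_file" "$ssh_dir/deploy_key"
    chmod 600 "$ssh_dir/deploy_key"
    touch "$ssh_dir/known_hosts"
    chmod 644 "$ssh_dir/known_hosts"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$ssh_dir"
    fi
}

# add_known_host SSH_DIR HOSTKEY_LINE
#   Appends one host-key line (obtained out of band, e.g. from the Git host's
#   published fingerprints) so ssh does not need to write known_hosts on the
#   first connection. An identical existing line is not duplicated.
add_known_host() {
    ssh_dir="$1"; line="$2"
    grep -qxF -- "$line" "$ssh_dir/known_hosts" 2>/dev/null \
        || printf '%s\n' "$line" >> "$ssh_dir/known_hosts"
}

# check_ssh_dir_perms SSH_DIR
#   Returns 0 when the directory is 700, the deploy key is 600 and nothing in
#   the directory is group- or world-writable; otherwise reports each offending
#   path and returns 1. Useful as a sanity check after the chown/chmod dance.
check_ssh_dir_perms() {
    ssh_dir="$1"; rc=0
    [ "$(stat -c %a "$ssh_dir")" = "700" ] \
        || { echo "bad mode on $ssh_dir"; rc=1; }
    [ "$(stat -c %a "$ssh_dir/deploy_key")" = "600" ] \
        || { echo "bad mode on $ssh_dir/deploy_key"; rc=1; }
    for f in "$ssh_dir"/*; do
        # last octal digit = others, second-to-last = group; 2,3,6,7 carry 'w'
        case "$(stat -c %a "$f")" in
            *[2367]|*[2367]?) echo "group/world writable: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# git_ssh_command SSH_DIR
#   Prints the value for git's core.sshCommand so the repository always uses
#   the deploy key and this known_hosts file, whoever runs git pull.
git_ssh_command() {
    printf 'ssh -i %s/deploy_key -o IdentitiesOnly=yes -o UserKnownHostsFile=%s/known_hosts' "$1" "$1"
}
```

Run as root on the server: `install_deploy_key /usr/share/httpd /path/to/new_deploy_key apache`, then `add_known_host /usr/share/httpd/.ssh '<host-key line from the Git host>'`, and inside the repository `git config core.sshCommand "$(git_ssh_command /usr/share/httpd/.ssh)"` (`core.sshCommand` needs git 2.10 or later; older versions can export `GIT_SSH_COMMAND` instead). Register the new key's public half as a read-only deploy key on the Git host rather than reusing `ec2-user`'s key, so the web server's key can be revoked on its own.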