
Looking for a secure method of running a php git post-receive hook

I have a hook which executes a git pull, but it fails when it needs to write added files. The user it operates as is apache, and it can execute the git pull fine when write permissions are granted to it (by adding apache to a group with write access).

I have come up with a few solutions...

  • keeping apache in the group with write permissions (feels insecure)
  • changing ownership of the files to apache (insecure and hacky)
  • using sudo (but that would require storing a password or having no password)
  • executing a chmod adding write for apache before and after the git pull's execution (hacky)

However, all of these seem like insecure or hacky solutions.

Please share any suggestions or methods you have used to get around these problems. I am curious to hear any solution, especially if you've had to jump this hurdle yourself.

Another solution (possibly old-school) is to create a setuid program to perform the actual work, then run that setuid program from the hook.

If you are running with SELinux, you may need to tweak the permissions to get the setuid program to run from the hook, given that the hook runs as the Apache user.
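As an added illustration of the setuid approach above (example code, not from the answer or the original poster), here is a minimal wrapper written to be installed setuid/setgid to a separate deploy user that owns the checkout. The git path (/usr/bin/git), the repository directory (/var/www/site) and the user name "deploy" are assumptions; adjust them for the host. The wrapper hard-codes the command, accepts only a branch name from the caller and validates it so the hook cannot smuggle git options (anything starting with "-") or odd paths into the argument list, execs git with a fixed environment, and makes the privilege change permanent before doing so. It targets Linux/glibc because of setresuid/getresuid.

```c
#define _GNU_SOURCE          /* setresuid/getresuid on glibc */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed paths for this example; change them to match the deployment. */
#define GIT_BIN  "/usr/bin/git"
#define REPO_DIR "/var/www/site"
#define MAX_REF  128

/* Fully controlled environment: nothing from the hook's environment
 * (PATH, GIT_DIR, GIT_SSH, LD_PRELOAD, ...) reaches the git child. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "HOME=" REPO_DIR, NULL };

/* Accept a conservative branch-name charset and reject anything git could
 * parse as an option ("-x", "--upload-pack=...") or as a path walk ("..").
 * Returns 1 if the name is acceptable, 0 otherwise. */
int valid_ref_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_REF) return 0;
    if (s[0] == '-' || s[0] == '.' || s[0] == '/') return 0;
    if (strstr(s, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/')) return 0;
    }
    return 1;
}

/* Make the setuid/setgid identity permanent (real, effective and saved ids),
 * so a compromised git child cannot switch back to the invoking apache user.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    uid_t r, e, s;                       /* verify rather than trust the calls */
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Build the fixed argv for git; the only caller-controlled word is the branch.
 * Returns the number of entries written (excluding the NULL terminator),
 * or -1 if the buffer is too small. */
int build_git_argv(const char *branch, const char *argv[], size_t cap)
{
    const char *words[] = { GIT_BIN, "-C", REPO_DIR, "pull", "--ff-only", "origin", branch };
    size_t n = sizeof words / sizeof words[0];
    if (cap < n + 1) return -1;
    for (size_t i = 0; i < n; i++) argv[i] = words[i];
    argv[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    const char *branch = (argc > 1) ? argv[1] : "main";
    if (!valid_ref_name(branch)) {
        fprintf(stderr, "refusing branch name\n");
        return 2;
    }
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    const char *git_argv[16];
    if (build_git_argv(branch, git_argv, sizeof git_argv / sizeof git_argv[0]) < 0) return 1;
    /* Absolute binary path plus clean environment: no PATH lookup, no inherited vars. */
    execve(GIT_BIN, (char *const *)git_argv, clean_env);
    perror("execve");
    return 1;
}
```

Install it as, for example, /usr/local/bin/pull-as-deploy owned by deploy:apache with mode 6750, so only members of the apache group can execute it and it runs as deploy; the hook then calls `/usr/local/bin/pull-as-deploy main`. It has to be a compiled binary: the kernel ignores the setuid bit on interpreted scripts. Two caveats: a setuid binary that is not root cannot drop the invoker's supplementary groups, so git will still carry apache's group memberships, and the deploy user should own only the checkout and nothing else. If you prefer sudo after all, the password concern in the question can be avoided by a sudoers rule that grants apache exactly one command with NOPASSWD (for example `apache ALL=(deploy) NOPASSWD: /usr/bin/git -C /var/www/site pull --ff-only`), which is the same idea without shipping your own setuid code.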
