git pull into web root

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Jan 13, 2014.

  1. arraken

    arraken Member HowtoForge Supporter

    Hi!

    I have a question regarding git workflow and ISPConfig:
    We have a development-server with gitolite installed. All websites we develop are hosted there in git repositories.

    On my production webserver I have ISPConfig3 installed. Each developer from our company has a unix account on the production webserver (with sudo rights). My goal is to allow each developer to move to the web folders (/var/www/some-website/web) and do a git clone/git pull there, to pull the repository from the development server to the web folder of the production server. They should also be able to "git push" changes back to the development server.

    However, the problem is that you only have permission to enter the web-folder as root. That means that any git pull or push is also executed with the root user's credentials, which is of course not ideal.

    So the question is: "Is there a way to allow my developer-users on the production server to use git in the web-folders of the different websites with their own credentials (e.g. private keys)?"

    Or is this approach generally a bad idea?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Just create the developer users within ispconfig as ssh users (without jailkit) and they will be able to do a git pull in the website. There are no root permissions required for that.
     
  3. arraken

    arraken Member HowtoForge Supporter

    But if I create them as ssh-users, they will only be able to do a git pull in one website, right? I want my developers to be able to pull into any website folder, without creating a separate ssh user for each developer and each website. Is that possible somehow?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, as each website in ispconfig runs under a different Linux user and only this Linux user has write permissions to the website.

    One option might be to change the ispconfig apache plugin to allow writes to the web directory by the client groups; when you then add your ssh user to all client groups, it might work.
     
  5. arraken

    arraken Member HowtoForge Supporter

    Ok, that sounds like a possible solution that isn't too hard to maintain. Could you give me a little pointer as to how and where to "change the ispconfig apache plugin" to allow write access for groups? I never really hacked ISPConfig code before.. :eek:
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The apache plugin is the file /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php.

    A few lines after line 690 (I don't have the exact number as I have the dev version code here) you will find these lines:

    Code:
    $app->system->chmod($data['new']['document_root'], 0755);
    $app->system->chmod($data['new']['document_root'].'/web', 0710);
    $app->system->chmod($data['new']['document_root'].'/webdav', 0710);
    $app->system->chmod($data['new']['document_root'].'/private', 0710);
    $app->system->chmod($data['new']['document_root'].'/ssl', 0755);
    which set the permissions of the folders when a new website is created by ispconfig. To change the permissions of the web folder for new sites, change this line:

    $app->system->chmod($data['new']['document_root'].'/web', 0710);

    to e.g.:

    $app->system->chmod($data['new']['document_root'].'/web', 0750);

    but before you do the modifications, better try whether the above works for you by changing the web folder permissions of an existing web on the shell and adding your users to the client group.
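
An added example, not part of the thread or of ISPConfig's code: a shell helper that decodes what a directory mode grants to members of the owning group, so a permission change can be checked before it goes into the plugin. 0710 and 0750 are the modes from the post above; 0770, 2770 and the function names are assumptions added for comparison.

```shell
#!/bin/sh
# Added example, not ISPConfig code: decode what a directory mode grants to
# members of the owning group (e.g. a developer added to a client group).

# group_access MODE -> prints a subset of "traverse list write setgid", or "none"
group_access() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid"; return 2 ;;
    esac
    m=$((0$1))          # the leading 0 makes the shell parse the mode as octal
    out=""
    if [ $((m & 0010)) -ne 0 ]; then out="$out traverse"; fi  # x: cd in, reach files
    if [ $((m & 0040)) -ne 0 ]; then out="$out list"; fi      # r: ls, git status
    if [ $((m & 0020)) -ne 0 ]; then out="$out write"; fi     # w: create/delete entries
    if [ $((m & 02000)) -ne 0 ]; then out="$out setgid"; fi   # new entries inherit group
    out=${out# }
    echo "${out:-none}"
}

# can_git_pull MODE -> exit 0 only if the group has r, w and x on the directory.
# Assumption: files and .git inside carry matching group permissions.
can_git_pull() {
    group_access "$1" >/dev/null || return 2
    [ $((0$1 & 0070)) -eq $((0070)) ]
}

# 0710 and 0750 come from the post; 0770 and 2770 are added for comparison.
for mode in 0710 0750 0770 2770; do
    if can_git_pull "$mode"; then verdict="yes"; else verdict="no"; fi
    printf '%s  group: %-28s git pull by group member: %s\n' \
        "$mode" "$(group_access "$mode")" "$verdict"
done
```

On a GNU system the mode of an existing web folder can be read with `stat -c %a /var/www/some-website/web` and passed to `group_access`.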
     
  7. arraken

    arraken Member HowtoForge Supporter

    Thanks Till! As always, a great help. :)

    I'll try it, and let you know how it worked out!
     
