How to execute commands as root in git post-receive hook

Solution 1

You need to separate the commands in your sudoers file using commas. Right now, you're authorizing a single command: /sbin/start myapp-service /sbin/stop myapp-service.

You need to write admin ALL=(ALL:ALL) NOPASSWD: /sbin/start myapp-service, /sbin/stop myapp-service.

Solution 2

Ok, I figured it out. I had to create a separate script containing only the commands I wanted to run as root.

#!/bin/bash
sudo /sbin/stop myapp-service
sudo /sbin/start myapp-service

Then, in my post-receive script do:

#!/bin/bash
export GIT_WORK_TREE=/var/www/current/myapp/
set -x
echo "Checking out new files on production and restarting app"
echo $USER
git checkout -f
sudo /home/admin/restart-myapp

And finally in my visudo:

%sudo   ALL=(ALL:ALL) ALL
admin   ALL=(ALL) NOPASSWD: /home/admin/restart-myapp

Hope this helps someone else

Solution 3

I have a file in /etc/sudoers.d/root_group that just has the line %root ALL=(ALL) NOPASSWD: ALL, and I add accounts to the group root to allow them to use sudo without a password.

I'm sure there are security implications for file permissions that didn't consider user accounts being in the group "root", but if you're concerned, a different group can be used. Just change the line to %my_new_group ALL=(ALL) NOPASSWD: ALL and add the relevant accounts to my_new_group.
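Added example, not from any of the answers above: a small POSIX shell audit for the kinds of sudoers rules discussed in Solutions 1 to 3. It prints how many commands a rule actually grants (one for the original unseparated line, two once commas separate them, everything for ALL) and checks that each granted program is root-owned and not group- or other-writable, because a NOPASSWD entry pointing at a script the deploy user can edit is equivalent to unrestricted root. Assumes GNU stat on Linux; the sudoers lines and the wrapper file it creates under mktemp are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Cmnd list of a sudoers
# NOPASSWD rule. Shows how many commands a rule grants and whether each
# granted program is root-owned and not group/other-writable. Assumes GNU
# stat (Linux). Sudoers lines and the sample wrapper are constructed.

# Print the command paths a rule authorises, one per line: drop the user and
# runas spec, drop tag prefixes such as NOPASSWD:, split on commas and keep
# the first word (the program) of each entry.
cmnd_paths() {
    printf '%s\n' "$1" \
        | sed 's/^[^=]*=[[:space:]]*([^)]*)[[:space:]]*//; s/^\([A-Z]*:[[:space:]]*\)*//' \
        | tr ',' '\n' | awk 'NF { print $1 }'
}

# Return 0 if PATH may be granted without a password; otherwise print why not.
check_cmnd() {
    p="$1"
    [ "$p" = ALL ] && { echo "$p: grants every command"; return 1; }
    [ -e "$p" ] || { echo "$p: does not exist"; return 1; }
    set -- $(stat -L -c '%u %A' "$p")   # owner uid and symbolic mode
    [ "$1" -eq 0 ] || { echo "$p: owned by uid $1, not root; owner can replace it"; return 1; }
    case "$2" in
        ?????w*|????????w*) echo "$p: writable by group or other ($2)"; return 1 ;;
    esac
    return 0
}

# Audit one rule: list its commands and check each; non-zero if any fails.
audit_rule() {
    rc=0
    echo "rule: $1"
    for p in $(cmnd_paths "$1"); do
        check_cmnd "$p" && echo "$p: ok" || rc=1
    done
    return $rc
}

# Constructed sample: a wrapper owned by the deploy user and group-writable,
# standing in for the /home/admin/restart-myapp script from Solution 2.
make_sample_wrapper() {
    d=$(mktemp -d)
    printf '#!/bin/bash\nsudo /sbin/stop myapp-service\nsudo /sbin/start myapp-service\n' > "$d/restart-myapp"
    chmod 0775 "$d/restart-myapp"
    echo "$d/restart-myapp"
}

WRAPPER=$(make_sample_wrapper)
audit_rule 'admin ALL=(ALL:ALL) NOPASSWD: /sbin/start myapp-service /sbin/stop myapp-service'
audit_rule 'admin ALL=(ALL:ALL) NOPASSWD: /sbin/start myapp-service, /sbin/stop myapp-service'
audit_rule "admin ALL=(ALL) NOPASSWD: $WRAPPER"
audit_rule '%root ALL=(ALL) NOPASSWD: ALL'
```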

Author by djheru

Updated on September 18, 2022

Comments

  • djheru
    djheru over 1 year

    I just recently set up a remote git repo on a server for a web app running as an Upstart service. I'd like to use the post-receive hook to trigger actions that are required to update the application code and stop then restart the upstart service. This is my repo.git/hooks/post-receive file:

    #!/bin/bash
    export GIT_WORK_TREE=/var/www/current/myapp/
    echo "Checking out new files and restarting app"
    echo $USER
    git checkout -f
    sudo /sbin/stop myapp-service
    sudo /sbin/start myapp-service
    

    Based on the info I read here: askUbuntu.com, the way to get the upstart commands to execute as root is to edit my visudo file. Here is the relevant snippet:

    %sudo   ALL=(ALL:ALL) ALL
    admin   ALL=(ALL:ALL) NOPASSWD: /sbin/start myapp-service /sbin/stop myapp-service
    

    But when I git push to the remote, I get output like:

    $ git commit -am "test" && git push prod master
    [master 59ffccd] test
     1 file changed, 1 insertion(+), 1 deletion(-)
    Counting objects: 11, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (6/6), done.
    Writing objects: 100% (6/6), 544 bytes, done.
    Total 6 (delta 4), reused 0 (delta 0)
    remote: Checking out new files on production and restarting app
    remote: admin
    remote: 
    remote: sudo: no tty present and no askpass program specified
    remote: Sorry, try again.
    

    I've checked that the correct user is executing the post-receive script (admin, as echoed above).

    Can someone help me stop and then start the Upstart job in a git post-receive hook script? Python, PHP, or node.js javascript scripts would also be acceptable if they would be able to exec the upstart command more easily than bash (I'm a bash newbie).

    I looked in my auth log and this is what I have:

    Apr 24 19:35:21 myhost01 sudo: pam_unix(sudo:auth): auth could not identify password for [admin]
    Apr 24 19:35:21 myhost01 sudo: pam_unix(sudo:auth): conversation failed
    Apr 24 19:35:21 myhost01 sudo: pam_unix(sudo:auth): auth could not identify password for [admin]
    Apr 24 19:35:21 myhost01 sudo: pam_unix(sudo:auth): conversation failed
    Apr 24 19:35:21 myhost01 sudo: pam_unix(sudo:auth): auth could not identify password for [admin]
    Apr 24 19:35:21 myhost01 sudo:    admin : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/admin/myapp.git ; USER=root ; COMMAND=/s$
    Apr 24 19:35:21 myhost01 sudo: unable to execute /usr/sbin/sendmail: No such file or directory
    Apr 24 19:35:21  myhost01 sudo: pam_unix(sudo:auth): conversation failed
    
  • Elliott Frisch
    Elliott Frisch about 10 years
    The colon looks wrong after NOPASSWD. Also, have you checked the logs? "/var/log/auth.log"
  • djheru
    djheru about 10 years
    Thank you, but I'm trying to set it up so the only commands that can be run without a password are the upstart stop and start calls in the script.
  • Mancika
    Mancika about 10 years
    I'm sure I'll find this useful someday
  • djheru
    djheru about 10 years
    Thanks for the tip. I'll try this later today. If it works, I'll accept your answer, rather than my own above.
  • djheru
    djheru about 10 years
    Thanks that worked. I think I'm still going to go with the separate script route instead of authorizing multiple commands.