dougan6402
2012-09-11 13:22

Running git from PHP gives "ssh Permission denied"

I'm trying to run git pull in a php script from a browser, but I got "sh: connect to host git.assembla.com port 22: Permission denied"

My PHP script:

<?php
$output = array();
$returnVar = 0;
chdir("/var/www/html");
// Run git pull; 2>&1 folds stderr (where ssh reports errors) into $output.
exec('git pull git@git.assembla.com:andrewadel.git master 2>&1', $output, $returnVar);
// exec('pwd', $output , $returnVar);
echo "<pre>\n";
echo "return status: $returnVar\n\n";
print_r($output);
echo "</pre>\n";

When I manually run the script as "apache", everything is fine:

bash-4.1$ whoami
apache
bash-4.1$ php gitsync.php
<pre>
return status: 0

Array
(
    [0] => From git.assembla.com:andrewadel
    [1] =>  * branch            master     -> FETCH_HEAD
    [2] => Already up-to-date.
)
</pre>

When I run it from a browser, it fails

http://103.7.164.33/gitsync.php?111

return status: 1

Array
(
    [0] => ssh: connect to host git.assembla.com port 22: Permission denied
    [1] => fatal: The remote end hung up unexpectedly
)

Thanks


4 answers

  • dongshan2004
    dongshan2004 2012-09-19 06:40
    Accepted

    A lot of variables here... but I faced pretty much the exact same behavior with a remote CGI script I was working on.

    In my case the issue was related to SELinux on CentOS.

    user@remoteserver:~$ getsebool -a | grep httpd

    Showed:

    ...
    httpd_can_network_connect --> off
    ...
    

    Test Possible Fix (sudo or run as root):

    user@remoteserver:~$ setsebool httpd_can_network_connect=1
    # ...then initiate your server-side script remotely
    

    Permanent Fix (if above has proven effective):

    user@remoteserver:~$ setsebool -P httpd_can_network_connect=1

    The -P option ensures the subject SELinux boolean value is set to the specified value as default on future reboots. See: man getsebool and man setsebool

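The SELinux cause described in the accepted answer can be confirmed from the audit log before any boolean is changed. The following is an added example, not part of the original thread: it scans constructed AVC records for denied outbound TCP connects from httpd domains; the function names, verdict strings and sample records are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread). Constructed AVC records in
# audit.log format; on a real host pipe `ausearch -m avc -ts recent` instead.
SAMPLE_AUDIT='type=AVC msg=audit(1347369720.101:411): avc:  denied  { name_connect } for  pid=2345 comm="ssh" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1347369725.440:412): avc:  denied  { read } for  pid=2399 comm="httpd" name="id_rsa" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=AVC msg=audit(1347369731.002:413): avc:  denied  { name_connect } for  pid=2511 comm="curl" dest=8080 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# Print "domain comm dest" for each denied outbound TCP connect whose source
# domain starts with httpd_ (assumption: httpd_t plus its script domains).
httpd_connect_denials() {
    awk '
        /avc:/ && /denied/ && / name_connect / && /tclass=tcp_socket/ {
            comm = ""; dest = ""; dom = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^dest=/) { dest = substr($i, 6) }
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); dom = c[3] }
            }
            if (dom ~ /^httpd_/) print dom, comm, dest
        }'
}

# Extract on/off from a getsebool line such as the one quoted in the answer.
bool_state() { awk '{ print $NF }'; }

# $1 = state of httpd_can_network_connect; audit records on stdin.
diagnose() {
    hits=$(httpd_connect_denials)
    if [ -z "$hits" ]; then
        echo "no-httpd-connect-denial"   # look at key access, user, firewall
    elif [ "$1" = "off" ]; then
        echo "selinux-boolean-off"       # matches the accepted answer
    else
        echo "denial-with-boolean-on"    # stale records or another rule
    fi
}

state=$(echo 'httpd_can_network_connect --> off' | bool_state)
printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials
printf '%s\n' "$SAMPLE_AUDIT" | diagnose "$state"
```

`httpd_can_network_connect` permits outbound TCP connections from httpd to any port, not only 22, so it is worth confirming the denial in the audit log before enabling it.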
  • dthjnc306679
    dthjnc306679 2012-09-11 13:23

    Is this a permissions issue? A PHP script would be run as the nobody user most likely, which may not have permissions to run the git command.

  • dongyu1918
    dongyu1918 2012-09-11 13:31

    Are your webserver and PHP installation enforced by Suhosin, safe-mode, AppArmor or other security mechanisms?

    And I recommend trying PHP-Git bindings like php-git if you're doing more operations. That module is designed for working with Git in PHP code.

  • donglie1994
    donglie1994 2012-09-11 13:59

    Apache would run the script as the 'nobody' user. Your script relies on having the private key most likely stored at ~apache/.ssh/id_rsa.

    The failure is that git can't access that key and isn't able to authenticate itself against the git server.

    The solution is to specify the correct key to use and make that key accessible to the user that is executing the script.

    Read this for how to specify the key:

    Specify private SSH-key to use when executing shell command with or without Ruby?

    Take a look here for an approach to running as a different user:

    https://serverfault.com/questions/226374/how-to-run-php-files-as-another-user-with-apache-and-fastcgi

    I would not recommend running as nobody (since then the nobody user has access to your private key), or as apache (since then you are increasing the damage that could be done should an exploit be found for your site). Therefore you should create a different user with the minimal permissions to read your private key and execute the git command. It may not be necessary to specify the key if you just create a limited user account for this and put the keys (public/private) into ~/.ssh

