dt102282 2019-01-28 19:58
Accepted

GitLab webhooks not working due to shell script permissions

Using Laravel 5.6. I'm trying to set up a webhook on GitLab to make a git pull on push events. I've created a POST route and added a controller and method that launches a shell script:

    use Illuminate\Http\Request;
    use Symfony\Component\Process\Process;

    class WebhookController extends Controller
    {
        public function handle(Request $request) {
            $root_path = base_path();
            // Run deploy.sh from the application root
            $process = Process::fromShellCommandline('cd ' . $root_path . '; ./deploy.sh');
            // Echo the script's output back in the webhook response
            $process->run(function($type, $buffer) {
                echo $buffer;
            });
        }
    }

The shell script itself contains just one line:

    #!/bin/sh

    git pull

But in GitLab's request details, I see an error after a push:

    error: cannot open .git/FETCH_HEAD: Permission denied

I already chmod 777 deploy.sh, but I guess it tries to launch that script from a different user? If I launch the script from my user, it just works (I'm using an ssh key without a password).

UPDATE

I did sudo chown -R $USER:www-data . - now it doesn't show an error with permissions, except this one:

    Could not create directory '/var/www/.ssh'.
    Host key verification failed.
    fatal: Could not read from remote repository.

It's trying to make a git pull using the www-data user (I checked with whoami), so it doesn't have the right ssh key. How can I switch to my USERNAME?


1 answer

  • down00112 2019-01-28 20:19

    SSH keys are linked to users and your process inside your Laravel app most likely doesn't run as the user you've added your ssh key to. It probably runs as the www-data user.

    Try and create an ssh key for your www-data user and use the key as a "Deploy key" on Gitlab. Try sudo -u www-data ssh-keygen -t rsa to create the ssh key. Also check out this question.

    To answer your last question about switching to your username: that would not be a good idea. That way your application can run anything that your user would be able to run, which is not a good idea. Rather create a separate ssh key for that user and give it limited access to your repository (i.e. only read/pull access).

    This answer was selected by the asker as the best answer.
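
Each error quoted in the question maps to one precondition that the www-data account has to meet before a webhook-driven git pull can work with its own deploy key. The script below is an added example, not code from the question or the answer, that checks those preconditions; the file name preflight.sh and the host gitlab.example.com are placeholders, and it assumes known_hosts entries are stored unhashed.

```shell
#!/bin/sh
# Added example: preflight checks for a webhook-driven `git pull`.
# Run as the account the web server uses, e.g.
#   sudo -u www-data sh preflight.sh /path/to/app /var/www gitlab.example.com
# (preflight.sh and gitlab.example.com are placeholders).

# Print one line per problem; return 0 only when no problem was found.
deploy_preflight() {
    repo=$1 home=$2 host=$3
    ssh_dir=$home/.ssh
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # "cannot open .git/FETCH_HEAD: Permission denied"
    if [ ! -d "$repo/.git" ]; then
        fail "$repo/.git does not exist"
    elif [ ! -w "$repo/.git" ]; then
        fail "$repo/.git is not writable by $(id -un)"
    fi

    # "Could not create directory '/var/www/.ssh'"
    if [ ! -d "$ssh_dir" ]; then
        fail "$ssh_dir does not exist"
    elif [ "$(ls -ldL "$ssh_dir" | cut -c1-10)" != "drwx------" ]; then
        fail "$ssh_dir should have mode 700"
    fi

    # The deploy key must exist and be private to its owner, or ssh ignores it.
    key_found=0
    for key in "$ssh_dir"/id_*; do
        case $key in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        key_found=1
        [ "$(ls -lL "$key" | cut -c5-10)" = "------" ] ||
            fail "$key is readable by group or others"
    done
    [ "$key_found" -eq 1 ] || fail "no private key in $ssh_dir"

    # "Host key verification failed": the host must be in known_hosts.
    # Matches plain entries only; hashed ones need `ssh-keygen -F "$host"`.
    if ! awk -v h="$host" '{ n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
            END { exit !found }' "$ssh_dir/known_hosts" 2>/dev/null; then
        fail "$host is not listed in $ssh_dir/known_hosts"
    fi
    [ "$problems" -eq 0 ]
}

if [ "$#" -eq 3 ]; then deploy_preflight "$@"; fi
```

A clean run prints nothing and exits 0; every FAIL line names the file or directory to fix for the web server account, without giving that account the deploying user's own key.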