How to give permission to a directory for automatic deployment from git?

H

HaruAtari2014-02-09 13:23:43

git

HaruAtari, 2014-02-09 13:23:43

Good afternoon.
I'm trying to set up automatic deployment of a project from a git repository. A hook is hung on the repository, which, when pushing, makes a request to my server. When a request is received, it makes a pull and runs the migration script. There was a question with the rights to directories.
The owner of the project directory is ww-data. Logically, another user should be working with the git. I created a user and added it to the ww-data group. Installed on the directory with the project rights 770. Everything works. But what's the point of having a separate user for deployment if he has the same rights as www-data?
Tell me, am I doing the right thing, or do I need to distribute the rights differently?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

Y

Yuri Shikanov, 2014-02-09
@dizballanze

Why create a separate user to work with the git? Directly from www-data it is possible.

A

Andrew, 2014-02-09
@kaasius

1. Files in the working directory of the site should not belong to www-data, except for those that the server itself writes. Otherwise, you will get additional vulnerability.
2. It is better not to keep .git in doc-root - at some point you will forget to close access to this daddy, and ... all your code will end up with hackers.
Therefore, on the server with the central repository (where you are pushing), you make another repository, from where you do the pull using the hook. And you send everything to the combat server using rsync or, for example, dklab realsync (which uses the same rsync, but automatically monitors changes in the folder and immediately syncs them to the second server).
Well, it’s better to put the owner of something different from www-data