I have a problem executing a git clone on a Minimac 10.8.5.
If I execute the command from a shell, it works.
If I execute the same command from a php file (through a button press on a web page), I get
"error: ssl peer certificate or ssh remote key was not ok while accessing...".
Already executed: git config --global http.sslVerify = false
Already changed the User and Group of the file /etc/apache2/httpd.conf
Tried to execute it with a git clone --verbose
The only error I see is the above one, no more information.
Where or how can I find a more detailed log?
What could be the cause?
It looks like the remote requires authentication, either through an SSH key (like Heroku and GitHub) or with a password via HTTPS.
In both cases you will need this; you can configure your system first and then try to run git via PHP.
I believe that you are doing some type of deploy script, right? If so, you may want to consider using git pull after the first deploy.
Try this
env GIT_SSL_NO_VERIFY=true git pull origin master
Edit: solved in another way.
The only way I've found to create a shell with the correct user is starting the process via ssh. So I do the following and all works as expected.
<?php
// ssh to localhost so the command runs in a full login shell for that user
$cmd = "ssh user@localhost <cmd to execute>";
shell_exec($cmd);
?>
I have set up a github webhook to talk to my webserver api (server is apache2). I securely check for the github secret using the encryption of the payload, as specified on their help page.
When a push to master is done on the repo of the web application, a script (deploy.sh) is triggered via <?php exec. If I trigger this script manually, as root, everything is perfect. But of course, the user that triggers the script on normal circumstances is www-data.
My question is what is the best practice for www-data to do a git pull of the new repo? I have mostly discarded doing exec sudo, but maybe that is the way. One problem of the many that I'm facing with making www-data trigger a git pull is that the ~/.ssh/id_rsa file is only set up for root (when building the server image on docker). It's a read-only SSH key.
This is a legacy application, so what really worries me is that through some PHP exploit someone could do the exec without being GitHub, and from there escalate to get read access to the repo or something worse.
The question is really: what is the best practice to update a web application using a webhook?
Solution was allowing www-data to sudo only the deploy command:
echo 'www-data ALL=(ALL) NOPASSWD: /var/my-cool-scripts/deploy.sh' | sudo EDITOR='tee -a' visudo
on php:
exec('sudo -n /var/my-cool-scripts/deploy.sh')
PS: actually used this neat trick to know the execution was okay
$did_the_script_run_okay = exec('sudo -n /var/my-cool-scripts/deploy.sh') == "okay" || false;
last line of deploy.sh:
echo "okay"
The exec command returns the last line echoed by the command, so I check that to ensure complete execution.
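The sudoers-whitelisted deploy approach above, as an added example that is not part of the question or answer: the handler verifies GitHub's HMAC signature header before calling anything, keeps the command fixed (no request data is interpolated into it), and checks the exit status of deploy.sh rather than relying on a final echoed "okay". The WEBHOOK_SECRET environment variable and the 2>&1 redirect are assumptions of this example.

```php
<?php
// Added example, not the poster's code. Assumes the webhook secret is in the
// WEBHOOK_SECRET environment variable and that /var/my-cool-scripts/deploy.sh
// is the only command www-data may run via sudo (the sudoers line above).

function verify_github_signature(string $payload, string $secret, ?string $header): bool
{
    // GitHub sends "sha256=<hex hmac of the raw body>" in X-Hub-Signature-256.
    if ($header === null || strpos($header, 'sha256=') !== 0) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, $header); // constant-time comparison
}

function run_deploy(): array
{
    // Fixed command string; 2>&1 so git/ssh errors are captured, not lost.
    exec('sudo -n /var/my-cool-scripts/deploy.sh 2>&1', $output, $rc);
    return ['ok' => $rc === 0, 'output' => $output];
}

$payload = file_get_contents('php://input');
$secret  = getenv('WEBHOOK_SECRET') ?: '';
$sig     = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null;

if ($secret === '' || !verify_github_signature($payload, $secret, $sig)) {
    http_response_code(403);
    exit('bad signature');
}

$event = json_decode($payload, true);
if (($event['ref'] ?? '') !== 'refs/heads/master') {
    http_response_code(200);
    exit('ignored ref');
}

$result = run_deploy();
http_response_code($result['ok'] ? 200 : 500);
echo implode("\n", $result['output']);
```

Because only the exit status is trusted, deploy.sh should end with `exit $?` after its git pull (or use `set -e`) so a failed pull is reported as a 500.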
I searched on the internet for hours to find a good solution, but all the topics that already exist don't help me.
I'm trying to build a webhook to update my website by doing a git pull that is called after a git hook when commits are pushed to my live branch. But it isn't working when I try to call git pull by requesting my PHP script in the browser.
Apache is running as www-data; all the rights are set up well.
The PHP script runs fine when I try to run it as the www-data user with su - www-data and then php webHook.php,
but when I call it in the browser, I get no response. I guess Apache is blocking it.
This is the command I use in the PHP script:
echo shell_exec('cd /home/my-site/public_html && git pull');
The result is empty and the git repository is not pulled at all.
But if I try this:
echo shell_exec('cd /home/my-site/public_html && git');
I get this result:
usage: git [--version] [--exec-path[=]] [--html-path] [--man-path] [--info-path] [-p|--p..........
So everything is working, except the git pull command.
The repository is saved on another server with Atlassian Stash, and I saved the password with git config --global credential.helper "cache --timeout=360000000"
I want to push a folder with data to an empty repository in atlassian Git stash. The repository is created via the rest api. The remote origin is set. When I enter
$ git push origin master
in the shell it works all fine. When I use the PHP interactive shell and enter
exec('git push origin master');
it also works. But when the code is called in my PHP file nothing happens. Of course the code is the same. I am in the right working directory (I change it with chdir() before the shell_exec). No errors are reported (even when error_reporting is set to E_ALL), and when I set the output argument in the exec() I get an empty array.
Can anyone help?
When you execute code interactively, or commands via the shell, you're executing under your user account and your shell environment.
I would assume that the reason this isn't working is that you're executing the PHP script as another user (and possibly lacking your ssh/git environment config).
More information is needed to better answer your question, but you may want to start by verifying the user you're executing your PHP file as is also able to perform a git push origin master by doing something like:
sudo su -s /bin/bash -c "cd /my/git/repo/dir; git push origin master" MYPHPEXECUTEUSER
I found out that I have to add '2>&1' to the end of a shell command to get an error output when using shell_exec(). It returned "fatal: could not read Password for "url": device not configured". I just had to add the password to the URL in an HTTP basic auth fashion. Now it all works fine. Thanks for the answers :)
I'm trying to make a hook on bitbucket, that executes a php file, and this file executes the pull command:
shell_exec('/usr/local/cpanel/3rdparty/bin/git pull');
The pull command works fine on the SSH console, but the PHP returns the error:
Permission denied (publickey). fatal: Could not read from remote
repository.
Please make sure you have the correct access rights and the repository
exists.
The command --version shows the path to git is right, and whoami returns the same user on both, so I don't know if it is a permission issue.
What can be going wrong?
Edit: An additional issue: the alias I added for git doesn't work on PHP, only the full path as above. Via terminal it works just fine. Maybe it's the same reason why the key doesn't work in PHP.
Edit 2: $PATH is different on both.
When you run this command within a PHP script you are not running the command as yourself:
shell_exec('/usr/local/cpanel/3rdparty/bin/git pull');
The reason it works from the terminal console is you run the command as yourself from the console. But on a web server, you are not the user running the command. Remember: when you run PHP on a web server, it is an Apache module. Meaning the web server user—which could be www-data, root or even apache on some systems—is running the PHP script which then runs the shell_exec command.
So it would never work as you have it set up. Perhaps you can kludge something together that would allow a key-pair to be used by the web server for these purposes, but that seems like a security risk waiting to happen.
I want to make SVN updates easier by calling a PHP script.
I created this PHP script:
$cmd = "svn update https://___/svn/website /var/www/html/website/ 2>&1";
exec($cmd, $out);
As the user running the script is apache (not root), I get some permission errors.
If I change the owner of every directory to apache (or chown everything to 777) I have another problem. Because I use the https protocol, user apache should permanently accept the certificate of the svn server. I tried to do "su - apache" and accept the certificate, but the OS says that "apache" is not a valid user. I also don't know how I could accept the certificate with the exec() function.
Any idea? How can I make svn update-ing easier?
Is the error telling you that the user isn't a valid svn user? If apache is the user running httpd, you should be able to su to it. This is the script I use:
/usr/bin/svn --config-dir=/home/user/.subversion --username=svnuser --password=svnpass update
Once the password is saved you can remove it from the command. Again, make sure the user/pass above is a valid SVN user.
Lately I've actually migrated to using Hudson for svn updates as you can schedule it as well as run manually and do a bunch of other tasks, plus you can view the svn logs for each commit as well as any console errors.
Why not use the PHP svn functions instead of (insecure) exec?
http://www.php.net/manual/en/function.svn-auth-set-parameter.php has good examples for authentication options.
Use getent apache on the shell. This will return the shell of apache. Most likely, it is /bin/nologin or /bin/false. Change this to /bin/bash. You'll also need to specify the home directory and create it on the file system.
UPDATE: getent apache will actually return the entry in the /etc/passwd file for the apache user. The last token in this string is the shell.