Question

How to use Github hooks when you disabled the root user

Posted April 13, 2021
Ubuntu 20.04

For security reasons, I disabled the root user and created a new user to use SSH.

When I use rsync, I rsync to the /home/my-name/my-dir directory, then mv it to the /var/www/html/my-dir directory, then use sudo chown -R www-data:www-data my-dir.

I’d like to create a Github hook that when I push to the repo, pulls the repo to my droplet.

Q1. Should I pull to /home/my-name/my-dir and then move it to /var/www/html/my-dir and use the chown command to change the owner?

Q2. Is there any tutorial on how to set this up?

Thank you.

1 answer

Hi there,

What I could suggest is allowing your non-root user to run this one specific command with sudo without being prompted for a password.

You can configure that by changing the sudoers file on your server. The correct way to make changes to the sudoers file is by using the following command:

sudo visudo

At the bottom of the file add the following:

your_user_here ALL = NOPASSWD: /bin/chown -R www-data\:www-data /path/to/your-dir

Then save and exit. After that, when you run sudo /bin/chown -R www-data\:www-data /path/to/your-dir with your non-root user you will not be prompted for your sudo password.

Hope that this helps.
Regards,
Bobby

  • Thanks Bobby.

    I’m following this tutorial.

    I have a script in /home/shin/my_dir.

    #!/bin/bash

    # Location of our bare repository.
    GIT_DIR="/home/shin/my_dir"

    # Where we want to copy our code.
    TARGET="/var/www/html/my_dir"

    while read -r oldrev newrev ref
    do
       # Neat trick to get the branch name of the reference just pushed:
       BRANCH=$(git rev-parse --symbolic --abbrev-ref "$ref")

       # Send a nice message to the machine pushing to this remote repository.
       echo "Push received! Deploying branch: ${BRANCH}..."

       # "Deploy" the branch we just pushed to a specific directory.
       sudo git --work-tree="$TARGET" --git-dir="$GIT_DIR" checkout -f "$BRANCH"
    done

    And then I appended the following to visudo:

    shin ALL=(ALL) NOPASSWD:ALL
    
    

    And it works.

    It pushes all the code to /var/www/html/my_dir.

    Do you think it is safe to do it this way?

    Let me know what you think.

    • Hi there,

      No problem at all, happy to hear that you’ve got a working solution!

      Yes, this should indeed also be working as expected.

      A slight concern would be that the user would be able to run any sudo commands without typing a password thanks to the shin ALL=(ALL) NOPASSWD:ALL line in your sudoers file.

      If you want to be extra safe, you could change that line and only allow the specific commands from the script, that way you would know that the user has some restrictions.

      Regards,
      Bobby

      • Thank you for your support, Bobby.

        Could you tell me how to allow the specific commands?
        In this case, it is the git command.

        Is it something like this?

        shin ALL=(ALL:ALL) git
        

        How can I add more than one command?

        Something like this?

        shin ALL=(ALL:ALL) git chown mv cp
        

        Let me know. Thanks.

        • Hi there,

          You would need to separate the commands with a comma and also I would recommend specifying the full path to the binaries, for example:

          shin ALL=(ALL) NOPASSWD: /usr/bin/git,/bin/chown,/bin/mv,/bin/cp
          

          Let me know how it goes!
          Regards,
          Bobby

          • Thanks. I will try and let you know.

          • After changing according to your code, I get the following errors.

            ...
            remote: Push received! Deploying branch: main...
            remote: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
            

            I have the following in the /etc/sudoers file, using sudo visudo:

            shin ALL=(ALL) NOPASSWD: /usr/bin/git, /usr/bin/chown, /usr/bin/mv
            

            Which command/path do I need to add?

          • Hi there @okadashinichi2819,

            The path to the chown command is not correct. You need to use the exact path to the binary:

            /bin/chown
            

            You can find the correct path to a binary with the which command:

            which chown
            

            Regards,
            Bobby

          • When I used which chown, the output was /usr/bin/chown.

            So I had to put back to:

            shin ALL=(ALL) NOPASSWD:ALL
            

            And also I had to add NOPASSWD to the sudo group:

            %sudo ALL=(ALL:ALL) NOPASSWD: ALL
            

            Then it works. But I’m not 100% sure this is the correct way to do…

          • Hi there,

            This is quite interesting. Are there any other commands that are being executed that might be missing from the list?

            What I could suggest is also switching to the user and trying to use one of those commands with sudo to verify that you are not being asked for a password.

            Regards,
            Bobby

          • @bobbyiliev
            Yes, it was strange. I tried this morning and it is working as expected.

            %sudo ALL=(ALL:ALL) ALL
            
            shin ALL=(ALL) NOPASSWD: /usr/bin/git, /usr/bin/chown, /usr/bin/mv
            

            Thank you for your help.

          • Hi there,

            No problem at all! Happy to hear that you’ve got it all working!

            Regards,
            Bobby

      • BTW, I got the following error:

        $ git push
        Enumerating objects: 10, done.
        Counting objects: 100% (10/10), done.
        Delta compression using up to 4 threads
        Compressing objects: 100% (6/6), done.
        Writing objects: 100% (6/6), 663 bytes | 663.00 KiB/s, done.
        Total 6 (delta 5), reused 0 (delta 0), pack-reused 0
        remote: error: cannot update the ref 'HEAD': unable to append to './logs/HEAD': Permission denied
        To okadia.net:/home/shin/my_dir
         ! [remote rejected] main -> main (failed to update ref)
        error: failed to push some refs to 'okadia.net:/home/shin/my_dir'
        

        What am I doing wrong here?
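The sudoers narrowing discussed in this thread, as an added example that is not from any participant: a small checker that classifies a NOPASSWD rule by what it really grants (a bare binary path such as /usr/bin/git lets the user pass any arguments, so the rule restricts far less than it appears to), plus a generator for the exact-argument rules the hook needs. The user, paths and branch are the ones the thread uses; the function names are mine.

```shell
#!/bin/bash
# Added example, not code from the thread: classify a sudoers NOPASSWD rule by
# what it really grants, and generate the exact-argument rules the hook needs.
# User, paths and branch below are the thread's; the function names are mine.
set -f   # no filename globbing: sudoers wildcards must stay literal while parsing

# Prints one of: unrestricted, wildcard-args, any-args, fixed-args, other
audit_sudoers_rule() {
    local rule="$1" spec cmd
    spec="${rule#*NOPASSWD:}"                      # command list after NOPASSWD:
    [ "$spec" = "$rule" ] && { echo other; return; }
    spec="${spec#"${spec%%[![:space:]]*}"}"        # trim leading whitespace
    [ "$spec" = "ALL" ] && { echo unrestricted; return; }
    local IFS=','
    for cmd in $spec; do
        cmd="${cmd#"${cmd%%[![:space:]]*}"}"
        case "$cmd" in
            *\**)   echo wildcard-args; return ;;  # sudoers '*' also matches spaces, so extra args slip in
            /*" "*) ;;                             # full path plus fixed arguments: good
            /*)     echo any-args; return ;;       # bare path: the user chooses the arguments
            *)      echo other; return ;;
        esac
    done
    echo fixed-args
}

# Emit the narrowest rules for the hook: the single checkout command with every
# argument pinned (branch included), plus the chown the question mentions.
# Sudoers needs the ':' in www-data:www-data escaped, as in the first answer.
tight_rules() {
    local user="$1" gitdir="$2" target="$3" branch="$4"
    printf '%s ALL=(root) NOPASSWD: /usr/bin/git --work-tree=%s --git-dir=%s checkout -f %s\n' \
        "$user" "$target" "$gitdir" "$branch"
    printf '%s ALL=(root) NOPASSWD: /usr/bin/chown -R www-data\\:www-data %s\n' "$user" "$target"
}

# Constructed sample: the rules that appeared in the thread, then the tightened ones
for rule in 'shin ALL=(ALL) NOPASSWD:ALL' \
            'shin ALL=(ALL) NOPASSWD: /usr/bin/git, /usr/bin/chown, /usr/bin/mv' \
            'shin ALL=(ALL:ALL) git'; do
    printf '%-14s %s\n' "$(audit_sudoers_rule "$rule")" "$rule"
done
tight_rules shin /home/shin/my_dir /var/www/html/my_dir main | while read -r rule; do
    printf '%-14s %s\n' "$(audit_sudoers_rule "$rule")" "$rule"
done
```

After editing sudoers with visudo, `sudo -l -U shin` shows exactly which commands the rules grant, which is the check that would have caught the bare-binary form early.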