When I run the script

    <?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); ?>

I get the error message:

    error: cannot open .git/FETCH_HEAD: Permission denied
Here’s what I did:
    ssh [email protected]
    pwd # shows that I'm already at /var/www as my home directory
    ls .ssh/ # shows that I have id_rsa and id_rsa.pub, and id_rsa.pub is given to github
    cd html
    git pull origin master # everything downloads perfectly
    echo "<?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); " > pull.php
Now when I go to http://example.com/pull.php I get the error

    cannot open .git/FETCH_HEAD: Permission denied
To confirm my permissions, I logged in as root to do a
chown -R apache:apache /var/www. I also have this in my
What am I doing wrong?
SELinux does not allow the web server to write to random directories. You need to explicitly define what directories SELinux should allow to be writable by setting their default context to httpd_sys_rw_content_t and then setting the context of any existing files. For example:

    semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"
    restorecon -rv /var/www
You almost certainly should not make the entire site writable by the web server though, nor set up a web page which directly calls git. Both of these completely negate any security benefits you would have gotten from SELinux, and the latter has its own set of potential problems.
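An added example, not part of the original answer: a small audit that reads file-context rules in the layout printed by `semanage fcontext -l` and reports which ones make content writable by the web server, marking rules that cover the whole document root. The `DOCROOT` default, the function name and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit SELinux file-context rules that let httpd write (httpd_sys_rw_content_t).
# Expected input layout, one rule per line (as printed by `semanage fcontext -l`):
#   <path regex>   <file class>   <user:role:type:level>
# DOCROOT is an assumption; set it to the document root of the site being checked.
DOCROOT="${DOCROOT:-/var/www/html}"

# Constructed sample rules, not taken from a real system.
SAMPLE='/var/www(/.*)?               all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/uploads(/.*)?  all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?          all files   system_u:object_r:httpd_sys_content_t:s0'

# Prints "BROAD <rule>" when a writable rule is rooted at the docroot or one of
# its parents, "SCOPED <rule>" otherwise. Returns 1 if any BROAD rule was seen.
audit_rw_rules() {
    awk -v docroot="$DOCROOT" '
    function covers(base, root) {
        # base is the docroot itself, or a parent directory of it
        return base == root || index(root, base "/") == 1
    }
    BEGIN { broad = 0 }
    {
        n = split($NF, part, ":")          # last field is the security context
        if (n < 3 || part[3] != "httpd_sys_rw_content_t") next
        base = $1
        sub(/\(\/\.\*\)\?$/, "", base)     # strip a trailing "(/.*)?"
        if (covers(base, docroot)) {
            print "BROAD " $1
            broad = 1
        } else {
            print "SCOPED " $1
        }
    }
    END { exit broad }'
}

# Demo on the constructed sample; on a real host: semanage fcontext -l | audit_rw_rules
printf '%s\n' "$SAMPLE" | audit_rw_rules || echo "a rule makes the whole docroot httpd-writable"
```
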