Running a process as apache, change to root ?
 

Hello,

I have an SVN server that should with the post-commit script loginto our dev server via ssh and update the folders contianing the websites.

However, because the post-commit scripts runs as 'apache', it has no rights to run the ssh command.

Can someone help me with this. It would be greatly appreciated. Thanks in advance.

You said "websites" plural, and that scares me.
If you have client websites running cgi scripts as the user apache then what I am about to suggest is probably a Bad idea.

But if you use suexe and each website runs their cgi scripts as their own user then this will work safely.

visudo and add the line;
Then in your post-commit script change the "ssh" command to "sudo ssh" and this should do the trick.

It would probably be better to find out why the user apache can't run ssh, if the user needs to be in a certain group, then discover that and place apache in that group.

Again, I would be careful giving rights to the user apache if there are other users running cgi as the user apache.

Well that worked. Thank you very much !!! I can at least get the team back working. I know it is bad practice, I will troubleshoot how come apache couldn't login. Maybe I should create a user that will do this. Thank again. Note: it worked without the sudo.

I hope you sanitize your inputs (web form etc) ! :p

It would not have worked on my systems without the sudo, yours may behave differently or your problem may have magically gone away?

Why the need to run ssh as root anyway, is there any theory behind this ?

He may be copying files with various owners and various permissions to the other box, so my answer to you is yes.

If your are going to help, then help, otherwise...

I would like to help, but before I have to fully understand the issue

ssh is a program for login into a remote machine, it is like ftp but with encrypted connection...

It requires no root privileges to use it

If I have password for an user in a remote ssh server, I can login without being that user
And any file I copy with ssh will belong to the remote user...

Anyway, in the end rbalaa succeed using ssh without using sudo (= without having root privileges), so the issue is elsewhere

Please be aware that asking questions is often the best way to start troubleshooting things or having something clarified. Asking prudent questions should never be met with such a reply. And I fully agree one should question having a non-human account run anything as root, especially if "it worked before without Sudo" which could point to misconfiguration on the OPs part.

My first commercial Linux system was RedHat Mothers Day, If you don't want me here that's fine.

Still not working. Don't ask me why, but it worked for sometime, and now its back. Anyhow you are right I should have explained the setup better. Yes, I wanted to SSH so that I can update our live server. Now after many frustrated hours, I decided to have both SVN and our live server on the same box.
I found a debug script online and this is what I get when post-commit runs:


/svndata/live 95
uid=48(apache) gid=48(apache) groups=0(root),48(apache)
PWD=/
SHLVL=1
_=/bin/env


As opposed to when I run it manually, I get:


uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
HOSTNAME=msrv01
SHELL=/bin/bash
TERM=xterm-256color
HISTSIZE=1000
SSH_CLIENT=<ipadress>
SSH_TTY=/dev/pts/1
USER=root
LS_COLORS=
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/scripts
MAIL=/var/spool/mail/root
PWD=/svndata/live/hooks
INPUTRC=/etc/inputrc
LANG=en_US.UTF-8
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
HOME=/root
SHLVL=2
LOGNAME=root
SSH_CONNECTION=<ipaddress>
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
_=/bin/env

the debug code is:

date >> /tmp/debug.txt
echo "$@" >> /tmp/debug.txt
id >> /tmp/debug.txt
env >> /tmp/debug.txt

Please help. Thank you.

well mark it as solved. the reason my connection kept breaking is because I never once listed my SVN repo from the local server (where svn is located). Soon as I did that, it asked me to accept (p). So I did and now it works. I also forgot to mention that the SVN server is running with HTTPS.

Thanks All.