Home / server / Questions / 332021
Accepted
anthonysomerset
Asked: 2011-11-18 08:29:19 +0800 CST

Git: push via ssh to a root owned repository with ssh root logins disabled

  • 772

is that even possible?

Summary, i'm running puppet master on a server and ideally we want root logins via ssh disabled, we want to force all access via sudo if root access required

however we have puppet installed using a git repo to manage the manifests, this repo is currently owned by root and currently i only know of 2 solutions

  1. (less ideal) allow root access via key auth only - if so, what can i lock it down to to only allow the git push commands?
  2. own the repo in /etc/puppet as a different owner - will puppet work reliably with this?
  3. Could relevant Sudo config and command work around this?
ssh puppet root git puppetmaster

3 Answers

  1. Git repos can be configured to maintain group write permissions (option --shared when creating the repository). Using that, then you can add any accounts that need access to the repository to a particular group, so that they can access it.

    I do that for our git server. I also put a symlink in each user's home directory to each repository they have access too, so everyone can access with a relative URL.

    • 2
  2. Best Answer

    To answer my own question, i looked at the info Daniel Provided but it didnt tally up, i researched git group write and came accross http://andyregan.net/blog/archives/504

    by giving my repository group ownership by a common group (puppet) and adding the relevant users to that group, and then running:

    chmod -R g+swX /etc/puppet/
cd /etc/puppet
git repo-config core.sharedRepository true

    worked perfectly for me, i can push to a root owned repository, puppet still works and i dont use a root ssh login to do so

    Win, Win

    UPDATE

    I had this problem again also with puppet but looked to handle it in a better manner and solved this alternatively with the right bit of sudoers config by adding the following after the env_reset line:

    Defaults    env_keep += SSH_AUTH_SOCK

    this allows me to run a command like this:

    cd /etc/puppet && sudo git pull && sudo git submodule sync && sudo git submodule update --init --recursive

    in say a Rakefile (my user already has nopasswd permissions via Sudo) and everything works accordingly. What i achieved was basically to pass my ssh-agent forwarded ssh-key through to the root user and then do a git pull as if i was connected as my non-root user without storing my ssh key under the root user (or my non-privileged account on the server) Win Win

    • 2

  3. What I like to do is have a "staging" bare git repo on the puppet master that I push to that runs various pre-commit and post-commit hooks. Pre-commit hooks check puppet syntax (so that code with bad syntax can't be committed) and post-commit hooks actually drop the code into /etc/puppet, and restart Apache (to fix an old cacheing bug in puppet 2.6)

    Having a staging area that you push to makes the process of deploying puppet code more atomic. Otherwise, it may be possible for you puppetmaster to be serving half-commited code to clients.

    • 1