Ssh – sudo -u git clone

Tags: git, ssh, sudo

I'm on Ubuntu server 14.04.

I am using apache web server which runs as the www-data user. I need to do git clone from a script (a web hook). This script will run with www-data user privileges.

Running git clone as a regular user in the /var/www/html directory I run into permission problems, which is good since I only want the www-data user to be able to write there.

The www-data user has its home set to /var/www and its ssh keys are in /var/www/.ssh.

If I run:

sudo git clone git@my.git.server:user/repo.git

It works as expected – the ssh public key for my user is listed in authorized_keys on my.git.server.

However I need to run from a bash script and with normal privileges.

So I copied the public ssh key for the www-data user to the authorized_keys file at my.git.server. In theory that should mean the www-data user can initiate git clone over ssh removing the need for passwords and being pretty secure.

So to test it I think I need to run something like:

sudo -u www-data -H git clone git@my.git.server:user/repo.git

My understanding is that would let me assume the identity of the www-data user, set my home directory so that ~/.ssh is in the working directory when the git clone over ssh is issued.

The issue I have is the following error output when I try to execute that command:

Cloning into 'repo'...
fatal: 'user/repo.git' does not appear to be a git repository
fatal: Could not read from remote repository.

Like I said, if I run as sudo – no issue. Only when I try to run as www-data. It feels like there's an issue with the way the command is being interpreted that forces it to read the path / repo name incorrectly?


Following on from l0b0's response, the output is as follows:

james-c@WebHost-1:~$ sudo ssh -v git@my.git.server 2>&1 | grep 'identity file'
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
james-c@WebHost-1:~$ sudo -u www-data ssh -v git@my.git.server 2>&1 | grep 'identity file'
debug1: identity file /var/www/.ssh/id_rsa type 1
debug1: identity file /var/www/.ssh/id_rsa-cert type -1
debug1: identity file /var/www/.ssh/id_dsa type -1
debug1: identity file /var/www/.ssh/id_dsa-cert type -1
debug1: identity file /var/www/.ssh/id_ecdsa type -1
debug1: identity file /var/www/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/www/.ssh/id_ed25519 type -1
debug1: identity file /var/www/.ssh/id_ed25519-cert type -1

Not exactly sure what I'm looking for here?

Best Answer

I encountered the same issue; it seems like the environment is preserved when switching users this way. This causes the wrong git config to be loaded, which fails due to permission problems.

In my case I circumvented the problem by using the following command:

sudo -u deploydeputy /bin/bash -c "export HOME=/home/deploydeputy && git clone git@github.com:inventid/cdn.git /tmp/cdn"
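The accepted answer fixes the clone by forcing HOME to the target user's home inside the `bash -c` string. The script below is an added example (not code from the question or the answer) that does the same thing more robustly for a webhook deploy script: it reads the service account's home from the passwd database, runs the command with `sudo -H` plus an emptied environment so nothing inherited from the caller (a stray GIT_DIR, GIT_SSH_COMMAND or SSH_AUTH_SOCK) can redirect git or ssh, and provides a check that shows which HOME and which identity files ssh would actually use for that user. It assumes a `www-data` account with home `/var/www`, that the caller may sudo to it, and uses `git@my.git.server:user/repo.git` from the question as a placeholder repository URL; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Runs a command as a service account with HOME taken from the passwd
# database and the caller's environment dropped, which is the condition the
# accepted answer sets by hand with `export HOME=...`.
# Assumptions: "www-data" exists with home /var/www, sudo is allowed for the
# caller, and REPO_URL is a placeholder for the real repository.
set -eu

# Home directory of a user as recorded in the passwd database
# (getent where available, /etc/passwd otherwise).
user_home() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" | cut -d: -f6
    else
        awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd
    fi
}

# Run "$@" as user $1. HOME is set to that user's own home so git finds its
# ~/.gitconfig and ssh its ~/.ssh; env -i removes everything else, so a
# GIT_DIR, GIT_SSH_COMMAND or SSH_AUTH_SOCK inherited from the caller cannot
# redirect the clone. sudo is skipped when we already are that user.
run_as() {
    ra_user="$1"; shift
    ra_home="$(user_home "$ra_user")"
    if [ -z "$ra_home" ]; then
        echo "run_as: unknown user $ra_user" >&2
        return 1
    fi
    if [ "$(id -un)" = "$ra_user" ]; then
        env -i HOME="$ra_home" PATH="$PATH" USER="$ra_user" "$@"
    else
        sudo -u "$ra_user" -H -- env -i HOME="$ra_home" PATH="$PATH" USER="$ra_user" "$@"
    fi
}

# Show which HOME and which identity files ssh would use for the target
# user. `ssh -G` (OpenSSH 6.8+) prints the effective client configuration
# without connecting; on older releases use the `ssh -v ... | grep 'identity
# file'` check from the question instead.
identity_check() {
    run_as "$1" sh -c 'echo "HOME=$HOME"; ssh -G "$1" | grep -i identityfile' sh "$2"
}

# Clone as the service account into a directory only that account writes to.
clone_as() {
    run_as "$1" git clone "$2" "$3"
}

# Usage from a webhook handler (needs sudo and a reachable git server):
#   ./deploy.sh check   -> identity_check www-data my.git.server
#   ./deploy.sh clone   -> clone_as www-data "$REPO_URL" /var/www/html/repo
REPO_URL="git@my.git.server:user/repo.git"   # placeholder from the question
case "${1:-}" in
    check) identity_check www-data my.git.server ;;
    clone) clone_as www-data "$REPO_URL" /var/www/html/repo ;;
esac
```

`sudo -i -u www-data` would also reset HOME, but `env -i` with an explicit HOME, PATH and USER makes the clone's environment independent of whatever the calling shell or the webhook daemon happened to export. Ubuntu's default sudoers of that era kept the caller's HOME across `sudo -u` unless `-H` or `-i` was given, which is exactly the situation the accepted answer describes. Running `./deploy.sh check` before wiring up the hook confirms that ssh will present the key in `/var/www/.ssh`, not the one in the caller's home.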