
GitLab webhooks not working due to shell script permission

Using Laravel 5.6. I’m trying to set up a webhook on GitLab to make a git pull on push events. I’ve created a POST route and added a controller and method that launches a shell script:

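    use Illuminate\Http\Request;
    use Symfony\Component\Process\Process;

    class WebhookController extends Controller
    {
        public function handle(Request $request) {
            $root_path = base_path();
            // Runs deploy.sh from the application root, as the web server's user
            $process = Process::fromShellCommandline('cd ' . $root_path . '; ./deploy.sh');
            // Stream the script's output back into the webhook response
            $process->run(function($type, $buffer) {
                echo $buffer;
            });
        }
    }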

The shell script itself contains just one line:

#!/bin/sh

git pull

But in GitLab’s request details, I see an error after a push:

error: cannot open .git/FETCH_HEAD: Permission denied

I already chmod 777 deploy.sh, but I guess it tries to launch that script from a different user? If I launch the script from my user, it just works (I’m using an ssh key without a password).

UPDATE

I did sudo chown -R $USER:www-data . – now it doesn’t show an error with permissions, except this one:

Could not create directory '/var/www/.ssh'.
Host key verification failed.
fatal: Could not read from remote repository.

It’s trying to make a git pull using the www-data user (I checked with whoami), so it doesn’t have the right ssh key. How can I switch to my USERNAME?

Answer

SSH keys are linked to users and your process inside your Laravel app most likely doesn’t run as the user you’ve added your ssh key to. It probably runs as the www-data user.

Try and create an ssh key for your www-data user and use the key as a “Deploy key” on GitLab. Try sudo -u www-data ssh-keygen -t rsa to create the ssh key. Also check out this question.

To answer your last question about switching to your username: that would not be a good idea. That way your application can run anything that your user would be able to run, which is not a good idea. Rather, create a separate ssh key for that user and give it limited access to your repository (i.e. only read/pull access).

User contributions licensed under: CC BY-SA
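
The errors quoted in this thread each point at something the www-data account is missing: write access to .git, a ~/.ssh directory, a deploy key, and a known_hosts entry for the Git host. The script below is an added example (not code from the question or the answer) that checks all four in one pass; the script name, paths and host in its usage comment are placeholders.

```shell
#!/bin/sh
# Run as the account the webhook runs under, for example:
#   sudo -u www-data sh preflight.sh /srv/app /var/www gitlab.example.com
# (all three arguments are placeholders for your own layout)

# Prints one line per problem; the return status is the number of problems.
deploy_preflight() {
    repo=$1; home=$2; host=$3; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # "cannot open .git/FETCH_HEAD: Permission denied"
    if [ ! -d "$repo/.git" ]; then
        fail "$repo has no .git directory"
    elif [ ! -w "$repo/.git" ]; then
        fail "$(id -un) cannot write $repo/.git"
    fi

    # "Could not create directory '/var/www/.ssh'"
    if [ ! -d "$home/.ssh" ]; then
        fail "$home/.ssh is missing"
        return "$problems"
    fi

    # The deploy key: a private key that only its owner can access.
    key=
    for f in "$home"/.ssh/id_*; do
        case $f in *.pub) continue ;; esac
        if [ -f "$f" ]; then key=$f; break; fi
    done
    if [ -z "$key" ]; then
        fail "no private key in $home/.ssh"
    else
        case $(ls -ld "$key") in
            -rw-------*|-r--------*) ;;
            *) fail "$key is accessible to group or others" ;;
        esac
    fi

    # "Host key verification failed": the host must be in known_hosts.
    # Plain entries only; for hashed entries use `ssh-keygen -F HOST`.
    if ! awk -v h="$host" '{ n = split($1, a, ","); for (i = 1; i <= n; i++)
            if (a[i] == h) found = 1 } END { exit !found }' \
            "$home/.ssh/known_hosts" 2>/dev/null; then
        fail "$host is not in $home/.ssh/known_hosts"
    fi
    return "$problems"
}

if [ "$#" -eq 3 ]; then deploy_preflight "$@"; fi
```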