Handling File ownership issues in a PHP apache application

Env: Linux

PHP app runs as “www-data”

PHP files in /var/www/html/app owned by “ubuntu”. Source files are pulled from a git repository. /var/www/html/app is the local git repository (origin: bitbucket)

Issue: Our Developers and Devops would like to pull the latest sources (frequently), and would like to initiate this over the web (rather than putty -> and running the git pull command).

However, since the PHP files run as “www-data” it cannot run a git pull (as the files are owned by “ubuntu”).

I am not comfortable with either alternative:

  • Running Apache server as “ubuntu”, due to obvious security issue.
  • The git repository files being owned by “www-data”, as it makes it very inconvenient for developers logging into the server and editing the files directly.

What is the best practice for handling this situation? I am sure this must be a common issue for many setups.

Right now, we have a mechanism where the Devops triggers the git pull request from the web (where a PHP job, running as “www-data”, creates a temp file). A cron job, running as “ubuntu”, reads the temp file trigger and then issues the “git pull” command. There is a time lag between the trigger and the actual git pull, which is a minor irritant now. I am in the process of setting up docker containers, and have the requirement to update the repo running on multiple containers within the same host. I wanted to use this opportunity to solve this problem in a better way, and am looking for advice regarding this.

One solution collected from the web for “Handling File ownership issues in a PHP apache application”:

    We use Rocketeer and groups to deploy. Rocketeer deploys with the user set to the deployment user (ubuntu in your case) with read/write permission for it, and the www-data group with read/execute permission. Then, as a last step, it modifies the permissions on the web-writable folders so that PHP can write to them.

    Rocketeer executes over ssh, so it can be triggered from anywhere, as long as it can connect to the server (public keys help). You might be able to set up your continuous integration/automated deployment to trigger a deploy automatically when a branch is updated/tests pass.

    In any case, something where the files are owned by one user that can modify them and the web group can read the files should solve the main issue.

    If you are planning on using docker, the simplest way would be to generate a new docker image for each build that you can distribute to your hosts. The docker build process would simply pull the latest changes on creation and never update itself. If a new version needs to be deployed, a new immutable image with the latest code is created and distributed.
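The ownership scheme the answer describes (deploy user owns and writes, web group only reads, a few directories opened for PHP writes), as an added example written for this page rather than code from the original post or from Rocketeer. It assumes the names from the question (deploy user `ubuntu`, web group `www-data`, checkout at `/var/www/html/app`) and assumes `storage` and `cache` as the web-writable directories; the function names and the `run` argument are this example's own. It also closes `.git` to the web server, since Apache never needs to read repository metadata that sits under the document root.

```bash
#!/usr/bin/env bash
# deploy.sh (added example): pull as the deploy user, then apply the
# owner-rw / web-group-r / others-nothing scheme. Runs as the deploy user
# (e.g. over ssh from CI); www-data never needs to own or pull anything.
set -euo pipefail

# set_deploy_perms APP_DIR DEPLOY_USER WEB_GROUP [WRITABLE_DIR ...]
set_deploy_perms() {
  local app_dir=$1 deploy_user=$2 web_group=$3
  shift 3
  local d

  # Create the web-writable dirs first so they get chown'ed with everything else.
  for d in "$@"; do
    mkdir -p "$app_dir/$d"
  done

  # Deploy user owns everything; the web server only gets group access.
  chown -R "${deploy_user}:${web_group}" "$app_dir"
  # dirs: rwxr-x---  files: rw-r-----  (this also drops the execute bit from
  # tracked scripts; a PHP app served by Apache does not need it)
  find "$app_dir" -type d -exec chmod 0750 {} +
  find "$app_dir" -type f -exec chmod 0640 {} +

  # Repository metadata is for the deploy user only: dirs 700, files 600.
  if [ -d "$app_dir/.git" ]; then
    chmod -R u+rwX,g-rwx,o-rwx "$app_dir/.git"
  fi

  # Web-writable dirs: deploy user and web group both rw; setgid on the dirs
  # so files PHP creates inherit WEB_GROUP and stay editable by the deploy user.
  for d in "$@"; do
    find "$app_dir/$d" -type d -exec chmod 2770 {} +
    find "$app_dir/$d" -type f -exec chmod 0660 {} +
  done
}

# deploy APP_DIR DEPLOY_USER WEB_GROUP [WRITABLE_DIR ...]
# Fast-forward the checkout, then re-apply the scheme (a pull can add files).
deploy() {
  local app_dir=$1
  git -C "$app_dir" pull --ff-only
  set_deploy_perms "$@"
}

# Octal mode of a path (GNU stat); used to verify the result.
mode_of() { stat -c '%a' "$1"; }

# Only deploy when explicitly asked, e.g.:  sudo -u ubuntu ./deploy.sh run
if [ "${1:-}" = "run" ]; then
  deploy /var/www/html/app ubuntu www-data storage cache
fi
```

With this in place the web-triggered pull in the question becomes an ssh invocation of `deploy.sh run` as `ubuntu` (from CI or a deploy tool), and developers keep editing the checkout as `ubuntu` without touching www-data's ownership.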
