Jeremy Belolo Jeremy Belolo - 1 year ago 41
Git Question

Git clone from one server to another without superuser access

I want to setup a git environment for my coworkers and me between the dev server and the prod server (and later between local machines and the dev server as well). Installed git on prod, init, everything is fine.

Now I want to

git clone
the prod into the dev, to then be able to push validated features to prod. I tried to do so with

git clone ssh://sshUser@

The issue is, that user is not a superuser and has no access to that path. So of course it fails. I can't connect in root because
PermitRootLogin no
. So I thought of 2 possibilities :

  • Change
    PermitRootLogin no
    PermitRootLogin without-password
    and use a ssh key to connect as root. I guess it would work.

  • Create another superuser to keep root deactivated and do the exact same thing with that new user (a little more secure maybe).

But I'm not sure whether it's the right way to go or if I have another option I didn't think of / found info about.

Thanks ahead !

Answer Source

Having application files on your production system that require root access is not a good idea in the first place, and further opening up your root account in the way you describe is an absolute no-no. A good (i.e., secure) approach is this:

  • Make a group myapp and a user myappadm.
  • Everything related to your application (i.e. /path/to/git/repos/) should be chown'ed to myappadm:myapp.
  • Everything should be writable by myappadm but only readable by myapp.
  • Things like your webserver can go into group myapp.

(Of course, if you already have a group like myapp and only have root instead of myappadm then you can keep that group and just chown everything to myappadm instead of root.)

That done, you will clone from ssh://myappadm@... and all will be fine. People who have access to myappadm will no longer be able to take over the whole machine, and so on.