php will not allow me to do `shell_exec('git pull origin master 2>&1');`

When I run the script <?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); ?>, I get the error message:

error: cannot open .git/FETCH_HEAD: Permission denied

Here's what I did:

ssh [email protected]
pwd # shows that I'm already at /var/www as my home directory
ls .ssh/ # shows that I have id_rsa and id_rsa.pub, and id_rsa.pub is given to github
cd html
git pull origin master # everything downloads perfectly
echo "<?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); " > pull.php

Now when I go to http://example.com/pull.php I get the error cannot open .git/FETCH_HEAD: Permission denied .

To confirm my permissions, I logged in as root to do a chown -R apache:apache /var/www. I also have this in my /etc/passwd

apache:x:48:48:Apache:/var/www:/bin/bash

What am I doing wrong?

Solution 1:

SELinux does not allow the web server to write to random directories. You need to explicitly define what directories SELinux should allow to be writable by setting their default context to httpd_sys_rw_content_t and then setting the context of any existing files. For example:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"
restorecon -rv /var/www

You almost certainly should not make the entire site writable by the web server though, nor set up a web page which directly calls git. Both of these completely negate any security benefits you would have gotten from SELinux, and the latter has its own set of potential problems.