How to enable group-writable suexec-capable CGI scripts?

Solution 1:

To ensure accountability in this context and yet provide the correct ownership and permissions for the published content, I use a slightly modified version of the workflow described in this article.

This is how I have implemented it; note that most of the pieces are replaceable:

  • All the published content is managed by a version control system (git in this case)
  • Users have nominal accounts registered in a Kerberized LDAP along with their RSA public keys
  • In the past, I used such public keys to grant access to the different repos using gitosis/gitolite, but you can also use plain git with git-shell.
  • A while back, I moved to gitblit, which provides LDAP authorization. Access to gitblit's web UI requires a valid Kerberos ticket.
  • The repos have their post-update hook symlinked to a script containing:

#!/bin/sh
# post-update hook: runs as the repository owner after refs are updated and
# escalates to the root-only publisher script via the sudo rule below.

sudo /usr/local/sbin/publisher-hub2live

exit 0

The script is not directly accessible to unauthorized users:

# ls -lrt /usr/local/sbin/publisher-hub2live
-rwx------. 1 root root 400 Oct 12  2012 /usr/local/sbin/publisher-hub2live

Hence the sudo rule:

# Let the repository owner run the publisher as root without a password;
# "Host_Alias" is a reserved word in sudoers, so the host field must be ALL
# (or a host alias you have defined).
Defaults:git   !requiretty
git   ALL = (root) NOPASSWD: /usr/local/sbin/publisher-hub2live

Replace git with the actual owner of the repositories.

The contents of the publisher script work the "magic" here (simplified version):


#!/bin/sh
# Runs as root (via sudo) from the hub repository's post-update hook.

echo
echo "**** Pulling changes into Live [Hub's post-update hook]"
echo

cd /path/to/live/repo || exit 1
umask 0022
# The hook environment carries GIT_DIR pointing at the hub repo; clear it so
# git operates on the live checkout instead.
unset GIT_DIR
git pull hub master || exit 1

# Normalise ownership and permissions so nothing in the live tree is
# group- or world-writable (suexec refuses such scripts and directories).
chown -R root:root /path/to/live/repo
# "=" for go clears any stray write bit; -exec ... {} + copes with names
# containing whitespace, unlike a bare xargs.
find /path/to/live/repo/ -type d -exec chmod u=rwx,go=rx {} +
find /path/to/live/repo/ -type f -exec chmod u=rw,go=r {} +
restorecon -v -R /path/to/live/repo

exec git update-server-info

Your needs might differ with regard to the owner, group, DAC and MAC permissions, but the workflow is the same.
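As an added check that is not part of the answer above, the following Python audit walks a published tree and reports every path that suexec would refuse: group- or world-writable files and directories, setuid/setgid bits, symlinks, and owners that do not match the target user. The directory layout and file names in demo() are constructed for illustration.

```python
"""Audit a published tree for paths that suexec would refuse to execute."""
import os
import shutil
import stat
import tempfile

# suexec rejects group/world-writable scripts and directories and setuid/setgid
# programs; none of these bits may be set anywhere in the published tree.
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID


def audit_tree(root, expected_uid=None, expected_gid=None):
    """Return a list of (path, reason) tuples, one per violation found."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            # suexec only runs regular files; a symlink is worth flagging.
            findings.append((path, "symlink"))
            continue
        bad = st.st_mode & FORBIDDEN_BITS
        if bad:
            findings.append((path, "mode %o has bits %o" % (stat.S_IMODE(st.st_mode), bad)))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((path, "uid %d != %d" % (st.st_uid, expected_uid)))
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append((path, "gid %d != %d" % (st.st_gid, expected_gid)))
    return findings


def demo():
    """Build a constructed sample tree, audit it, and return relative findings."""
    root = tempfile.mkdtemp()
    try:
        cgi = os.path.join(root, "cgi-bin")
        os.mkdir(cgi)
        good, bad = os.path.join(cgi, "ok.cgi"), os.path.join(cgi, "shared.cgi")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho ok\n")
        os.chmod(cgi, 0o755)
        os.chmod(good, 0o755)
        os.chmod(bad, 0o775)  # group-writable: exactly what suexec refuses
        found = audit_tree(root, os.getuid(), os.getgid())
        return sorted((os.path.relpath(p, root), why) for p, why in found)
    finally:
        shutil.rmtree(root)
```

Run audit_tree() over the live checkout as a post-publish check; an empty result means the tree satisfies suexec's ownership and permission rules.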