Lets face it… we all need Source Control in our projects, even for small scale projects with just one developer. There are too many times when we need to revert to a past revision of our code. In a typical computer application or game, source control makes sense; but what about web development? When you factor in an FTP server and MySQL database, how do you accomplish your version control? How do you keep everything in sync when you are deploying to an external server? Most web projects are tracked via SVN, but SVN is very limiting compared to other options such as Git. Git provides powerful team collaboration tracking and revision control, but how can it be implemented to work with a web server? The answer is surprisingly easy.
I had been searching for an answer to this question, when I stumbled upon an article by Joe Maller (http://joemaller.com/990/a-web-focused-git-workflow/). He offered a great explanation of how I could use Git to control not only my project, but eliminate FTP altogether. I have my own server that i use for hosting a website, and having full control over that server opens up the possibilities for a very handy work flow. Using Eclipse as my Primary IDE, I can develop websites, commit the code, and push it to my web sever. I don’t need to leave Eclipse or use FTP. Whats even better? I don’t have to worry about losing my code if my web server goes down, because I’m not push my code to my web server. If my web server were to suddenly kick the bucket, my code would be safe and sound on GitHub.
One problem I had though with this method was getting my server to pull the latest code from GitHub. After doing some investigative detective work, I found that the account my apache and php were running on didn’t have enough permissions to execute a git pull. To be honest, that is probably a good thing for security reasons, but not exactly want I wanted at this point. I needed to execute git pull somehow, but outside the limited permission scope of my Apache web service. Instead of a php script calling the git pull, I need something else to execute the script with all permissions needed. Since I knew exactly what needed to be executed, and what would happen, I eventually settled on writing a simple program to do the git pull.
Great! Now just compile that and execute:’
sudo chown root /path/to/program
sudo chmod u+s /path/to/program
And for the PHP file:
Great! In retrospect, it would be better to setup the permissions so that it is based on a group, and not the user. Now I just opened a security hole right? Probably, after all, if someone was to gain access to the machine, they could change the post-update-hook.sh file into something else and then execute it. But you know.. I don’t really need to worry about that. This server is only used to host one site. If user was to gain access to the one account I setup, which is where the site is located, then there really is no need for them to use root, they would have access to the entire site anyways. The site doesn’t really host any mission critical data. Not to mention, the only way the script could be executed without authenticating, would be to execute the PHP script that calls this program. If I wanted to make it more secure, I could have it check the hash of the script, and verify it is correct before it runs it. Of course, if a user had access to my GitHub account, they could inject code into the site by committing the code there, and then waiting for this hook to run. However I’ll assume that if that were to happen, then I would have more problems than just security on the server, wouldn’t you agree?