Diffusion sudo configuration on Debian

When setting up Diffusion for Git hosting, it is required to set up the vcs-user with the NOPASSWD option in sudoers, somewhat like:

gituser            ALL=(phabricatoruser) SETENV: NOPASSWD: /bin/ls, /usr/bin/git-upload-pack, /usr/bin/git-recieve-pack, /usr/bin/git

On Debian 9 (Stretch) git is using symlinks, for example for git-receive-pack:

/usr/bin/git-receive-pack -> git

This is causing issues with sudo: it doesn’t execute the command as the phabricatoruser user and asks for the password instead. No matter what combination of commands is specified, the same issue happens. Trying to use hardlinks instead of symlinks doesn’t change anything either.

Has anyone else experienced such issues with a Diffusion setup? How did you resolve it (other than defining gituser ALL=(phabricatoruser) SETENV: NOPASSWD: ALL)?


Most of the git executables are normally hardlinks, and your sudoers file looks like it should work regardless.
Are you sure the executables that are in use are the same ones you’ve listed in sudoers? Check the PATH for both gituser and phabricatoruser, as well as the environment.append-paths config value and the <phabricator>/support/bin directory.

avivey, thank you for the reply. My environment.append-paths uses:

"/usr/lib/git-core",
"/bin",
"/usr/bin",
"/usr/local/bin",
"/usr/lib/"

which should match the directory where the binaries reside. No other git installation is present on the system. Interestingly, even sudo’s log reports the correct COMMAND:

sudo: gituser : command not allowed ; TTY=pts/4 ; PWD=/home/gituser ; USER=phabricatoruser ; COMMAND=/usr/bin/git-receive-pack
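A check worth running before changing anything else, added here as an example and not part of the thread: take the sudoers Cmnd list and the COMMAND= path from sudo's own log line, and compare them mechanically. sudo compares the name of the invoked command with each sudoers entry before it considers anything else, so a symlink named like the entry (git-receive-pack -> git) matches, while an entry whose name is spelled differently from the logged path can never match and produces exactly "command not allowed". Note that the sudoers line in the first post spells the entry git-recieve-pack while the log line reports COMMAND=/usr/bin/git-receive-pack. The script builds a constructed stand-in for the Debian 9 /usr/bin layout under a temporary directory so that it runs offline; the sudoers and log lines are the ones quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a Diffusion sudoers Cmnd list against sudo's log line.
# Not from the thread or from Phabricator; function names are hypothetical.

# Constructed stand-in for the Debian 9 layout: /usr/bin/git is a regular
# file, git-receive-pack and git-upload-pack are symlinks to it, /bin/ls exists.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/git"
    chmod +x "$root/usr/bin/git"
    ln -s git "$root/usr/bin/git-receive-pack"
    ln -s git "$root/usr/bin/git-upload-pack"
    printf '#!/bin/sh\n' > "$root/bin/ls"
    chmod +x "$root/bin/ls"
    printf '%s\n' "$root"
}

# Print the commands of a sudoers line one per line:
# "user HOST=(runas) SETENV: NOPASSWD: /a, /b" -> "/a" "/b".
# Everything up to the last "TAG:" is dropped; sudoers paths contain no colon.
sudoers_cmnds() {
    printf '%s\n' "$1" | sed 's/.*:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Extract the COMMAND= field from a sudo syslog line.
logged_cmnd() {
    printf '%s\n' "$1" | sed -n 's/.*COMMAND=\([^ ]*\).*/\1/p'
}

# Print "allowed" if the exact path is one of the sudoers entries, else
# "not allowed" (the same verdict sudo prints when no entry's name matches).
is_listed() {
    line=$1; cmd=$2
    for c in $(sudoers_cmnds "$line"); do
        [ "$c" = "$cmd" ] && { printf 'allowed\n'; return 0; }
    done
    printf 'not allowed\n'
}

# Print every sudoers entry that does not exist on disk under $root; a symlink
# to an existing target counts as present, a misspelled name does not.
missing_cmnds() {
    root=$1; line=$2
    for c in $(sudoers_cmnds "$line"); do
        [ -e "$root$c" ] || printf '%s\n' "$c"
    done
}

# Show what each entry resolves to, so symlinks are visible at a glance.
show_cmnds() {
    root=$1; line=$2
    for c in $(sudoers_cmnds "$line"); do
        if [ -e "$root$c" ]; then
            target=$(readlink "$root$c" 2>/dev/null)
            printf 'present %s%s\n' "$c" "${target:+ -> $target}"
        else
            printf 'MISSING %s\n' "$c"
        fi
    done
}

# Demo run with the two lines quoted in the thread.
SUDOERS_LINE='gituser            ALL=(phabricatoruser) SETENV: NOPASSWD: /bin/ls, /usr/bin/git-upload-pack, /usr/bin/git-recieve-pack, /usr/bin/git'
SUDO_LOG='sudo: gituser : command not allowed ; TTY=pts/4 ; PWD=/home/gituser ; USER=phabricatoruser ; COMMAND=/usr/bin/git-receive-pack'
ROOT=$(make_sandbox)
show_cmnds "$ROOT" "$SUDOERS_LINE"
CMD=$(logged_cmnd "$SUDO_LOG")
printf '%s: %s\n' "$CMD" "$(is_listed "$SUDOERS_LINE" "$CMD")"
rm -rf "$ROOT"
```

On a real host, run show_cmnds with an empty root against the live sudoers line and the paths from environment.append-paths; any entry reported MISSING is one sudo can never match, whatever the symlink layout.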

Hi,
I have faced the same issue and, thanks to your exchange, I have solved it on my host.
Prior to reading your message I was using /usr/lib/git-core/git-upload-pack and /usr/lib/git-core/git-recieve-pack.
Switching to @tomica’s values fixed it for me.
Please note that you actually need to restart the sshd process for your sudoers file change to be taken into account!
This almost got me to abandon all hope :grin:
Notes:

  • I didn’t need the /bin/ls…
  • I am using the phabricator-daemon
  • I have added /usr/bin/ssh to the list of authorized commands.

Good luck!