capistrano / capistrano

A deployment automation tool built on Ruby, Rake, and SSH.
http://www.capistranorb.com
MIT License

scp: /tmp/git-ssh.sh: Permission denied #687

Closed jfrux closed 10 years ago

jfrux commented 10 years ago

I think I'm too fried to see what's happening here... Set up a new app to deploy with capv3 and I have no clue why this is happening. I have ssh auth passwordless setup correctly with the remote server... I can ssh and run any commands via ssh...

cap production git:check
DEBUG Uploading /tmp/git-ssh.sh 0.0%
cap aborted!
scp: /tmp/git-ssh.sh: Permission denied

Tasks: TOP => git:check => git:wrapper
(See full trace by running task with --trace)

full trace:

cap production git:check
DEBUG Uploading /tmp/git-ssh.sh 0.0%
cap aborted!
scp: /tmp/git-ssh.sh: Permission denied

Tasks: TOP => git:check => git:wrapper
(See full trace by running task with --trace)
mccme-rountrjf:ccpd-realtime joshua$
mccme-rountrjf:ccpd-realtime joshua$ cap production git:check --trace
** Invoke production (first_time)
** Execute production
** Invoke load:defaults (first_time)
** Execute load:defaults
** Invoke git:check (first_time)
** Invoke git:wrapper (first_time)
** Execute git:wrapper
DEBUG Uploading /tmp/git-ssh.sh 0.0%
cap aborted!
scp: /tmp/git-ssh.sh: Permission denied
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-scp-1.1.2/lib/net/scp.rb:392:in `await_response_state'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-scp-1.1.2/lib/net/scp.rb:363:in `block (3 levels) in start_command'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/channel.rb:311:in `call'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/channel.rb:311:in `process'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:222:in `block in preprocess'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:222:in `each'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:222:in `preprocess'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:205:in `process'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:169:in `block in loop'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:169:in `loop'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/session.rb:169:in `loop'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-ssh-2.7.0/lib/net/ssh/connection/channel.rb:269:in `wait'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/net-scp-1.1.2/lib/net/scp.rb:279:in `upload!'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/sshkit-1.0.0/lib/sshkit/backends/netssh.rb:68:in `upload!'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/capistrano-3.0.0/lib/capistrano/tasks/git.rake:11:in `block (3 levels) in <top (required)>'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/sshkit-1.0.0/lib/sshkit/backends/netssh.rb:42:in `instance_exec'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/sshkit-1.0.0/lib/sshkit/backends/netssh.rb:42:in `run'
/opt/boxen/rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/sshkit-1.0.0/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
Tasks: TOP => git:check => git:wrapper

seenmyfate commented 10 years ago

The key line here is scp: /tmp/git-ssh.sh: Permission denied - it looks like your deploy user does not have permission to create a file in /tmp on your server. You may want to have a read through the Authentication and Authorisation Guide - the authorisation section is towards the end.

For now though, I'm going to close this issue as it doesn't look to be caused by a bug within cap, but rather server configuration.

jfrux commented 10 years ago

Okay so, I believe the reason for the Permission denied is that I have a multi-user system and another user has deployed with capistrano3 and it's created git-ssh.sh in /tmp with that user's creds. Now another user trying to deploy capistrano3 cannot edit or delete or override that file due to it being owned by another person.

QUESTION: Is there not a way to configure capistrano3 to deploy to a sub folder of "tmp" so as to not conflict with other users' space? Such as /tmp/<deploy_user>/git-ssh.sh

jfrux commented 10 years ago

Also, all my users have a tmp directory of their own at ~/tmp/ that could be substituted or used as well... that would be even cleaner...

Would be ideal (in my particular case, which I recognize is not necessarily useful for everyone) if I could define some sort of parameter in my deployment or on the server itself to tell Capistrano to use ~/tmp instead of /tmp

jfrux commented 10 years ago

Another update, I've attempted to solve it by creating a "capistrano" user group and add all the "deploying" users to it and gave that group g+wrx permission on /tmp/git-ssh.sh but then capistrano decides it wants to CHANGE the permissions of the file...

DEBUG Uploading /tmp/git-ssh.sh 0.0%
 INFO Uploading /tmp/git-ssh.sh 100.0%
 INFO [e643f41f] Running /usr/bin/env chmod +x /tmp/git-ssh.sh on mccme-web.msbb.uc.edu
DEBUG [e643f41f] Command: /usr/bin/env chmod +x /tmp/git-ssh.sh
DEBUG [e643f41f]    chmod: changing permissions of `/tmp/git-ssh.sh'
DEBUG [e643f41f]    : Operation not permitted

I mean, I get why it needs it to be owned by the user so that the files that "git" pulls down don't get owned by the root:capistrano but still... just wish I could find an alternative solution.

Back to the drawing board again...

jfrux commented 10 years ago

OOPS! Forgive me... Just noticed this issue: pull request #576 should resolve my issue... DOH

Thanks for your help...

leehambley commented 10 years ago

Joshua, we decided to KISS, so no - but you are doing it right, most people won't deploy with a multi-user env, but they should. We have no divine wisdom on how this should be solved, but probably the short answer is to generate a tempfile and use that name for each git wrapper script, as they will change between versions of Capistrano and Git, as and when that thing moves, and it's designed to be thrown away, basically. (otherwise we'd put it in the project's deploy_to directory)

We'd be glad of a patch/PR to make it use http://unixhelp.ed.ac.uk/CGI/man-cgi?mktemp or Tempfile to generate a suitably unlikely-to-conflict name for that file?

Lee Hambley

http://lee.hambley.name/ +49 (0) 170 298 5667
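
The Tempfile-style naming suggested in the comment above, as an added example that is not Capistrano's own code: it writes a wrapper under an unpredictable name with exclusive creation, next to the fixed-name variant that collides. The helper names and the wrapper body are hypothetical, and the demonstration runs against a local directory rather than a remote host.

```ruby
require "securerandom"
require "tmpdir"

# Constructed wrapper body for illustration; not copied from Capistrano.
WRAPPER_BODY = <<~SH
  #!/bin/sh -e
  exec /usr/bin/env ssh -o PasswordAuthentication=no "$@"
SH

# Flags for exclusive creation: fail if the path already exists instead of
# reusing (or trying to overwrite) a file left there by another user.
EXCL_CREATE = File::WRONLY | File::CREAT | File::EXCL

# Hypothetical helper: create the wrapper under tmp_dir with a random name.
# Mode 0700 keeps the script private to, and executable by, its creator.
def write_wrapper(tmp_dir, body = WRAPPER_BODY, attempts: 5)
  attempts.times do
    path = File.join(tmp_dir, "git-ssh-#{SecureRandom.hex(8)}.sh")
    begin
      File.open(path, EXCL_CREATE, 0o700) { |f| f.write(body) }
      return path
    rescue Errno::EEXIST
      next # random name already taken: try another one
    end
  end
  raise "could not create a unique wrapper in #{tmp_dir}"
end

# The fixed name from this issue, for comparison: every deployer targets the
# same path, so whoever comes second hits the first deployer's file.
def write_fixed_wrapper(tmp_dir, body = WRAPPER_BODY)
  path = File.join(tmp_dir, "git-ssh.sh")
  File.open(path, EXCL_CREATE, 0o700) { |f| f.write(body) }
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts write_wrapper(dir)
    puts write_wrapper(dir) # a second deploy gets its own file
    write_fixed_wrapper(dir)
    begin
      write_fixed_wrapper(dir)
    rescue Errno::EEXIST => e
      puts "fixed name collides: #{e.message}"
    end
  end
end
```
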

bbiglari commented 10 years ago

The issue might be that the /tmp folder on your deployment machine does not have enough permission to run the script. Change the /tmp folder to something else with set :tmp_dir, "/home/dh_user_name/tmp"

leehambley commented 10 years ago

Additional information, sometimes it's considered security practice to mount /tmp with an option called noexec [1]. It's not universal, which is why we choose /tmp as the storage place for the script, but there's really no harm in setting :tmp_dir to the tmp directory in your application, or to the shared directory, or your deploy user's home directory, wherever really.

[1] http://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/

Lee Hambley

http://lee.hambley.name/ +49 (0) 170 298 5667
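
A way to check the noexec point from the comment above before choosing a value for :tmp_dir, as an added example that is not part of Capistrano: it reads text in /proc/mounts format and reports whether the filesystem holding a candidate directory is mounted noexec or read-only. The function names and the sample mount table are constructed; on a real server the input would be the contents of /proc/mounts, and paths are assumed to be absolute.

```ruby
# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/sda1 / ext4 rw,relatime 0 0
  tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
  /dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
MOUNTS

# Parse mount-table text into [[mount_point, [options...]], ...].
# /proc/mounts writes spaces and similar characters in paths as octal
# escapes such as \040, so decode those before comparing paths.
def parse_mounts(text)
  text.each_line.map do |line|
    fields = line.split
    next if fields.size < 4
    mount_point = fields[1].gsub(/\\([0-7]{3})/) { $1.to_i(8).chr }
    [mount_point, fields[3].split(",")]
  end.compact
end

# Options of the filesystem that holds `path`: the mount whose mount point
# is the longest path prefix. Later entries win ties, because a later mount
# on the same point hides the earlier one.
def mount_options_for(path, mounts)
  candidates = mounts.reverse.select do |mount_point, _|
    mount_point == "/" || path == mount_point ||
      path.start_with?(mount_point + "/")
  end
  best = candidates.max_by { |mount_point, _| mount_point.length }
  best ? best[1] : []
end

# Reasons why an uploaded wrapper script could not be written or executed
# from `path`; an empty array means the mount options do not stand in the way.
def tmp_dir_problems(path, mounts_text)
  options = mount_options_for(path, parse_mounts(mounts_text))
  problems = []
  problems << "noexec" if options.include?("noexec")
  problems << "read-only" if options.include?("ro")
  problems
end

if __FILE__ == $PROGRAM_NAME
  ["/tmp/my_app", "/home/deployer/tmp"].each do |dir|
    problems = tmp_dir_problems(dir, SAMPLE_MOUNTS)
    puts "#{dir}: #{problems.empty? ? 'ok' : problems.join(', ')}"
  end
end
```
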

slamkajs commented 10 years ago

@bbiglari That solution was the fix for me. @joshuairl Thanks for pointing me in the right direction.

francois-blanchard commented 10 years ago

@bbiglari fixed my problem. Thx

jaywilliams commented 10 years ago

:thumbsup: @bbiglari!

tranvictor commented 9 years ago

I actually uploaded successfully git-ssh.sh file but still got permission denied.

INFO[a1d77fa2] Running /usr/bin/env mkdir -p /home/deployer/tmp/<PROJ_NAME>/ on <IP-HIDED>
DEBUG[a1d77fa2] Command: /usr/bin/env mkdir -p /home/deployer/tmp/<PROJ_NAME>/
INFO[491f236a] Running /usr/bin/env mkdir -p /home/deployer/tmp/<PROJ_NAME>/ on <IP-HIDED>
DEBUG[491f236a] Command: /usr/bin/env mkdir -p /home/deployer/tmp/<PROJ_NAME>/
INFO[a1d77fa2] Finished in 3.374 seconds with exit status 0 (successful).
INFO[491f236a] Finished in 3.390 seconds with exit status 0 (successful).
DEBUGUploading /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh 0.0%
DEBUGUploading /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh 0.0%
INFOUploading /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh 100.0%
INFO[05677bc0] Running /usr/bin/env chmod +x /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh on <IP-HIDED>
DEBUG[05677bc0] Command: /usr/bin/env chmod +x /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh
INFO[05677bc0] Finished in 0.599 seconds with exit status 0 (successful).
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing on host <IP-HIDED>: scp: /home/deployer/tmp/<PROJ_NAME>/git-ssh.sh: Permission denied

tranvictor commented 9 years ago

Sorry, I figured it out that I didn't use role filters.

645383 commented 9 years ago

+1 @bbiglari

howardroark commented 9 years ago

So I am using the same server with two different users for deploying each stage. It seems like the first user creates "/tmp/APPLICATIONNAME/git-ssh.sh" and then the second user tries the same and fails.

Is the expectation that I should set tmp_dir for each stage?

leehambley commented 9 years ago

No expectation, if it doesn't work you'll have to change it :) But yes, that variable exists for cases such as this.

Lee Hambley

http://lee.hambley.name/ +49 (0) 170 298 5667

howardroark commented 9 years ago

Fair enough ;) Thanks!

serv commented 9 years ago

@bbiglari Thank you! :+1:

eightyfive commented 8 years ago

@bbiglari :+1:

marcobax commented 8 years ago

@bbiglari Thank you, that fixed it !

xtfer commented 8 years ago

@bbiglari Yet another fix. Super.

stefanosc commented 8 years ago

@leehambley I had this issue too (deploying on a multi user server.. ) may I suggest to add details about this issue and the suggestion to use set :tmp_dir at the end of this page http://capistranorb.com/documentation/getting-started/cold-start/ If someone is going through the docs for the first time it could be helpful and save time. I hope this helps!