Looking for a secure way to run a PHP git post-receive hook

I have a hook which executes a git pull but it fails when it needs to write added files. The user it operates as is apache, and it can execute the git pull fine when write permissions are granted to it (via adding apache to a group with write access).

I have come up with a few solutions...

  • keeping apache in the group with write permissions (feels insecure)
  • changing ownership of the files to apache (insecure and hacky)
  • using sudo (but that would require storing a password or having no password)
  • executing a chmod adding write for apache before and after the git pull's execution (hacky)

However, all of these seem like insecure or hacky solutions.

Please share any suggestions or methods you have used to get around these problems. I am curious to hear any solution, especially if you've had to jump this hurdle yourself.

Another solution (possibly old-school) is to create a setuid program to perform the actual work, then run that setuid program from the hook.

If you are running with SELinux, you may need to tweak the permissions to get the setuid program to run from the hook, given that the hook runs as the Apache user.
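The setuid wrapper the answer above describes, written out as an added C example (this is not code from the original post or its author). It assumes a hypothetical layout: the checkout at `/var/www/site` is owned by a dedicated `deploy` user, the binary is installed setuid to that user and group-executable by `apache` only, and the Apache user's numeric uid is 48. The hook itself then only has to call the wrapper, with no sudo password, no group write access for apache, and no chmod juggling.

```c
/*
 * git-pull-wrapper.c: a minimal setuid helper that runs a fixed "git pull"
 * as the repository owner on behalf of the web server user.
 *
 * Build:   cc -O2 -Wall -o git-pull-wrapper git-pull-wrapper.c
 * Install: chown deploy:apache git-pull-wrapper && chmod 4750 git-pull-wrapper
 * Hook:    exec('/usr/local/bin/git-pull-wrapper', $out, $rc);   (PHP)
 *
 * All paths and uids below are hypothetical values for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REPO_DIR   "/var/www/site"   /* hypothetical checkout owned by "deploy" */
#define GIT_BIN    "/usr/bin/git"    /* absolute path: PATH is never searched */
#define APACHE_UID 48                /* hypothetical uid of the apache user */

/* git is started with exactly this environment. Nothing from the caller's
 * environment (GIT_DIR, GIT_SSH, LD_PRELOAD, ...) can reach the privileged
 * process, because the hook's environment is controlled by whoever pushes. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "HOME=" REPO_DIR,
    NULL,
};

/* The command line is fixed at compile time. argv from the caller is
 * ignored entirely, so there is no argument to inject or a path to redirect. */
static char *const PULL_ARGV[] = {
    GIT_BIN, "-C", REPO_DIR, "pull", "--ff-only", NULL,
};

/* Number of arguments in PULL_ARGV (excluding the NULL terminator). */
size_t pull_argc(void) {
    size_t n = 0;
    while (PULL_ARGV[n] != NULL)
        n++;
    return n;
}

/* Only the web server user may trigger a pull; anyone else is refused. */
int caller_is_allowed(uid_t real_uid) {
    return real_uid == APACHE_UID;
}

/* Make the switch to the repository owner permanent (real, effective and
 * saved uid all become the owner), then verify it really happened so a
 * compromise of git cannot switch back to the caller's identity.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void) {
    uid_t target = geteuid();
    gid_t tgroup = getegid();
    if (setgid(tgroup) != 0)
        return -1;
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void) {
    uid_t caller = getuid();
    if (!caller_is_allowed(caller)) {
        fprintf(stderr, "git-pull-wrapper: refusing caller uid %ld\n", (long)caller);
        return 1;
    }
    if (drop_privileges() != 0) {
        perror("git-pull-wrapper: drop_privileges");
        return 1;
    }
    if (chdir(REPO_DIR) != 0) {
        perror("git-pull-wrapper: chdir");
        return 1;
    }
    /* execve never returns on success; on failure report and exit non-zero. */
    execve(GIT_BIN, PULL_ARGV, SAFE_ENV);
    perror("git-pull-wrapper: execve");
    return 1;
}
```

Because the wrapper is setuid to the repository owner rather than to root, a bug in it only exposes the checkout, not the whole host. The three properties that make this safer than the alternatives in the question are that the command, its arguments and its environment are all fixed in the binary, that the real uid of the caller is checked before anything runs, and that the privilege switch is verified rather than assumed.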