sudoers security
Posted by jetboy on Server Fault
Published on 2012-12-05T15:59:24Z
I've set up a script to do Subversion updates across two servers - the localhost and a remote server - called by a post-commit hook run by the www-data user.
/srv/svn/mysite/hooks/post-commit contains:
#!/bin/sh
sudo -u cli /usr/local/bin/svn_deploy
/usr/local/bin/svn_deploy is owned by the cli user, and contains:
#!/bin/sh
# Update the local working copy, then the remote one over ssh, both as the cli user.
svn update /srv/www/mysite
ssh cli@remotehost 'svn update /srv/www/mysite'
To get this to work I've had to add the following to the sudoers file:
www-data ALL = (cli) NOPASSWD: /usr/local/bin/svn_deploy
cli ALL = NOEXEC:NOPASSWD: /usr/local/bin/svn_deploy
Entries for both www-data and cli were necessary to avoid the error:
post commit hook failed: no tty present and no askpass program specified
I'm wary of giving any kind of elevated rights to www-data. Is there anything else I should be doing to reduce or eliminate any security risk?
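The question above has no answer on this page. As an added example (not code from the original post or its author), the script below shows two things a practitioner would want here: a hardened replacement for the svn_deploy helper, and a pre-flight check that a sudo target handed to an untrusted user is a regular file the caller does not own and nobody but the owner can write. It assumes Linux with GNU coreutils (`stat -c`); the dedicated ssh key path `/home/cli/.ssh/deploy_key` and the remote forced-command entry are assumptions for illustration. The sudoers rule in the comments is a tightened form of the posted one; the trailing `""` is standard sudoers syntax meaning the command may only be run with no arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Linux with GNU
# coreutils (stat -c). The ssh key path below is hypothetical.
set -eu

# A tighter version of the posted sudoers rule, for reference only (this
# script does not edit sudoers). The trailing "" permits the command only
# with no arguments, so the hook cannot pass anything through to it:
#
#   www-data ALL = (cli) NOPASSWD: /usr/local/bin/svn_deploy ""
#
# Only www-data ever invokes sudo in this setup, so a rule for cli running
# svn_deploy via sudo is not needed for the hook to work.

# Write a hardened replacement for /usr/local/bin/svn_deploy to "$1".
# Compared with the posted script it pins PATH, discards any arguments,
# runs ssh in batch mode so it can never block waiting for a prompt, and
# uses a dedicated key (hypothetical path) whose authorized_keys entry on
# remotehost should carry command="svn update /srv/www/mysite".
write_hardened_deploy() {
    out=$1
    cat > "$out" <<'EOF'
#!/bin/sh
set -eu
PATH=/usr/bin:/bin
export PATH
set --    # ignore anything the caller passed
svn update /srv/www/mysite
ssh -o BatchMode=yes -i /home/cli/.ssh/deploy_key \
    cli@remotehost 'svn update /srv/www/mysite'
EOF
    chmod 0755 "$out"
}

# Pre-flight check for a sudo target that an untrusted user ($2) may run:
# it must be a regular file, must not be owned by that user, and must not
# be writable by group or other (otherwise the caller, or anyone else on the
# box, could replace the commands that run as cli). Returns 0 if all hold.
check_sudo_target() {
    target=$1
    caller=$2
    [ -f "$target" ] || { echo "not a regular file: $target"; return 1; }
    owner=$(stat -c '%U' "$target")
    mode=$(stat -c '%a' "$target")
    if [ "$owner" = "$caller" ]; then
        echo "owned by the untrusted caller $caller: $target"
        return 1
    fi
    # Group and other are the last two octal digits; 2, 3, 6 or 7 = writable.
    case "$mode" in
        *[2367]?|*[2367])
            echo "group/other writable (mode $mode): $target"
            return 1 ;;
    esac
    return 0
}

# Demonstration on constructed temporary files.
main() {
    tmp=$(mktemp -d)
    write_hardened_deploy "$tmp/svn_deploy"
    check_sudo_target "$tmp/svn_deploy" www-data && echo "accepted: $tmp/svn_deploy"
    chmod 0777 "$tmp/svn_deploy"    # simulate a sloppy install
    check_sudo_target "$tmp/svn_deploy" www-data || echo "rejected as expected"
    rm -rf "$tmp"
}
main
```

Run `check_sudo_target /usr/local/bin/svn_deploy www-data` on the real host after installing the helper; the same check applies to each directory on the path to it, since a writable parent lets the file be swapped out. The forced command in the remote authorized_keys entry is what keeps a compromise of the local cli account from turning the key into a general shell on remotehost.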
© Server Fault or respective owner