From 201fe35a4016e4e68476b23d741c41f660c76b63 Mon Sep 17 00:00:00 2001 From: Lucas Werkmeister Date: Mon, 27 Mar 2017 22:10:41 +0200 Subject: [PATCH] upd: run git daemon as nobody, not git MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The git daemon doesn’t require any privileges (assuming the repositories are world-readable), and the git user owns /gitweb-socket (and possibly also the repositories). ReadOnlyDirectories=/ should prevent the git daemon from making any modifications to those directories, but still, there’s no harm done in locking it down even further. Change-Id: Ib0209de31d7b556a209bbf89fad47d713ff9aaff --- modules/gitweb/files/git@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/gitweb/files/git@.service b/modules/gitweb/files/git@.service index 84a88c0..851c8e9 100644 --- a/modules/gitweb/files/git@.service +++ b/modules/gitweb/files/git@.service @@ -7,7 +7,7 @@ ExecStart=/usr/bin/git daemon --inetd --verbose --export-all --enable=upload-arc StandardInput=socket StandardOutput=socket StandardError=journal -User=git +User=nobody # sandboxing options, see systemd.exec(5) NoNewPrivileges=yes -- 2.39.5
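Review bot: Changing `User=git` to `User=nobody` makes the daemon depend on every exported repository being readable by "other", which the commit message only assumes rather than verifies; a repository that is readable by the `git` group alone would silently stop being served, so a permissions check (or at least a comment in the unit next to `User=`) belongs with this change. On most distributions `nobody` is also shared by other unprivileged services, so `DynamicUser=yes` would give the daemon a transient UID of its own with the same lack of privilege and without that sharing. Since the unit is socket-activated (`--inetd`, `StandardInput=socket`), the listening socket is already open when the process starts, so neither choice of user affects binding. Minor: the `ReadOnlyDirectories=` named in the message is the legacy spelling; current systemd documents it as `ReadOnlyPaths=`.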