The git daemon doesn’t require any privileges (assuming the repositories
are world-readable), and the git user owns /gitweb-socket (and possibly
also the repositories). ReadOnlyDirectories=/ should prevent the git
daemon from making any modifications to those directories, but still,
there’s no harm done in locking it down even further.
Change-Id: Ib0209de31d7b556a209bbf89fad47d713ff9aaff
StandardInput=socket
StandardOutput=socket
StandardError=journal
-User=git
+User=nobody
# sandboxing options, see systemd.exec(5)
NoNewPrivileges=yes
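Review bot: On the `+User=nobody` line, `nobody` is a shared catch-all account rather than a service-specific one, so the daemon would share its UID with anything else on the host that runs as nobody, and systemd discourages using it for units. A dedicated unprivileged account that owns neither /gitweb-socket nor the repositories, or `DynamicUser=yes`, would give the same separation from the git user without the shared UID. A comment above `User=` stating that the repositories must be world-readable would also help, since the commit message relies on that assumption and the unit file does not record it.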