upd: run git daemon as nobody, not git

The git daemon doesn’t require any privileges (assuming the repositories
are world-readable), and the git user owns /gitweb-socket (and possibly
also the repositories). ReadOnlyDirectories=/ should prevent the git
daemon to make any modifications to those directories, but still,
there’s no harm done in locking it down even further.

Change-Id: Ib0209de31d7b556a209bbf89fad47d713ff9aaff

diff --git a/modules/gitweb/files/git@.service b/modules/gitweb/files/git@.service
index 84a88c0226b223af8417e9b5b5e58e819c6e0606..851c8e9d8816d369d0f62481f88c92056c81e8bf 100644 (file)
--- a/modules/gitweb/files/git@.service
+++ b/modules/gitweb/files/git@.service
@@ -7,7 +7,7 @@ ExecStart=/usr/bin/git daemon --inetd --verbose --export-all --enable=upload-arc
 StandardInput=socket
 StandardOutput=socket
 StandardError=journal
-User=git
+User=nobody
 
 # sandboxing options, see systemd.exec(5)
 NoNewPrivileges=yes