From: Lucas Werkmeister
Date: Mon, 27 Mar 2017 20:10:41 +0000 (+0200)
Subject: upd: run git daemon as nobody, not git
X-Git-Url: https://code.wpia.club/?p=infra.git;a=commitdiff_plain;h=201fe35a4016e4e68476b23d741c41f660c76b63

upd: run git daemon as nobody, not git

The git daemon doesn’t require any privileges (assuming the repositories are world-readable), and the git user owns /gitweb-socket (and possibly also the repositories). ReadOnlyDirectories=/ should prevent the git daemon from making any modifications to those directories, but still, there’s no harm done in locking it down even further.

Change-Id: Ib0209de31d7b556a209bbf89fad47d713ff9aaff
---
diff --git a/modules/gitweb/files/git@.service b/modules/gitweb/files/git@.service index 84a88c0..851c8e9 100644 --- a/modules/gitweb/files/git@.service +++ b/modules/gitweb/files/git@.service @@ -7,7 +7,7 @@ ExecStart=/usr/bin/git daemon --inetd --verbose --export-all --enable=upload-arc StandardInput=socket StandardOutput=socket StandardError=journal -User=git +User=nobody # sandboxing options, see systemd.exec(5) NoNewPrivileges=yes
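Review bot: `User=nobody` (the `-User=git` / `+User=nobody` change in this hunk) trades one shared identity for another: `nobody` is the catch-all account that other unprivileged daemons on the same host may also run as, so a compromise of the git daemon would share a uid, and therefore signal and ptrace reach, with every other service using it. A dedicated unprivileged user (e.g. a `git-daemon` account with no write access to the repositories, a placeholder name here) or, where the installed systemd supports it, `DynamicUser=yes` in this same `[Service]` section gives the isolation the commit message is after without the shared-uid caveat; `DynamicUser=` also implies most of the read-only filesystem restrictions the message relies on. Separately, the message's "assuming the repositories are world-readable" is load-bearing for this hunk: with `--export-all` in the `ExecStart=` line, any repository that is readable by `git` but not by other users will now return an error to clients instead of being served, so the permission assumption should be verified on the host (every exported directory and its objects readable by "other") and recorded as a comment next to `User=` so the next person editing the unit knows why it holds.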