On 6/17/24 00:03, Carl Lei wrote:
> What about: create a dedicated "git" user, and run apache as user git?
> After all when new files are to be created they will have owner=running
> program, which could be a CGI program launched from apache, or a git
> program launched from SSH. If these are two different users it'll
> likely become a mess.
Thank you Carl, that is a thought, but one of last resort. I have a LOT of
things served by Apache, eGroupware, Nextcloud, several custom authentication
frontends to MariaDB and Postgres, and probably more I'm just not recalling at
the moment.
With the whole environment built about http:http as user/group, I'm going
to exhaust efforts to keep the default Arch setup, otherwise that will add
significant changes.
I opened a thread on the git kernel mailing list at git@xxxxxxxxxxxxxxx named:
"Local git server can't serve https until repos owned by http, can't serve ssh
unless repos owned by user after 2.45.1".
They are aware of issues, just not sure where they could have come into the
CVE backport process. We will see where it goes....
The whole "Dubious Ownership" approach to denying push/pull and even clone
seems like an odd way to tighten security. I'll pass along any solution I get so
the information can be added to the
https://wiki.archlinux.org/title/Git_server page.
Thanks again.
--
David C. Rankin, J.D.,P.E.