On 6/17/24 00:03, Carl Lei wrote:
> What about: create a dedicated "git" user, and run apache as user git? After all, when new files are to be created they will have owner=running program, which could be a CGI program launched from apache, or a git program launched from SSH. If these are two different users it'll likely become a mess.
Thank you, Carl, that is a thought, but one of last resort. I have a LOT of things served by Apache: eGroupware, Nextcloud, several custom authentication frontends to MariaDB and Postgres, and probably more I'm just not recalling at the moment. With the whole environment built around http:http as user/group, I'm going to exhaust efforts to keep the default Arch setup, otherwise that will add significant changes.

I opened a thread on the git kernel mailing list at git@vger.kernel.org named: "Local git server can't serve https until repos owned by http, can't serve ssh unless repos owned by user after 2.45.1". They are aware of issues, just not sure where they could have come into the CVE backport process. We will see where it goes....

The whole "Dubious Ownership" approach to denying push/pull and even clone seems like an odd way to tighten security. I'll pass along any solution I get so the information can be added to the https://wiki.archlinux.org/title/Git_server page.

Thanks again.

-- 
David C. Rankin, J.D., P.E.
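An added example, not from this thread, from Arch, or from git itself: a small POSIX sh script that approximates the ownership test behind git's "detected dubious ownership" error (owner uid of the repository's top-level directory versus the uid the git process runs as, i.e. http for an Apache CGI and the login user for SSH) and prints the safe.directory whitelist command that git suggests when the test fails. It assumes GNU coreutils stat (Linux, "stat -c %u") and that every repository is a directory directly under one base path; the function names and the base path are mine, and nothing here writes to git's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): approximate git's "dubious ownership"
# check for every repo under a base directory and print the safe.directory
# whitelist command for each mismatch. Assumes GNU stat (Linux).

# Numeric uid that owns a path (GNU coreutils: stat -c %u).
path_owner_uid() {
    stat -c %u "$1"
}

# Return 0 when the repo top-level directory is owned by the given uid
# (the uid git would run as), else 1. This mirrors the condition behind
# "fatal: detected dubious ownership in repository".
ownership_ok() {
    repo=$1
    uid=$2
    owner=$(path_owner_uid "$repo") || return 1
    [ "$owner" = "$uid" ]
}

# Print the one-line whitelist command git itself suggests on a mismatch.
# --system writes /etc/gitconfig, which is the scope that matters for an
# Apache CGI process that has no usable home directory of its own.
safe_directory_cmd() {
    printf 'git config --system --add safe.directory %s\n' "${1%/}"
}

# Check every directory under $base against $uid, report mismatches and
# return the number of mismatched repositories (0 means all are fine).
audit_repos() {
    base=$1
    uid=$2
    bad=0
    for repo in "$base"/*/; do
        [ -d "$repo" ] || continue
        repo=${repo%/}
        if ownership_ok "$repo" "$uid"; then
            echo "ok       $repo"
        else
            echo "MISMATCH $repo (owner uid $(path_owner_uid "$repo"), process uid $uid)"
            safe_directory_cmd "$repo"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage (base path and uid lookup are assumptions for illustration):
#   audit_repos /srv/git "$(id -u http)"   # what Apache/CGI would see
#   audit_repos /srv/git "$(id -u)"        # what your SSH login would see
```

Running the audit once per uid that will touch the repositories shows exactly which side (http via Apache, or the login user via SSH) git will refuse; whitelisting with safe.directory is the documented way to tell git that a mismatch on a given path is expected, without changing which user Apache runs as.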