From 60cf4ea476c0046079365555aadf93f70c030e46 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Fri, 6 Sep 2024 07:38:10 +0200
Subject: fix(git-server/cgit): Don't run `cgit` as `root` use `git` instead

This option was newly added, as previously only on `fcgiwrap` instance was run as root. We probably have not been affected by this, as our `fcgiwrap` instance was already running as `git:nginx`. Usage of the new options seems better either way, as they provide a finer grained control over the user _each_ `fcgiwrap`ped service is running at. The security advisory: https://discourse.nixos.org/t/51419

---
 modules/nixos/vhack/git-server/default.nix | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
(limited to 'modules/nixos/vhack')

diff --git a/modules/nixos/vhack/git-server/default.nix b/modules/nixos/vhack/git-server/default.nix
index 610c6e7..5c25bd7 100644
--- a/modules/nixos/vhack/git-server/default.nix
+++ b/modules/nixos/vhack/git-server/default.nix
@@ -57,14 +57,6 @@ in {
 vhack.nginx.enable = true;
 services = {
- fcgiwrap = {
- # NOTE: This is needed as `cgit` otherwise fails to run `git` commands in the git
- # repositories (for example, when cloning a repository over http). <2024-08-02>
- # FIXME: Is there a way to not run _all_ wrapped cgi things as `git`? <2024-08-02>
- user = "git";
- group = "nginx";
- };
-
 gitolite = {
 inherit (cfg.gitolite) adminPubkey;
 enable = true;
@@ -90,6 +82,8 @@ in {
 enable = true;
 package = pkgs.cgit-pink;
 scanPath = "${config.services.gitolite.dataDir}/repositories";
+ user = "git";
+ group = "git";
 settings = {
 branch-sort = "age";
--
cgit 1.4.1
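Review bot: The reason cgit has to run as `git` is lost together with the removed fcgiwrap comment, so the new `user = "git";` / `group = "git";` lines in the cgit block should carry it, e.g. `# cgit runs \`git\` inside the repositories under scanPath and needs an account that can read them (this used to be set on fcgiwrap).` The group also moves from `nginx` to `git`; confirm the nginx worker can still open this instance's fcgiwrap socket, since socket ownership is not visible in this hunk and may be configured separately by the module. If `git` is also the gitolite owner, the web-facing cgit CGI now runs with write access to every repository, and a dedicated read-only account in the repositories' group would be the tighter choice where the module and directory permissions allow it. The cgit attribute set and the enclosing `services` block continue outside the hunk.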