author Linnnus <[email protected]> 2024-07-31 17:43:37 +0200
committer Linnnus <[email protected]> 2024-07-31 17:53:46 +0200
commit 067aa5baf419711eb24c5f4081c692f15c5fec47 (patch)
tree 07393217a43c95ad970b5ad3e7b9a67d11095f5b /overlays/default.nix
parent c8b64a7f95bb3e6074fb36127b843e7879fbd8c4 (diff)
ahmed: Fix Git clone
CGit farms out the handling of the HTTP requests sent by the Git CLI to another CGI script. This script was failing because of "dubious ownership". This is a security check run by Git to ensure malicious repositories on network drives don't get arbitrary code execution.

The problem is: the CGI script was running as root, as that is what the fcgiwrap systemd service was configured for, but the repository is owned by the 'git' user.

Since I trust the repositories, I had to patch Git to ignore this mark. Actually getting the NixOS CGit module to use the patched version of Git proved rather difficult...

In the future I should probably

a) Make sure fcgiwrap isn't running as root since it directly interacts with all sorts of untrusted user input.
b) Remove this ugly hack. There's a reason for the security check after all. Just because it matters _less_ in this case doesn't mean it's wise to ignore it completely.
Diffstat (limited to 'overlays/default.nix')
0 files changed, 0 insertions, 0 deletions
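
An added example, not part of this commit or its repository: a simplified Python model of the ownership comparison behind Git's "dubious ownership" error, showing why a CGI process running as root is refused on a repository owned by 'git' and which changes make the check pass. The function names, uid 997 and the repository path are constructed; the model checks a single directory and reduces `safe.directory` matching to an exact path or `*`.

```python
import os

ROOT_UID = 0


def owned_by_current_user(owner_uid, euid, sudo_uid=None):
    """Simplified form of Git's ownership test for one path.

    Root is accepted for root-owned paths; otherwise, when running as root,
    the uid from SUDO_UID (if set) stands in for the effective uid.
    """
    if euid == ROOT_UID:
        if owner_uid == ROOT_UID:
            return True
        if sudo_uid is not None:
            euid = sudo_uid
    return owner_uid == euid


def is_dubious(repo_path, owner_uid, euid, safe_directories=(), sudo_uid=None):
    """Return True when this model would reject repo_path as dubious."""
    if owned_by_current_user(owner_uid, euid, sudo_uid):
        return False
    # safe.directory entries opt a path out of the check; "*" opts out all.
    return not any(entry in ("*", repo_path) for entry in safe_directories)


def check_path(repo_path, safe_directories=()):
    """Run the model against a real directory as the current process."""
    sudo = os.environ.get("SUDO_UID")
    return is_dubious(
        repo_path,
        os.lstat(repo_path).st_uid,
        os.geteuid(),
        safe_directories,
        int(sudo) if sudo and sudo.isdigit() else None,
    )


if __name__ == "__main__":
    GIT_UID = 997  # constructed uid for the 'git' user
    REPO = "/srv/git/example.git"  # constructed path
    print(is_dubious(REPO, GIT_UID, euid=0))        # root-run CGI: refused
    print(is_dubious(REPO, GIT_UID, euid=GIT_UID))  # CGI run as 'git': accepted
    print(is_dubious(REPO, GIT_UID, euid=0, safe_directories=[REPO]))
```

The second and third calls correspond to the two ways of satisfying the check without patching Git: running the CGI process as the repository owner, or listing the repository under `safe.directory`.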