|
CGit farms out the handling of the HTTP requests sent by the Git CLI to
another CGI script. This script was failing because of "dubious
ownership". This is a security check run by Git to ensure malicious
repositories on network drives don't get arbitrary code execution. The
problem is: the CGI script was running as root, as that is what the
fcgiwrap systemd service was configured for, but the repository is owned
by the 'git' user.
Since I trust the repositories, I had to patch Git to ignore this mark.
Actually getting the NixOS CGit module to use the patched version of Git
proved rather difficult...
In the future I should probably
a) Make sure fcgiwrap isn't running as root since it directly interacts
with all sorts of untrusted user input.
b) Remove this ugly hack. There's a reason for the security check after
all. Just because it matters _less_ in this case doesn't mean it's
wise to ignore it completely.
|
