Use proper security contexts for NFS access without chown

Changes: - Set fsGroup: 33 at pod level for proper NFS group access - Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership - Run git-server container as UID 1001:33 (non-root) - Run cgit container as UID 33:33 (non-root) - Disabled SSH privilege separation (UsePrivilegeSeparation no) - Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT) This follows the same pattern as filebrowser and webdav services, using security contexts instead of chown operations on NFS. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
author: Paul Buetow <paul@buetow.org> 2026-01-09 20:54:56 +0200
committer: Paul Buetow <paul@buetow.org> 2026-01-09 20:54:56 +0200
commit: c45d171de3a3ff27816edeed7d9758c9bea231d8 (patch)
tree: a551d8ca5f7866fa2e64090485678c5efc377c24
parent: d238b13e4f644a3ccdb6c18ce54767a50db8b39e (diff)
3 files changed, 22 insertions, 11 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 5b703c0..97c4c7f 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -3,11 +3,13 @@ FROM alpine:3.19
 # Install OpenSSH server and git
 RUN apk add --no-cache openssh git
 
-# Create git user with UID 1000 and set git-shell as login shell
+# Create git user with UID 1001, GID 33 (www-data) and set git-shell as login shell
+# UID 1001 and GID 33 match the NFS file ownership
 # This restricts the user to git operations only
-RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
+# GID 33 is the existing www-data group in Alpine
+RUN adduser -D -u 1001 -G www-data -s /usr/bin/git-shell git && \
     mkdir -p /home/git/.ssh /repos && \
-    chown -R git:git /home/git /repos && \
+    chown -R git:www-data /home/git /repos && \
     echo "/usr/bin/git-shell" >> /etc/shells && \
     passwd -u git
 
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..783f31b 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -1,11 +1,15 @@
 # SSH Server Configuration for Git Server
 # Security-hardened configuration for git-only access
+# Runs as non-root user (git) with privilege separation disabled
 
 # Network
 Port 22
 AddressFamily any
 ListenAddress 0.0.0.0
 
+# Run without privilege separation (required for non-root)
+UsePrivilegeSeparation no
+
 # Host Keys
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -32,3 +36,6 @@ LogLevel INFO
 
 # Performance
 UseDNS no
+
+# PID file location (writable by non-root)
+PidFile /tmp/sshd.pid
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 7a7ed57..f5ded3a 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -15,6 +15,8 @@ spec:
       labels:
         app: git-server
     spec:
+      securityContext:
+        fsGroup: 33
       initContainers:
       - name: setup
         image: alpine:3.19
@@ -27,8 +29,9 @@ spec:
           chown -R 0:0 /ssh-init
           # Setup authorized_keys with correct ownership
           # The /ssh-git mount point IS the .ssh directory
+          # UID 1001 and GID 33 match the NFS file ownership
           cp /ssh-keys-secret/authorized_keys /ssh-git/authorized_keys
-          chown -R 1000:1000 /ssh-git
+          chown -R 1001:33 /ssh-git
           chmod 755 /ssh-git
           chmod 644 /ssh-git/authorized_keys
         volumeMounts:
@@ -57,12 +60,11 @@ spec:
         - name: ssh-host-keys
           mountPath: /etc/ssh
         securityContext:
-          runAsUser: 0
-          runAsGroup: 0
+          runAsUser: 1001
+          runAsGroup: 33
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
-            add: ["SYS_CHROOT", "SETGID", "SETUID"]
         resources:
           requests:
             cpu: 50m
@@ -77,9 +79,9 @@ spec:
         command: ["/bin/sh", "-c"]
         args:
         - |
-          # Remove 'user nginx;' directive to avoid setgid errors when running as root
+          # Remove 'user nginx;' directive to avoid setgid errors
           sed -i 's/^user nginx;//' /etc/nginx/nginx.conf
-          # Start fcgiwrap and set socket permissions for nginx user
+          # Start fcgiwrap and set socket permissions
           spawn-fcgi -s /var/run/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
           sleep 1
           chmod 666 /var/run/fcgiwrap.sock
@@ -104,8 +106,8 @@ spec:
           subPath: cgitrc
           readOnly: true
         securityContext:
-          runAsUser: 0
-          runAsGroup: 0
+          runAsUser: 33
+          runAsGroup: 33
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
author	Paul Buetow <paul@buetow.org>	2026-01-09 20:54:56 +0200
committer	Paul Buetow <paul@buetow.org>	2026-01-09 20:54:56 +0200
commit	c45d171de3a3ff27816edeed7d9758c9bea231d8 (patch)
tree	a551d8ca5f7866fa2e64090485678c5efc377c24
parent	d238b13e4f644a3ccdb6c18ce54767a50db8b39e (diff)