authorPaul Buetow <paul@buetow.org>2026-01-09 20:54:56 +0200
committerPaul Buetow <paul@buetow.org>2026-01-09 20:54:56 +0200
commitc45d171de3a3ff27816edeed7d9758c9bea231d8 (patch)
treea551d8ca5f7866fa2e64090485678c5efc377c24 /f3s/git-server/docker-image
parentd238b13e4f644a3ccdb6c18ce54767a50db8b39e (diff)
Use proper security contexts for NFS access without chown
Changes: - Set fsGroup: 33 at pod level for proper NFS group access - Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership - Run git-server container as UID 1001:33 (non-root) - Run cgit container as UID 33:33 (non-root) - Disabled SSH privilege separation (UsePrivilegeSeparation no) - Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT) This follows the same pattern as filebrowser and webdav services, using security contexts instead of chown operations on NFS. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'f3s/git-server/docker-image')
-rw-r--r--f3s/git-server/docker-image/Dockerfile8
-rw-r--r--f3s/git-server/docker-image/sshd_config7
2 files changed, 12 insertions, 3 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 5b703c0..97c4c7f 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -3,11 +3,13 @@ FROM alpine:3.19
# Install OpenSSH server and git
RUN apk add --no-cache openssh git
-# Create git user with UID 1000 and set git-shell as login shell
+# Create git user with UID 1001, GID 33 (www-data) and set git-shell as login shell
+# UID 1001 and GID 33 match the NFS file ownership
# This restricts the user to git operations only
-RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
+# GID 33 is the existing www-data group in Alpine
+RUN adduser -D -u 1001 -G www-data -s /usr/bin/git-shell git && \
mkdir -p /home/git/.ssh /repos && \
- chown -R git:git /home/git /repos && \
+ chown -R git:www-data /home/git /repos && \
echo "/usr/bin/git-shell" >> /etc/shells && \
passwd -u git
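Review bot: The new comment `# GID 33 is the existing www-data group in Alpine` and the switch to `adduser -D -u 1001 -G www-data` assume that name resolves to GID 33, but Alpine's baselayout ships www-data as GID 82 (33 is the Debian convention, and on Alpine that number belongs to xfs), so the git user would get primary GID 82 and the build-time `chown -R git:www-data /home/git /repos` would not match the NFS ownership or the pod-level fsGroup 33 that the commit message describes. Because `-G` takes a group name, the mismatch is silent; the cheapest defence is to make the build fail when the assumption does not hold by adding `[ "$(id -g git)" = 33 ] && \` directly after the adduser line, and then either create a group with the intended numeric gid or correct the comment. Worth confirming against the built image with `getent group www-data` before merging, since the runtime securityContext can mask this for the sshd process but not for files created at build time.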
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..783f31b 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -1,11 +1,15 @@
# SSH Server Configuration for Git Server
# Security-hardened configuration for git-only access
+# Runs as non-root user (git) with privilege separation disabled
# Network
Port 22
AddressFamily any
ListenAddress 0.0.0.0
+# Run without privilege separation (required for non-root)
+UsePrivilegeSeparation no
+
# Host Keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
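Review bot: `UsePrivilegeSeparation no` is a deprecated option in the OpenSSH version that ships with alpine:3.19 (privilege separation became mandatory in OpenSSH 7.5), so sshd logs it as deprecated and ignores it rather than honouring it, and the comment `# Run without privilege separation (required for non-root)` documents behaviour the daemon does not have. As far as I can tell an unprivileged sshd works because it skips the setuid/chroot steps when it is not uid 0, not because of this directive, so I would drop both lines or replace the comment with `# NOTE: UsePrivilegeSeparation is deprecated and ignored since OpenSSH 7.5; sshd runs unprivileged and can only authenticate its own uid (git)`. Related but outside this file: with `Port 22` kept, a non-root sshd needs the runtime to allow binding below 1024 (CAP_NET_BIND_SERVICE or an ip_unprivileged_port_start sysctl), and the host keys under /etc/ssh must be readable by uid 1001 now that sshd no longer starts as root; both are worth confirming in the pod spec and image.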
@@ -32,3 +36,6 @@ LogLevel INFO
# Performance
UseDNS no
+
+# PID file location (writable by non-root)
+PidFile /tmp/sshd.pid
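Review bot: `PidFile /tmp/sshd.pid` moves the pid file into a world-writable directory, which is the usual location for symlink-race problems and is not needed at all in a single-process container. sshd_config accepts `PidFile none` to disable writing a pid file entirely; I would use that here and change the comment to `# No pid file: nothing in the container reads it, and /tmp is world-writable`. If some orchestration genuinely reads the pid file, a dedicated directory created and chowned in the Dockerfile would be preferable to /tmp.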