authorPaul Buetow <paul@buetow.org>2026-01-09 11:11:58 +0200
committerPaul Buetow <paul@buetow.org>2026-01-09 11:11:58 +0200
commit36b631ff8f1fb454164f448bfd0cd0e8707bb6af (patch)
treee58a5f6dd5da2ad7f30c6a986576f6f53fe20107 /f3s/git-server
parent5cbeb2bb335c2363bc7d7706dbf6120c8ca5fa82 (diff)
Fix sshd_config and cgit permissions
- Remove unsupported UsePAM option from sshd_config - Run cgit as root to allow cache directory initialization - Add CHOWN and DAC_OVERRIDE capabilities for cgit
Diffstat (limited to 'f3s/git-server')
-rw-r--r--f3s/git-server/docker-image/sshd_config1
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml7
2 files changed, 3 insertions, 5 deletions
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index e49c5bb..7e899e0 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -16,7 +16,6 @@ PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
-UsePAM no
# Restrict to git user only
AllowUsers git
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index a3f4568..0446725 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -71,13 +71,12 @@ spec:
- name: cgit-cache
mountPath: /var/cache/cgit
securityContext:
- runAsUser: 33
- runAsGroup: 33
- runAsNonRoot: true
+ runAsUser: 0
+ runAsGroup: 0
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
- add: ["NET_BIND_SERVICE"]
+ add: ["NET_BIND_SERVICE", "CHOWN", "DAC_OVERRIDE"]
resources:
requests:
cpu: 50m
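Review bot: Switching the cgit container to `runAsUser: 0` with `CHOWN` and `DAC_OVERRIDE` leaves the serving process (which also holds `NET_BIND_SERVICE`, so it presumably listens for web traffic) running as root for its whole lifetime and able to bypass file permission checks on whatever is mounted into the container, when the commit message says the only need is initialising `/var/cache/cgit`. That one-time ownership fix can live outside the serving container: restore the removed `runAsUser: 33` / `runAsNonRoot: true` settings and the `add: ["NET_BIND_SERVICE"]` list, and prepare the cache directory with a pod-level `fsGroup: 33` or, if the volume type does not honour fsGroup, a short-lived initContainer that chowns the mount and exits. If root has to stay, a comment above `runAsUser: 0` should record why, and `readOnlyRootFilesystem: true` is worth adding if cgit tolerates it. The container spec and its other volumeMounts start outside the hunk, so which volumes the `DAC_OVERRIDE` grant actually exposes cannot be confirmed from here.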