Diffstat (limited to 'f3s/git-server/docker-image')
| -rw-r--r-- | f3s/git-server/docker-image/Dockerfile | 8 | ||||
| -rw-r--r-- | f3s/git-server/docker-image/sshd_config | 7 |
2 files changed, 12 insertions, 3 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 5b703c0..97c4c7f 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -3,11 +3,13 @@ FROM alpine:3.19
 # Install OpenSSH server and git
 RUN apk add --no-cache openssh git
 
-# Create git user with UID 1000 and set git-shell as login shell
+# Create git user with UID 1001, GID 33 (www-data) and set git-shell as login shell
+# UID 1001 and GID 33 match the NFS file ownership
 # This restricts the user to git operations only
-RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
+# GID 33 is the existing www-data group in Alpine
+RUN adduser -D -u 1001 -G www-data -s /usr/bin/git-shell git && \
 mkdir -p /home/git/.ssh /repos && \
-chown -R git:git /home/git /repos && \
+chown -R git:www-data /home/git /repos && \
 echo "/usr/bin/git-shell" >> /etc/shells && \
 passwd -u git
 
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..783f31b 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -1,11 +1,15 @@
 # SSH Server Configuration for Git Server
 # Security-hardened configuration for git-only access
+# Runs as non-root user (git) with privilege separation disabled
 
 # Network
 Port 22
 AddressFamily any
 ListenAddress 0.0.0.0
 
+# Run without privilege separation (required for non-root)
+UsePrivilegeSeparation no
+
 # Host Keys
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -32,3 +36,6 @@ LogLevel INFO
 
 # Performance
 UseDNS no
+
+# PID file location (writable by non-root)
+PidFile /tmp/sshd.pid
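Review bot: The new comment `# GID 33 is the existing www-data group in Alpine` looks wrong: Alpine's base /etc/group defines www-data as GID 82 (33 is the Debian convention), so `adduser -D -u 1001 -G www-data` would most likely put git in GID 82 and the NFS ownership match the commit relies on would silently not hold; confirm with `getent group www-data` in the built image before merging. If the NFS export really uses GID 33, pin it explicitly instead of reusing a group name whose GID varies by distribution, e.g. `RUN addgroup -g 33 repofs && adduser -D -u 1001 -G repofs -s /usr/bin/git-shell git && \` and `chown -R git:repofs /home/git /repos && \` (group name is an example), and reword the two comments to say the GID is pinned to the NFS export rather than to Alpine's www-data.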
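Review bot: `UsePrivilegeSeparation no` has been a deprecated keyword since OpenSSH 7.5 and the sshd in alpine:3.19 is far newer, so this line is expected to only log a "Deprecated option" warning at startup while privilege separation stays in effect; the added header comment `# Runs as non-root user (git) with privilege separation disabled` therefore documents a state that does not exist. Running sshd as a non-root user does not depend on this directive, so drop it together with the `# Run without privilege separation (required for non-root)` comment and reword the header to `# Runs as the non-root git user; only logins as that same user can succeed`. If the directive was added because the daemon failed to start as non-root, the cause is more likely the PidFile/host-key paths than privilege separation and should be named in the comment instead.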
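Review bot: `PidFile /tmp/sshd.pid` writes a fixed-name file into a world-writable directory now that sshd runs unprivileged, so a stale file or symlink already present at that path makes the daemon either overwrite whatever it points at or refuse to start. In a single-process container nothing consumes the PID file, so `PidFile none` (sshd_config accepts `none` to disable writing one) is the simpler and safer choice; if a PID file is genuinely needed, place it in a directory owned by the git user, e.g. `PidFile /home/git/sshd.pid`, and update the `# PID file location (writable by non-root)` comment accordingly. The surrounding logging block (`LogLevel INFO`) starts before this hunk.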
