From 36b631ff8f1fb454164f448bfd0cd0e8707bb6af Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 9 Jan 2026 11:11:58 +0200
Subject: Fix sshd_config and cgit permissions
- Remove unsupported UsePAM option from sshd_config
- Run cgit as root to allow cache directory initialization
- Add CHOWN and DAC_OVERRIDE capabilities for cgit
---
 f3s/git-server/docker-image/sshd_config | 1 -
 f3s/git-server/helm-chart/templates/deployment.yaml | 7 +++----
 2 files changed, 3 insertions(+), 5 deletions(-)
(limited to 'f3s/git-server')
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index e49c5bb..7e899e0 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -16,7 +16,6 @@ PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
-UsePAM no
 # Restrict to git user only
 AllowUsers git
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index a3f4568..0446725 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -71,13 +71,12 @@ spec:
 - name: cgit-cache
 mountPath: /var/cache/cgit
 securityContext:
- runAsUser: 33
- runAsGroup: 33
- runAsNonRoot: true
+ runAsUser: 0
+ runAsGroup: 0
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
- add: ["NET_BIND_SERVICE"]
+ add: ["NET_BIND_SERVICE", "CHOWN", "DAC_OVERRIDE"]
 resources:
 requests:
 cpu: 50m
-- cgit v1.2.3
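Review bot: In the deployment.yaml hunk the cgit container's `securityContext` now runs as UID/GID 0 without `runAsNonRoot: true` and adds `DAC_OVERRIDE`, which lets the web-facing process bypass file permission checks on every volume mounted into it, not only `/var/cache/cgit`. If the only goal is a writable cache directory, keeping `runAsUser: 33`, `runAsGroup: 33` and `runAsNonRoot: true` and setting `fsGroup: 33` in the pod-level `securityContext` (outside this hunk) would probably achieve it, assuming the `cgit-cache` volume type honours fsGroup; otherwise a short-lived init container could chown the directory so the long-running container stays unprivileged. If root has to stay, a comment on the `add:` line stating why each capability is needed, plus read-only mounts for any repository volume this container sees, would limit what a cgit compromise can touch. The container spec starts before the hunk and the `resources` block continues after it.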