On Wed, Dec 12, 2018 at 08:11:14PM +0100, Marco Pessotto wrote:
> this is going to be a dumb question, but are there major concerns about
> running CGit with the same user owning the repository? Ok, not
> super-optimal, but is that acceptable?

It's generally not something I'd advise. Of course, CGit does its best to remain secure and should not perform any write operations on the git repositories it serves. However, this means your defenses are 1 layer deep. If a sufficiently bad bug in CGit is found, your repositories are now exposed to tampering.

It's best practice not to create systems protected by only one layer of defense, because bugs and deployment mistakes will inevitably result in security incidents given a long enough period of time. Adding extra protection such as different system users for writing and reading will help you hedge against such problems.

-K
_______________________________________________
CGit mailing list
CGit@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/cgit
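
An added example, not part of the original message and not CGit code: a small audit that lists which paths in a repository a given account could modify, comparing a separate read-only account with the repository owner. The function names and the sample repository layout are constructed for illustration, and the check covers classic Unix mode bits only (no POSIX ACLs).

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Unix mode-bit write check for an arbitrary uid (POSIX ACLs are not considered)."""
    if uid == 0:
        return True  # root bypasses permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_paths(repo_root, uid, gids):
    """List every directory and file under repo_root that uid/gids could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(repo_root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless
            if can_write(st, uid, gids):
                findings.append(path)
    return sorted(findings)

def build_sample_repo():
    """Constructed stand-in for a bare repository, owned by the current user."""
    root = tempfile.mkdtemp(suffix=".git")
    os.mkdir(os.path.join(root, "objects"))
    for name, mode in (("HEAD", 0o644), ("config", 0o666)):  # 0o666 is a deliberate mistake
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "objects"), 0o755)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    repo = build_sample_repo()
    owner = os.stat(repo).st_uid
    # Hypothetical separate CGit account: a different uid with no shared groups.
    print("separate user can modify:", writable_paths(repo, owner + 1, set()))
    # CGit running as the repository owner: only CGit's own correctness protects the data.
    print("same user can modify:   ", writable_paths(repo, owner, set()))
```

With a separate account only the mis-permissioned file is reported; with the owner's account every path is.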
