Ref T2230. When fully set up, we have up to three users who all need to write into the repositories:
- The webserver needs to write for HTTP receives.
- The SSH user needs to write for SSH receives.
- The daemons need to write for "git fetch", "git clone", etc.
These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com".
Using three different users also allows better privilege separation. Particularly, the daemon user can be the only user with write access to the repositories. The webserver and SSH user can accomplish their writes through sudo, with a whitelisted set of commands. This means that even if you compromise the ssh user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks.
This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use sudo to interact with repositories. Some future work which might make sense:
- Make bin/phd respect this (require start as the right user, or as root and drop privileges, if this configuration is set).
- Execute all git/hg/svn commands via sudo?
Users aren't expected to configure this yet so I haven't written any documentation.