On Tue, Jun 4, 2024 at 7:24 PM Sam Varshavchik mrsam@courier-mta.com wrote:
So I was tearing my hair out trying to figure out why attempts to push via DAV to a git repo were failing.
Eventually I succeeded in stracing the httpd process to capture the request. It was getting an EROFS when it tried to write to the git repo.
Amusing.
To make a long story short, the culprit was:
ProtectHome=read-only
in /lib/systemd/system/httpd.service (the git repo was in a directory inside a mounted /home partition).
I tried using
systemctl edit httpd
And putting this in there:
[Service]
ProtectHome=
However this apparently did not work. I threw in the towel and just edited /lib/systemd/system/httpd.service and commented this setting out, entirely, to finally fix this issue, and happy git pushing resumed.
But how do I fix this so that the next apache update doesn't clobber this?
I think a better choice is to leave the systemd unit files alone. Then you don't have to worry about your changes getting reverted on updates and system upgrades.
I also think it is better to avoid serving files from your home directory. Instead, use /var. Install your Git-managed project in /var/git (and your Subversion projects in /var/svn). Add a git user, and make ownership of /var/git as root:git. Finally, change the server's document root to /var/git/<project>.
This setup works well for me. The only problem I have encountered is Git's fix for CVE-2022-24765 a/k/a safe directories. Safe directories caused a big DoS at my site. Also see https://github.com/git/git/commit/8959555cee7e.
Jeff
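Added example, not part of either message and not code from systemd or Apache: a small offline checker that merges the [Service] settings of a unit and its drop-ins and reports which sandbox directive makes a path read-only for the service, following the ProtectHome=, ProtectSystem= and ReadWritePaths= descriptions in systemd.exec(5). It goes slightly beyond the thread by also covering ProtectSystem=. Assumptions: the unit text and repository path are constructed samples, only the yes/no/true/false boolean spellings are handled, and a value the checker does not recognise (including the empty `ProtectHome=` tried above) is ignored, matching the result reported in the thread.

```python
import posixpath

# Mount effects per systemd.exec(5); "hidden" = inaccessible or masked by tmpfs.
HOME_DIRS = ("/home", "/root", "/run/user")
PROTECT_HOME = {"yes": "hidden", "tmpfs": "hidden", "read-only": "read-only"}
PROTECT_SYSTEM = {"yes": ("/usr", "/boot", "/efi"), "full": ("/usr", "/boot", "/efi", "/etc"), "strict": ("/",)}
VALID = {"ProtectHome": {"no", *PROTECT_HOME}, "ProtectSystem": {"no", *PROTECT_SYSTEM}}

def under(path, roots):
    """True if path equals or lies below one of the directories in roots."""
    path = posixpath.normpath(path)
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)

def service_settings(*unit_texts):
    """Merge [Service] settings from the main unit, then each drop-in, in order."""
    cfg = {"ProtectHome": "no", "ProtectSystem": "no", "ReadWritePaths": []}
    for text in unit_texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if line.startswith("["):
                section = line
            elif section == "[Service]" and "=" in line and line[0] not in "#;":
                key, value = (s.strip() for s in line.split("=", 1))
                value = {"true": "yes", "false": "no"}.get(value, value)
                if key == "ReadWritePaths":  # list setting: empty value resets it
                    paths = [p.lstrip("-+") for p in value.split()]
                    cfg[key] = cfg[key] + paths if paths else []
                elif value in VALID.get(key, ()):  # last valid assignment wins
                    cfg[key] = value  # assumption: other values (incl. empty) are ignored
    return cfg

def write_verdict(path, cfg):
    """Return (verdict, responsible directive) for the service writing to path."""
    home = PROTECT_HOME.get(cfg["ProtectHome"])
    if home and under(path, HOME_DIRS):
        if home == "hidden":
            return "hidden", "ProtectHome"
        cause = "ProtectHome"
    elif under(path, PROTECT_SYSTEM.get(cfg["ProtectSystem"], ())) and not (
            cfg["ProtectSystem"] == "strict" and under(path, ("/dev", "/proc", "/sys"))):
        cause = "ProtectSystem"
    else:
        return "writable", None
    if under(path, cfg["ReadWritePaths"]):  # explicit exception carved out
        return "writable", "ReadWritePaths"
    return "read-only", cause

# Constructed sample input, not the real httpd.service; REPO is a hypothetical path.
UNIT, DROPIN_EMPTY = "[Service]\nProtectHome=read-only\n", "[Service]\nProtectHome=\n"
REPO = "/home/git/project.git"
```

On a live host, `systemctl show -p ProtectHome -p ProtectSystem -p ReadWritePaths httpd` prints the values systemd actually applied, which is the authoritative check.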