From: Stefan Sperling <stsp@stsp.name>
Subject: Re: got send – got-send-pack: unexpected end of file
To: Sylvain Saboua <sylvain@saboua.me>
Cc: Gameoftrees <gameoftrees@openbsd.org>
Date: Sat, 17 Jan 2026 10:26:10 +0100

On Sat, Jan 17, 2026 at 12:19:36AM +0100, Sylvain Saboua wrote:
> On 2026-01-16 23:57, Sylvain Saboua wrote:
> > Problem solved ! I forgot to fix the permissions when tinkering with the
> > hierarchy of my repertoires.
> > Would you please tell me if this looks reasonable :
> 
> nvm, I did as you advised in a previous email :
> https://marc.info/?l=gameoftrees&m=176544472821318&w=2
> 
>  $ cd /home/git
>  $ doas chown -R _gotd:_gotwebd .
>  $ doas chmod 750 . *
> 
> Seems to work all round now, although I'm curious as per the 'correct'
> permissions, if any (?)

Ideally, only _gotd is allowed to read/write repositories, and nobody else
is allowed to even read them.
Otherwise, if we set a 'deny' rule in /etc/gotd.conf for a user which uses
a regular shell rather than gotsh, this user might still be able to directly
access repositories on disk anyway, bypassing the 'deny' access rule.

Allowing _gotwebd to read repositories is fine if you intend to run
gotwebd. Otherwise this is not needed. Similar permit/deny rules can be
set for other users in /etc/gotwebd.conf, allowing or denying read access.
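
Added example, not part of the original message or of the Game of Trees project: a shell function that audits a repository tree for the on-disk access described above, which would bypass gotd.conf rules. The `_gotd` user and the `/home/git` path come from the thread; the function name `audit_repos` and the script name are made up for this example.

```shell
#!/bin/sh
# Added example: audit a gotd repository tree for on-disk access that would
# bypass gotd.conf rules. The name audit_repos is hypothetical.
#   audit_repos ROOT [OWNER]
# OWNER defaults to _gotd (the daemon user named in the thread); a numeric
# uid also works. Returns 0 if clean, 1 on findings, 2 if the audit failed.
audit_repos() {
    root=$1
    owner=${2:-_gotd}
    if [ ! -d "$root" ]; then
        echo "audit_repos: '$root' is not a directory" >&2
        return 2
    fi

    # Any permission bit for "other" lets shell users read, write or
    # traverse the tree directly. Symlink modes are meaningless, so skip them.
    open=$(find "$root" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print) || return 2

    # Group access is only meant for gotwebd, which needs read, never write.
    gwrite=$(find "$root" ! -type l -perm -020 -print) || return 2

    # Everything should belong to the daemon user.
    foreign=$(find "$root" ! -user "$owner" -print) || return 2

    status=0
    if [ -n "$open" ]; then
        printf 'accessible to other users:\n%s\n' "$open"
        status=1
    fi
    if [ -n "$gwrite" ]; then
        printf 'group-writable:\n%s\n' "$gwrite"
        status=1
    fi
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
        status=1
    fi
    return "$status"
}

# Run directly as: sh audit.sh /home/git
if [ "$#" -gt 0 ]; then
    audit_repos "$@"
fi
```

Run it as root (for example via doas), since a correctly locked-down tree cannot be traversed by ordinary users.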