  1. Do not allow custom hook scripts for repositories accessible by the daemons: no "snap" accounts with write access to the hooks directories of such repositories.
  2. Develop machinery to make custom hook scripts execute as the committing user.
  3. Accept a weak security model where users can gain access to other users' repositories with enough effort.

The third option is probably not acceptable to us, particularly after we add support for non-Kerberos users, but it's worth noting that web hosting has a similar security issue and most web hosting providers have taken the third approach.