From 13d2c150748c713a51d972dbf44ba0a000fda0f8 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sun, 24 May 2026 18:38:19 +0100
Subject: [PATCH] fix(desudo): de-sudo config scan so the manager runtime loads CFG
scan_files used 'sudo find' to enumerate config files to source. Under the scoped sudoers that's denied, so NO configs got sourced -> CFG_DOCKER_INSTALL_TYPE ended up empty -> runFileOp/runFileWrite fell back to the manager branch and every container-path write failed. Root cause of the 'sudo: a password is required' + 'tee: Permission denied' storm when running under the scoped grant.
- configs/ scan (manager-owned): plain find
- app_configs scan (/docker/containers, docker-install-owned, not list-readable by the manager): runFileOp find (enumerate as that user; manager still sources each .config, which is o+r). 'containers' install templates stay plain find.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 scripts/checks/requirements/check_docker_rootless.sh | 2 +-
 scripts/source/loading/scan_files.sh | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/scripts/checks/requirements/check_docker_rootless.sh b/scripts/checks/requirements/check_docker_rootless.sh
index e7e2f7c..fd31a98 100755
--- a/scripts/checks/requirements/check_docker_rootless.sh
+++ b/scripts/checks/requirements/check_docker_rootless.sh
@@ -4,7 +4,7 @@ checkDockerRootlessRequirement()
 {
 if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
 ### Docker Rootless
- if runSystem grep -q "ROOTLESS" $sysctl; then
+ if grep -q "ROOTLESS" $sysctl; then
 isSuccessful "Docker Rootless appears to be installed."
 else
 isNotice "Docker Rootless does not appear to be installed."
diff --git a/scripts/source/loading/scan_files.sh b/scripts/source/loading/scan_files.sh
index bfa42fe..9643c24 100755
--- a/scripts/source/loading/scan_files.sh
+++ b/scripts/source/loading/scan_files.sh
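Review bot: In check_docker_rootless.sh the de-sudo'd `grep -q "ROOTLESS" $sysctl` now treats a file the manager cannot read (or a missing one) the same as "no match": grep exits 2 and the `else` branch reports that rootless is not installed. `$sysctl` is also unquoted, so an empty value leaves grep reading stdin. Suggest `if [[ -r "$sysctl" ]] && grep -q "ROOTLESS" -- "$sysctl"; then`, with a separate notice when the file is not readable. Where `$sysctl` is set is outside the hunk, so whether the manager account can read that path is an assumption to confirm.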
@@ -26,7 +26,7 @@ sourceScanFiles()
 # echo "$load_type NEW FILE $file"
 fi
 fi
- done < <(sudo find "$folder_dir" -maxdepth 2 -type f ! -name "*.category" ! -name "config_*" ! -name ".*" -print0)
+ done < <(find "$folder_dir" -maxdepth 2 -type f ! -name "*.category" ! -name "config_*" ! -name ".*" -print0)
 # Per-location backup configs live nested at depth 3
 # (configs/backup/locations//location.config) — source them via
@@ -48,14 +48,20 @@ sourceScanFiles()
 echo "Invalid load type: $load_type"
 fi
- # Scanning function for other types (not libreportal_configs)
+ # Scanning function for other types (not libreportal_configs).
+ # app_configs live under /docker/containers (owned by the docker install user
+ # and not list-readable by the manager), so enumerate them AS that user via
+ # runFileOp; the manager still sources each (the .config files are o+r). The
+ # 'containers' install templates are manager-owned, so a plain find suffices.
 if [ "$load_type" != "libreportal_configs" ]; then
+ local scan_op=""
+ [[ "$load_type" == "app_configs" ]] && scan_op="runFileOp"
 while IFS= read -r -d '' file; do
 if [ -f "$file" ]; then
 source "$file"
 # echo "$load_type FILE $file"
 fi
- done < <(sudo find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0)
+ done < <($scan_op find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0)
 fi
 # Load the categories from the file into an array
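Review bot: In the `-maxdepth 2` configs scan (first scan_files.sh hunk), `done < <(find …)` discards find's exit status, so a denied or failed enumeration still produces an empty loop and nothing is sourced, which is the silent failure the commit message describes. The same holds for the `$scan_op find` loop in the second hunk. A guard after the libreportal_configs scan would surface it, e.g. `[[ -n "$CFG_DOCKER_INSTALL_TYPE" ]] || { echo "no configs loaded from $folder_dir" >&2; return 1; }`; which load type sets that variable is not visible here, so the placement needs confirming. sourceScanFiles starts and ends outside the hunk.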
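Review bot: In the app_configs loop (second scan_files.sh hunk), `source "$file"` executes in the manager's shell every match under a tree the new comment describes as owned by the docker install user, so whoever can write there controls code run by the account that, per the commit message, holds the scoped sudo grant. Before sourcing, consider checking each file's owner and mode (skip anything group- or other-writable or not owned by an expected account), or read these files as key=value data instead of executing them. Separately, `$scan_op find` depends on an unquoted empty expansion vanishing; an array such as `local -a scan_cmd=(find)` with `scan_cmd=(runFileOp find)` for app_configs, invoked as `"${scan_cmd[@]}"`, states the intent and passes quoting lint. The function body continues outside the hunk.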