From 4430edc40e40162985d9d1b1142f36f37ddf7175 Mon Sep 17 00:00:00 2001
From: librelad
Date: Tue, 26 May 2026 17:48:00 +0100
Subject: [PATCH] fix(apps): de-sudo the remaining per-app .sh file ops via runFileOp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sweep of every containers//.sh after the install-side fix that went into config_file_setup_data.sh — these were the same class of bug: bare `sudo sed -i` / `sudo docker exec` calls left over from when the manager carried NOPASSWD:ALL. After the rootless+de-sudo hardening (Model A, sudoers scoped to LP_HELPERS + LP_SYSTEM only) those calls fail at runtime, so every per-app routine that uses one would refuse on install or in its post-install tweak step. Each call routes through the existing `runFileOp` shim, which picks the right path per CFG_DOCKER_INSTALL_TYPE (dockerinstall in rootless, manager in rootful) — same pattern setup_dns.sh / authelia.sh / config_file_setup_data.sh already use.
Fixed:
gitea.sh:65 — sync GITEA_METRICS_TOKEN into prometheus-scrape.yml
owncloud.sh:88 — fill OWNCLOUD_SETUP_* in the setup-webform html
searxng.sh:87 — flip simple_style: auto → CFG_SEARXNG_THEME
trilium.sh:89 — rewrite trilium-data/config.ini port=
bookstack.sh:139 — bookstack:create-admin via `docker exec`
bookstack.sh:148 — admin@admin.com cleanup via `docker exec ... tinker`
`bash -n` clean on every touched file. Untested live (none of these apps are installed on the verify VM) but mechanically equivalent to the already-validated config_file_setup_data.sh fix.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 containers/bookstack/bookstack.sh | 4 ++--
 containers/gitea/gitea.sh | 4 ++--
 containers/owncloud/owncloud.sh | 2 +-
 containers/searxng/searxng.sh | 2 +-
 containers/trilium/trilium.sh | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/containers/bookstack/bookstack.sh b/containers/bookstack/bookstack.sh
index eafd58e..6812fc0 100755
--- a/containers/bookstack/bookstack.sh
+++ b/containers/bookstack/bookstack.sh
@@ -136,7 +136,7 @@ installBookstack()
 else
 isSuccessful "Bookstack is online (HTTP ${bookstack_http_code})."
- bookstack_create_output=$(sudo docker exec \
+ bookstack_create_output=$(runFileOp docker exec \
 -e EZ_BS_NEW_EMAIL="$bookstack_target_email" \
 -e EZ_BS_NEW_PASS="$bookstack_target_pass" \
 bookstack sh -c 'cd /app/www && s6-setuidgid abc php artisan bookstack:create-admin --no-ansi --email="$EZ_BS_NEW_EMAIL" --name=Admin --password="$EZ_BS_NEW_PASS" 2>&1')
@@ -145,7 +145,7 @@ installBookstack()
 isSuccessful "Bookstack admin account created (email: $bookstack_target_email)."
 if [[ "$bookstack_target_email" != "admin@admin.com" ]]; then
- sudo docker exec -i bookstack php /app/www/artisan tinker --no-ansi >/dev/null 2>&1 <<'PHP'
+ runFileOp docker exec -i bookstack php /app/www/artisan tinker --no-ansi >/dev/null 2>&1 <<'PHP'
 $c = class_exists('\BookStack\Users\Models\User') ? '\BookStack\Users\Models\User' : '\BookStack\Auth\User';
 optional($c::where('email', 'admin@admin.com')->first())->delete();
 PHP
diff --git a/containers/gitea/gitea.sh b/containers/gitea/gitea.sh
index c47864c..7339bc8 100755
--- a/containers/gitea/gitea.sh
+++ b/containers/gitea/gitea.sh
@@ -62,8 +62,8 @@ installGitea()
 # that same value into the Prometheus scrape fragment so the two agree.
 if monitoringAppEnabled "$app_name"; then
 if [[ -n "$CFG_GITEA_METRICS_TOKEN" ]]; then
- sudo sed -i "s|GITEA_METRICS_TOKEN_PLACEHOLDER|${CFG_GITEA_METRICS_TOKEN}|g" \
- "$containers_dir$app_name/resources/monitoring/prometheus-scrape.yml"
+ local result=$(runFileOp sed -i "s|GITEA_METRICS_TOKEN_PLACEHOLDER|${CFG_GITEA_METRICS_TOKEN}|g" \
+ "$containers_dir$app_name/resources/monitoring/prometheus-scrape.yml")
 checkSuccess "Synced Gitea /metrics token to the Prometheus scrape config"
 else
 isNotice "CFG_GITEA_METRICS_TOKEN is empty — Gitea /metrics scrape may 401."
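Review bot: The new admin password is still an argument of the host-side command — `-e EZ_BS_NEW_PASS="$bookstack_target_pass"` sits on the argv of the `docker exec` that runFileOp now launches — so it is readable in the host process list while the call runs and, if runFileOp's rootless path invokes sudo as the commit message implies, is recorded verbatim in the sudo log. The removed `sudo docker exec` line had the same exposure, so this is not a regression, but the sweep is the natural moment to close it. Passing the value on stdin keeps it off argv, e.g. `printf '%s' "$bookstack_target_pass" | runFileOp docker exec -i -e EZ_BS_NEW_EMAIL="$bookstack_target_email" bookstack sh -c 'EZ_BS_NEW_PASS=$(cat) && cd /app/www && s6-setuidgid abc php artisan bookstack:create-admin --no-ansi --email="$EZ_BS_NEW_EMAIL" --name=Admin --password="$EZ_BS_NEW_PASS" 2>&1'`, which relies on runFileOp forwarding stdin unchanged — something this diff does not show. installBookstack begins and ends outside the hunk.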
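Review bot: The removal of the stock `admin@admin.com` account is unverified: the `runFileOp docker exec -i ... tinker` line discards stdout and stderr and nothing inside the hunk inspects its exit status, so if runFileOp's rootless path fails, or does not hand the `<<'PHP'` heredoc through on stdin, the default account with its well-known password quietly survives the install. Since removing that account is the purpose of this block, its outcome deserves the same treatment as the create step a few lines earlier: open the call with `if ! runFileOp docker exec -i bookstack php /app/www/artisan tinker --no-ansi >/dev/null 2>&1 <<'PHP'` and, after the `PHP` terminator, report the failure with an `isNotice` before `fi`. A tinker run that exits 0 still does not prove the row is gone, so a follow-up lookup of that email would be the stronger confirmation. Whether a status check already follows the `PHP` terminator is outside the hunk.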
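Review bot: `local result=$(runFileOp sed -i ...)` hides the status that the next line's `checkSuccess` is meant to read: `local` returns 0 whatever the command substitution returned, so a failed token sync is reported as synced — and this is new here, because the removed lines ran `sudo sed -i` bare. Declare and assign separately, `local result` then `result=$(runFileOp sed -i "s|GITEA_METRICS_TOKEN_PLACEHOLDER|${CFG_GITEA_METRICS_TOKEN}|g" "$containers_dir$app_name/resources/monitoring/prometheus-scrape.yml")`, or drop the capture entirely since `sed -i` prints nothing and `result` is never read in the hunk; this assumes checkSuccess tests `$?`, which I cannot see from here. The same `local result=$(...)` shape is on the new side of the owncloud.sh and searxng.sh hunks, although there it predates this change. The token is also spliced into the sed expression unescaped, so a value containing `|`, `&` or `\` would corrupt the substitution or make sed fail. installGitea continues outside the hunk.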
diff --git a/containers/owncloud/owncloud.sh b/containers/owncloud/owncloud.sh
index 32f3067..e931ac7 100755
--- a/containers/owncloud/owncloud.sh
+++ b/containers/owncloud/owncloud.sh
@@ -85,7 +85,7 @@ installOwncloud()
 isNotice "Failed to retrieve the web page."
 fi
- local result=$(sudo sed -i \
+ local result=$(runFileOp sed -i \
 -e "s|OWNCLOUD_SETUP_VERSION|$owncloud_version|g" \
 -e "s|OWNCLOUD_SETUP_ADMIN_USERNAME|$CFG_OWNCLOUD_ADMIN_USERNAME|g" \
 -e "s|OWNCLOUD_SETUP_ADMIN_PASSWORD|$CFG_OWNCLOUD_ADMIN_PASSWORD|g" \
diff --git a/containers/searxng/searxng.sh b/containers/searxng/searxng.sh
index 39281d4..0876f2f 100755
--- a/containers/searxng/searxng.sh
+++ b/containers/searxng/searxng.sh
@@ -84,7 +84,7 @@ installSearxng()
 # Check if the file was found or if we timed out
 if [ -f "$containers_dir$app_name/searxng-data/settings.yml" ]; then
 # Perform the required operation on the file once it exists
- local result=$(sudo sed -i "s/simple_style: auto/simple_style: $CFG_SEARXNG_THEME/" "$containers_dir$app_name/searxng-data/settings.yml")
+ local result=$(runFileOp sed -i "s/simple_style: auto/simple_style: $CFG_SEARXNG_THEME/" "$containers_dir$app_name/searxng-data/settings.yml")
 checkSuccess "Changing from light mode to dark mode to avoid eye strain installs"
 dockerComposeRestart $app_name;
diff --git a/containers/trilium/trilium.sh b/containers/trilium/trilium.sh
index 1b74108..888cfd3 100755
--- a/containers/trilium/trilium.sh
+++ b/containers/trilium/trilium.sh
@@ -86,7 +86,7 @@ installTrilium()
 local trilium_counter=$((trilium_counter + 1))
 done
- result=$(sudo sed -i "s|port=8080|port=$usedport1|g" "$containers_dir$app_name/trilium-data/config.ini")
+ result=$(runFileOp sed -i "s|port=8080|port=$usedport1|g" "$containers_dir$app_name/trilium-data/config.ini")
 checkSuccess "Configured $app_name from default 8080 to $usedport1"
 dockerComposeRestart $app_name;
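Review bot: `$CFG_OWNCLOUD_ADMIN_PASSWORD` is interpolated straight into the `-e "s|OWNCLOUD_SETUP_ADMIN_PASSWORD|...|g"` expression on the last line of the hunk, so a password containing `|` ends the pattern early, `&` is replaced by the matched placeholder text and `\` starts an escape — sed either errors out or writes a different password into the setup form than the one the admin configured, while the following `checkSuccess` still reports success because `local result=$(...)` masks the command's status. Escape those three characters before use, for example `pw=${CFG_OWNCLOUD_ADMIN_PASSWORD//\\/\\\\}; pw=${pw//&/\\&}; pw=${pw//|/\\|}` (a constructed sample) and substitute `$pw`, apply the same to `$CFG_OWNCLOUD_ADMIN_USERNAME`, and note that the gitea.sh token line has the same exposure. The password also rides on the argv of the sed that runFileOp launches, so it is briefly visible in the process list and, if the rootless path goes through sudo, is logged there in clear — a stdin- or file-based substitution would avoid that. The sed command and installOwncloud both continue past the end of the hunk.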
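Review bot: The `checkSuccess` message that follows the changed line still says "Changing from light mode to dark mode", but the new line writes whatever `$CFG_SEARXNG_THEME` holds, so the install log misdescribes the operation whenever the configured theme is not dark; suggest `checkSuccess "Set SearXNG simple_style to $CFG_SEARXNG_THEME"`. That line is context in this hunk, but it is the only place the message lives, so this commit is the natural place to correct it. installSearxng continues outside the hunk.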