feat(privilege): mode-aware privileged-op helper
Single place that decides how a privileged op runs by Docker mode: - runFileOp / runFileWrite: /docker data-plane ops — rooted uses sudo (identical to today), rootless runs as the unprivileged install user (no root). - runSystem: genuine system-admin ops, sudo in both modes, funnelled here so it can later be confined to a scoped sudoers allowlist. Call sites converted to these are byte-for-byte unchanged under rooted, so existing/live boxes can't regress; rootless gets the de-privileged path. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
14efcc579b
commit
5c928fe9c0
46
scripts/docker/command/run_privileged.sh
Normal file
46
scripts/docker/command/run_privileged.sh
Normal file
@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Mode-aware privileged operations.
|
||||
#
|
||||
# The privilege a file operation needs depends on the Docker mode:
|
||||
# rooted — app/container files under /docker are root-owned, so ops run via
|
||||
# sudo. This is byte-for-byte the historical behaviour.
|
||||
# rootless — those files are owned by the unprivileged Docker install user, so
|
||||
# ops run AS that user over the existing SSH channel and need no
|
||||
# root at all.
|
||||
# Centralising the branch here means each call site is written once and is
|
||||
# correct in both modes, and rooted installs (incl. live boxes) are unchanged.
|
||||
|
||||
# Run a /docker data-plane command — mkdir/chown/rm/cp/mv/find/sqlite3/etc. on
|
||||
# app or container files.
|
||||
# rooted -> sudo <cmd>
|
||||
# rootless -> run <cmd> as the Docker install user (no sudo)
|
||||
# Note: for stdin-fed writes (e.g. `… | sudo tee file`) use runFileWrite below;
|
||||
# this helper is for self-contained commands.
|
||||
runFileOp() {
|
||||
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
||||
dockerCommandRunInstallUser "$*"
|
||||
else
|
||||
sudo "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Write stdin to a path with the right privilege (replaces `… | sudo tee path`).
|
||||
# rooted -> sudo tee
|
||||
# rootless -> tee as the Docker install user
|
||||
# Usage: some_command | runFileWrite /path/to/file
|
||||
runFileWrite() {
|
||||
local dest="$1"
|
||||
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
||||
dockerCommandRunInstallUser "tee '$dest' >/dev/null"
|
||||
else
|
||||
sudo tee "$dest" >/dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
# Genuine system-administration command (ufw/systemctl/apt/sysctl/useradd, /etc
|
||||
# edits). Needs real root in both modes; kept as sudo and funnelled through one
|
||||
# place so it can later be confined to a scoped sudoers allowlist.
|
||||
runSystem() {
|
||||
sudo "$@"
|
||||
}
|
||||
@ -31,6 +31,7 @@ docker_scripts=(
|
||||
"docker/checks/running_for_user.sh"
|
||||
"docker/command/docker_run_install.sh"
|
||||
"docker/command/docker_run.sh"
|
||||
"docker/command/run_privileged.sh"
|
||||
"docker/compose/copy_build_context.sh"
|
||||
"docker/compose/restart_after_update.sh"
|
||||
"docker/compose/setup_compose_yml.sh"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user