From 9050a8c78355480c593156370cdb68dfbd64cf17 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sun, 31 May 2026 11:17:17 +0100
Subject: [PATCH] fix(de-sudo): skip runtime manager-password re-sync (surfaced by error_report)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The honest-checkSuccess + masking fixes immediately surfaced a real masked failure in error_report.log: updateDockerSudoPassword (run every system scan from start_scan.sh) does 'sudo passwd $sudo_user_name', but Model A's scoped sudoers grants only LP_HELPERS/LP_SYSTEM + run-as-install-user — not passwd. So at runtime (manager, non-root) it failed exit 1 every scan, masked until now. The password is set at install (root, chpasswd) and admin login is key-based, so the runtime re-sync is legacy + impossible under de-sudo: guard it to skip unless EUID 0. (Validates the surfacing mechanism working as intended.)

Co-Authored-By: Claude Opus 4.8
Signed-off-by: librelad
---
 scripts/docker/update_docker_sudo_pass.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/scripts/docker/update_docker_sudo_pass.sh b/scripts/docker/update_docker_sudo_pass.sh
index 58b1b12..439cbcf 100755
--- a/scripts/docker/update_docker_sudo_pass.sh
+++ b/scripts/docker/update_docker_sudo_pass.sh
@@ -2,6 +2,16 @@ updateDockerSudoPassword() {
+ # The manager's system password is set at install (as root, via chpasswd).
+ # Under the de-sudo model the runtime runs AS the manager with a SCOPED
+ # sudoers that grants only LP_HELPERS/LP_SYSTEM + running-as-the-install-user
+ # — NOT `passwd`. So re-syncing here at runtime can't work (sudo passwd is
+ # denied) and isn't needed (sudo is NOPASSWD-scoped; admin login is key-based
+ # / managed by the SSH page). Skip unless actually root, else every system
+ # scan fails this step. (Previously masked by `local result=$(…)`.)
+ if [[ $EUID -ne 0 ]]; then
+ return 0
+ fi
 local result; result=$(echo -e "$CFG_LIBREPORTAL_USER_PASS\n$CFG_LIBREPORTAL_USER_PASS" | runSystem passwd "$sudo_user_name" > /dev/null 2>&1)
 checkSuccess "Updating the password for the $sudo_user_name user"
 }
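Review bot: The early `return 0` for non-root callers skips silently, so a rotated `CFG_LIBREPORTAL_USER_PASS` is no longer applied to the `$sudo_user_name` account at runtime, and nothing in the log says the install-time password is still the live one. The added comment argues the password is unused (NOPASSWD-scoped sudo, key-based login); whether password logins or `su` remain possible on the host is not visible from this hunk, and if they do, the old credential stays valid after a config change. Consider recording the skip before `return 0`, e.g. `echo "manager password re-sync skipped (not root); config changes are not applied to $sudo_user_name" >&2`, and stating in the comment that rotation now needs a root-run path. Separately, the remaining root path still feeds the password through `echo -e`, which interprets backslash sequences inside the password; `printf '%s\n%s\n' "$CFG_LIBREPORTAL_USER_PASS" "$CFG_LIBREPORTAL_USER_PASS"` would pass it verbatim.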