refactor(de-sudo): config-plane + permission helpers off raw sudo

config_scan_variables + config_check_missing operate on the manager-owned
configs_dir -> runInstallOp (test/cat/cmp/cp/mkdir). Container-path chmods in
before_start (traefik) + config.sh -> runFileOp. Fix the 'sudo sudo chown'
double in root_file.sh -> runSystem chown (ownership establishment).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
librelad 2026-05-24 17:03:19 +01:00
parent 67aea8e722
commit 92c0261ca4
5 changed files with 12 additions and 12 deletions


@ -19,7 +19,7 @@ checkConfigFilesMissingFiles()
if [ -d "$install_category_dir" ]; then
# Create target category directory if it doesn't exist
if [ ! -d "$target_category_dir" ]; then
sudo mkdir -p "$target_category_dir"
runInstallOp mkdir -p "$target_category_dir"
fi
# Check each file in the install category directory
@ -30,7 +30,7 @@ checkConfigFilesMissingFiles()
if [ ! -f "$target_file" ]; then
# Copy missing file from install directory
sudo cp "$install_file" "$target_file"
runInstallOp cp "$install_file" "$target_file"
((missing_files_count++))
fi
((found_files_count++))
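Review bot: The exit status of the new `runInstallOp cp "$install_file" "$target_file"` in the second hunk is never checked, so `((missing_files_count++))` counts the file as restored even when the helper refused or failed the copy; the `runInstallOp mkdir -p` in the first hunk has the same gap, and a silently failed mkdir makes every copy into that category fail afterwards. Guarding the increment keeps the count honest: `if runInstallOp cp -- "$install_file" "$target_file"; then ((missing_files_count++)); fi`, and the mkdir deserves an `|| …` branch of its own. If runInstallOp performs the copy as the manager user rather than root, the restored files now take that user's ownership and umask, which appears to be the intent of the de-sudo refactor but is worth confirming for any reader that expected root-owned config files. checkConfigFilesMissingFiles starts before the first hunk and ends after the second.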


@ -14,13 +14,13 @@ reconcileConfigFile()
local do_delete="${CFG_REQUIREMENT_CONFIGS_AUTO_DELETE:-true}"
[[ -f "$live" ]] || return 0
sudo test -s "$template" 2>/dev/null || return 0
runInstallOp test -s "$template" 2>/dev/null || return 0
declare -A live_line emitted
local line key
while IFS= read -r line; do
[[ "$line" =~ ^(CFG_[A-Za-z0-9_]+)= ]] && live_line["${BASH_REMATCH[1]}"]="$line"
done < <(sudo cat "$live")
done < <(runInstallOp cat "$live")
local tmp; tmp=$(mktemp)
while IFS= read -r line; do
@ -35,7 +35,7 @@ reconcileConfigFile()
else
printf '%s\n' "$line" >> "$tmp" # comments / blanks / ordering
fi
done < <(sudo cat "$template")
done < <(runInstallOp cat "$template")
if [[ "$do_delete" != "true" ]]; then # keep keys the template dropped
for key in "${!live_line[@]}"; do
@ -44,9 +44,9 @@ reconcileConfigFile()
fi
# Replace only when the result is sane (non-empty, has keys) and differs.
if [[ -s "$tmp" ]] && grep -q '^CFG_' "$tmp" && ! sudo cmp -s "$tmp" "$live"; then
sudo cp -a "$live" "${live}.bak"
sudo cp "$tmp" "$live"
if [[ -s "$tmp" ]] && grep -q '^CFG_' "$tmp" && ! runInstallOp cmp -s "$tmp" "$live"; then
runInstallOp cp -a "$live" "${live}.bak"
runInstallOp cp "$tmp" "$live"
isSuccessful "Reconciled config: $(basename "$live") (backup: $(basename "$live").bak)"
fi
rm -f "$tmp"
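Review bot: A failure of `runInstallOp cat "$live"` (the new process substitution in the first hunk) is swallowed, leaving `live_line` empty; the template loop whose key branch lies outside the hunk then appears to have no live values to substitute, and the final `runInstallOp cp "$tmp" "$live"` replaces the live config with template defaults, with the `.bak` as the only safety net. With `sudo cat` that path was unlikely, but a helper that can decline an operation makes it reachable, so read the live file first and bail before building `$tmp`: `local live_text; live_text=$(runInstallOp cat "$live") || return 0` followed by `done <<<"$live_text"` in place of the process substitution. The `2>/dev/null` kept on the `runInstallOp test -s "$template"` line likewise hides whatever the helper reports when it refuses, which is only worth keeping if that silence is deliberate. reconcileConfigFile starts before the first hunk and ends after the third.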


@ -23,12 +23,12 @@ fixPermissionsBeforeStart()
# Traefik
if [ -f "${containers_dir}traefik/etc/certs/acme.json" ]; then
updateFileOwnership "${containers_dir}traefik/etc/certs/acme.json" $docker_install_user $docker_install_user
local result=$(sudo chmod 600 "${containers_dir}traefik/etc/certs/acme.json")
local result=$(runFileOp chmod 600 "${containers_dir}traefik/etc/certs/acme.json")
checkSuccess "Set permissions to acme.json file for traefik"
fi
if [ -f "${containers_dir}traefik/etc/traefik.yml" ]; then
updateFileOwnership "${containers_dir}traefik/etc/traefik.yml" $docker_install_user $docker_install_user
local result=$(sudo chmod 600 "${containers_dir}traefik/etc/traefik.yml")
local result=$(runFileOp chmod 600 "${containers_dir}traefik/etc/traefik.yml")
checkSuccess "Set permissions to traefik.yml file for traefik"
fi
}
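Review bot: Both new lines, `local result=$(runFileOp chmod 600 …acme.json)` and the traefik.yml counterpart, discard the helper's exit status because `local` returns 0 regardless of the command substitution, so the `checkSuccess` that follows cannot observe a failed chmod if it relies on `$?`; split declaration from assignment: `local result` then `result=$(runFileOp chmod 600 "${containers_dir}traefik/etc/certs/acme.json")`. The same pattern is carried over unchanged on the `runFileOp chmod g+rw` line of the fixConfigPermissions section and the `runSystem chown` line of the changeRootOwnedFile section. For acme.json in particular a chmod 600 that silently fails leaves the ACME private key readable by the group or world, which is exactly the case this function exists to prevent. fixPermissionsBeforeStart begins above this hunk.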


@ -6,7 +6,7 @@ fixConfigPermissions()
local app_name="$2"
local config_file="$containers_dir$app_name/$app_name.config"
local result=$(sudo chmod g+rw $config_file)
local result=$(runFileOp chmod g+rw $config_file)
if [ "$silent_flag" == "loud" ]; then
isNotice "Updating config read permissions for LibrePortal"
fi
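Review bot: `$config_file` is unquoted on the new `runFileOp chmod g+rw $config_file` line, so a `containers_dir` or `app_name` containing whitespace or glob characters is word-split and globbed before the helper sees it, and the chmod can land on a different path than intended; the fix is `local result=$(runFileOp chmod g+rw "$config_file")`. If runFileOp enforces a path policy, passing the path as a single argument is also what lets that policy see the real target. fixConfigPermissions starts above this hunk and continues below it.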


@ -14,7 +14,7 @@ changeRootOwnedFile()
isNotice "File '$file_full' does not exist."
fi
else
local result=$(sudo sudo chown "$user_name:$user_name" "$file_full")
local result=$(runSystem chown "$user_name:$user_name" "$file_full")
checkSuccess "Updating $file_name to be owned by $user_name"
fi
}
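Review bot: `runSystem chown "$user_name:$user_name" "$file_full"` runs with elevated privilege and, because chown dereferences symbolic links by default, a `$file_full` that is a symlink re-owns the link target rather than the path the caller named; unless `file_full` can only come from the installer's own constants, reject links before the call (`[[ -L "$file_full" ]] && { isNotice "[PLACEHOLDER: symlink message]"; return 1; }`) or use `chown -h` when the link itself is what should change. The group half of `"$user_name:$user_name"` also assumes a group named after the user exists; `"$user_name:"` makes chown fall back to that user's login group, if that is acceptable here. The existence check whose else-branch this is begins above the hunk.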