diff --git a/scripts/system/libreportal-ownership b/scripts/system/libreportal-ownership
index 09fd192..9dbdf85 100644
--- a/scripts/system/libreportal-ownership
+++ b/scripts/system/libreportal-ownership
@@ -94,13 +94,22 @@ _app_dir() {
 # Let the rootless container user reach the few system-tree files it must read as
 # bind-mount sources (the WebUI's configs/webui/*), WITHOUT exposing the rest of
-# the control plane: traverse SYSTEM_DIR + configs, read configs/webui only.
+# the control plane — or those files' contents to other local users.
+#
+# Access is granted via the GROUP, not world: under rootless the container's gid 0
+# maps to the container owner's gid on the host, so group-read is enough for the
+# container while other local users get nothing. Owner stays the manager so the
+# control plane can still rewrite them; the dir keeps only o+x (traverse, not list).
+# This is what keeps secrets like webui_logins from being world-readable.
 _webui_bind_access() {
   chmod o+x "$SYSTEM_DIR" 2>/dev/null
   [[ -d "$CONFIGS_DIR" ]] && chmod o+x "$CONFIGS_DIR" 2>/dev/null
   if [[ -d "$CONFIGS_DIR/webui" ]]; then
-    chmod o+rx "$CONFIGS_DIR/webui" 2>/dev/null
-    find "$CONFIGS_DIR/webui" -maxdepth 1 -type f -exec chmod o+r {} \; 2>/dev/null
+    local cowner; cowner="$(_container_owner "$(_mode)")"
+    chown "$MANAGER:$cowner" "$CONFIGS_DIR/webui" 2>/dev/null
+    chmod 0751 "$CONFIGS_DIR/webui" 2>/dev/null
+    find "$CONFIGS_DIR/webui" -maxdepth 1 -type f \
+      -exec chown "$MANAGER:$cowner" {} \; -exec chmod 0640 {} \; 2>/dev/null
   fi
 }