From a2376e2fc6cab2e59cc6baff39522dce64fc029d Mon Sep 17 00:00:00 2001 From: librelad Date: Thu, 18 Jun 2026 18:05:24 +0100 Subject: [PATCH] fix(security): webui config files reachable by group, not world MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit _webui_bind_access granted o+r to every file in configs/webui so the rootless container could read its bind-mount sources — but that also made secrets like webui_logins world-readable to any local user. Under rootless the container's gid 0 maps to the container owner's gid, so group access is sufficient: chown the webui dir + files to MANAGER:container-owner, dir 0751 (traverse, not list), files 0640. Container reads via group; other local users get nothing; the manager (owner) still rewrites them. Verified live: container READ ok, world READ denied, manager rw, WebUI login still 200. Live helper updated in lockstep with this source. Co-Authored-By: Claude Opus 4.8 Signed-off-by: librelad --- scripts/system/libreportal-ownership | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/scripts/system/libreportal-ownership b/scripts/system/libreportal-ownership index 09fd192..9dbdf85 100644 --- a/scripts/system/libreportal-ownership +++ b/scripts/system/libreportal-ownership @@ -94,13 +94,22 @@ _app_dir() { # Let the rootless container user reach the few system-tree files it must read as # bind-mount sources (the WebUI's configs/webui/*), WITHOUT exposing the rest of -# the control plane: traverse SYSTEM_DIR + configs, read configs/webui only. +# the control plane — or those files' contents to other local users. +# +# Access is granted via the GROUP, not world: under rootless the container's gid 0 +# maps to the container owner's gid on the host, so group-read is enough for the +# container while other local users get nothing. Owner stays the manager so the +# control plane can still rewrite them; the dir keeps only o+x (traverse, not list). +# This is what keeps secrets like webui_logins from being world-readable. _webui_bind_access() { chmod o+x "$SYSTEM_DIR" 2>/dev/null [[ -d "$CONFIGS_DIR" ]] && chmod o+x "$CONFIGS_DIR" 2>/dev/null if [[ -d "$CONFIGS_DIR/webui" ]]; then - chmod o+rx "$CONFIGS_DIR/webui" 2>/dev/null - find "$CONFIGS_DIR/webui" -maxdepth 1 -type f -exec chmod o+r {} \; 2>/dev/null + local cowner; cowner="$(_container_owner "$(_mode)")" + chown "$MANAGER:$cowner" "$CONFIGS_DIR/webui" 2>/dev/null + chmod 0751 "$CONFIGS_DIR/webui" 2>/dev/null + find "$CONFIGS_DIR/webui" -maxdepth 1 -type f \ + -exec chown "$MANAGER:$cowner" {} \; -exec chmod 0640 {} \; 2>/dev/null fi }