fix(security): webui config files reachable by group, not world
_webui_bind_access granted o+r to every file in configs/webui so the rootless container could read its bind-mount sources — but that also made secrets like webui_logins world-readable to any local user. Under rootless the container's gid 0 maps to the container owner's gid, so group access is sufficient: chown the webui dir + files to MANAGER:container-owner, dir 0751 (traverse, not list), files 0640. Container reads via group; other local users get nothing; the manager (owner) still rewrites them. Verified live: container READ ok, world READ denied, manager rw, WebUI login still 200. Live helper updated in lockstep with this source. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
d458fa5ea4
commit
a2376e2fc6
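@@ -94,13 +94,22 @@ _app_dir() {
 
 # Let the rootless container user reach the few system-tree files it must read as
 # bind-mount sources (the WebUI's configs/webui/*), WITHOUT exposing the rest of
-# the control plane: traverse SYSTEM_DIR + configs, read configs/webui only.
+# the control plane — or those files' contents to other local users.
+#
+# Access is granted via the GROUP, not world: under rootless the container's gid 0
+# maps to the container owner's gid on the host, so group-read is enough for the
+# container while other local users get nothing. Owner stays the manager so the
+# control plane can still rewrite them; the dir keeps only o+x (traverse, not list).
+# This is what keeps secrets like webui_logins from being world-readable.
 _webui_bind_access() {
     chmod o+x "$SYSTEM_DIR" 2>/dev/null
     [[ -d "$CONFIGS_DIR" ]] && chmod o+x "$CONFIGS_DIR" 2>/dev/null
     if [[ -d "$CONFIGS_DIR/webui" ]]; then
-        chmod o+rx "$CONFIGS_DIR/webui" 2>/dev/null
-        find "$CONFIGS_DIR/webui" -maxdepth 1 -type f -exec chmod o+r {} \; 2>/dev/null
+        local cowner; cowner="$(_container_owner "$(_mode)")"
+        chown "$MANAGER:$cowner" "$CONFIGS_DIR/webui" 2>/dev/null
+        chmod 0751 "$CONFIGS_DIR/webui" 2>/dev/null
+        find "$CONFIGS_DIR/webui" -maxdepth 1 -type f \
+            -exec chown "$MANAGER:$cowner" {} \; -exec chmod 0640 {} \; 2>/dev/null
     fi
 }
 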
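Review bot: In the new `find`, the `-exec chmod 0640` runs only when the preceding `-exec chown` succeeded (find joins consecutive `-exec` actions with an implicit -and), and with stderr discarded a chown that fails — the helper not running with enough privilege, or `_container_owner` returning an empty string so `"$MANAGER:"` on GNU chown silently selects the manager's login group — leaves the previous version's `o+r` bits on `webui_logins` in place with no signal. Revoking world access should not depend on the chown succeeding: swap the order to `-exec chmod 0640 {} \; -exec chown "$MANAGER:$cowner" {} \;` (and likewise run `chmod 0751` before the directory chown), so a failed chown fails closed for the container rather than open to every other local user. Add `[[ -n "$cowner" ]] || return 1` right after the `local cowner` line, and consider letting the chown status propagate with `|| return 1` instead of `2>/dev/null` so the caller can surface the failure. The enclosing function `_webui_bind_access` is fully within the hunk.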