From f8e1072d1ed911c69562ba7a6d6ef33141268a40 Mon Sep 17 00:00:00 2001 From: librelad Date: Sun, 5 Jul 2026 19:48:22 +0100 Subject: [PATCH] fix(de-sudo): skip runtime dockerinstall-password re-sync (twin of 9050a8c) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit start_scan.sh runs updateDockerInstallPassword every system scan, doing `sudo passwd $CFG_DOCKER_INSTALL_USER` via runSystem. Model A's scoped sudoers grants only LP_HELPERS/LP_SYSTEM + run-as-install-user — not passwd — so at runtime (manager, non-root) it fails exit 1 every scan. This is the exact sibling of the updateDockerSudoPassword failure fixed in 9050a8c; that guard was added to the manager/sudo user but the dockerinstall user was missed, so error_report.log kept logging "Updating the password for the dockerinstall user" on every scan. The password is set at install (root path, startPreInstall → installDockerRootlessUser) and the rootless docker user is driven by tooling, not a password login, so the runtime re-sync is legacy + impossible under de-sudo. Guard it to skip unless EUID 0, mirroring the sudo-pass fix. Co-Authored-By: Claude Opus 4.8 (1M context) Signed-off-by: librelad --- scripts/docker/update_docker_user_pass.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/scripts/docker/update_docker_user_pass.sh b/scripts/docker/update_docker_user_pass.sh index 2cb6c8f..492d9bc 100755 --- a/scripts/docker/update_docker_user_pass.sh +++ b/scripts/docker/update_docker_user_pass.sh @@ -2,6 +2,17 @@ updateDockerInstallPassword() { + # The rootless docker user's password is set at install (as root, from the + # startPreInstall → installDockerRootlessUser path). Under the de-sudo model + # the runtime runs AS the manager with a SCOPED sudoers that grants only + # LP_HELPERS/LP_SYSTEM + running-as-the-install-user — NOT `passwd`. So the + # per-scan re-sync from start_scan.sh can't work (sudo passwd is denied) and + # isn't needed (the user is operated via rootless-docker tooling, not a + # password login). Skip unless actually root, else every system scan fails + # this step. Twin of the updateDockerSudoPassword guard. + if [[ $EUID -ne 0 ]]; then + return 0 + fi local result; result=$(echo -e "$CFG_DOCKER_INSTALL_PASS\n$CFG_DOCKER_INSTALL_PASS" | runSystem passwd "$CFG_DOCKER_INSTALL_USER" > /dev/null 2>&1) checkSuccess "Updating the password for the $CFG_DOCKER_INSTALL_USER user" }