diff --git a/containers/libreportal/libreportal.sh b/containers/libreportal/libreportal.sh
index 8d00ac3..8d7324d 100644
--- a/containers/libreportal/libreportal.sh
+++ b/containers/libreportal/libreportal.sh
@@ -55,13 +55,6 @@ installLibrePortal()
 ((menu_number++))
 echo ""
- echo "---- $menu_number. Updating file permissions before starting."
- echo ""
-
- fixPermissionsBeforeStart $app_name;
-
- ((menu_number++))
- echo ""
 echo "---- $menu_number. Randomizing WebUI login credentials."
 echo ""
@@ -72,6 +65,18 @@ installLibrePortal()
 ((menu_number++))
 echo ""
+ echo "---- $menu_number. Updating file permissions before starting."
+ echo ""
+
+ # Must run AFTER the credential rewrite above: that rewrite (as the non-root
+ manager) resets webui_logins' group, dropping the container-owner group the
+ rootless WebUI reads it through. This pass restores it, so it has to be the
+ last ownership touch before the container starts — else the container can't
+ read its own login file and exits on boot.
+ fixPermissionsBeforeStart $app_name;
+
+ ((menu_number++))
+ echo ""
 echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
 echo ""
diff --git a/scripts/cli/commands/webui/cli_webui_commands.sh b/scripts/cli/commands/webui/cli_webui_commands.sh
index 400b366..3fe4881 100755
--- a/scripts/cli/commands/webui/cli_webui_commands.sh
+++ b/scripts/cli/commands/webui/cli_webui_commands.sh
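Review bot: The moved `fixPermissionsBeforeStart $app_name;` line passes `$app_name` unquoted and ignores the call's exit status, even though the comment directly above it says the container exits on boot when this ownership pass does not land. Because this is now the last ownership touch before docker-compose starts the container, a failure here is exactly the condition the comment warns about, so it should stop the install instead of falling through to the next step: `fixPermissionsBeforeStart "$app_name" || { echo "Failed to update file permissions for $app_name" >&2; return 1; }` (the stray trailing `;` can go at the same time). Whether the project runs under `set -e` or has its own error helper for this is not visible in the hunk. installLibrePortal begins and ends outside the hunk.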
@@ -97,6 +97,12 @@ cliWebuiLoginReset()
 isNotice "Regenerating WebUI config files..."
 webuiLibrePortalUpdate
+ # The credential rewrite above ran as the non-root manager, which resets
+ webui_logins' group and drops the container-owner group the rootless WebUI
+ reads it through. Restore it before restarting, or the container can't read
+ its own login file and exits on boot.
+ reconcileWebuiDirOwnership
+ # Restart the libreportal container so it picks up the new credentials
 isNotice "Restarting LibrePortal container..."
 dockerComposeRestart libreportal
diff --git a/scripts/function/permission/libreportal_folders.sh b/scripts/function/permission/libreportal_folders.sh
index a7b564d..6676c77 100755
--- a/scripts/function/permission/libreportal_folders.sh
+++ b/scripts/function/permission/libreportal_folders.sh
@@ -64,6 +64,14 @@ reconcileContainersTopOwnership()
 # reconcile and the fresh-install WebUI setup so a fresh install gets the same
 # ownership a switch does — otherwise rootless generators hit "Permission
 # denied" on a manager-owned frontend/data tree.
+#
+ Also restores the configs/webui bind-mount access (webui-bind): those system-tree
+ files are read by the container through the container-owner GROUP, but any rewrite
+ by the non-root manager (e.g. the credential randomizer's sed of webui_logins)
+ resets their group to the manager's own — after which the rootless container can
+ no longer read them and exits on boot. Folding it in here makes this the single
+ "ready the WebUI for its container" pass: run it after any config write and right
+ before the container (re)starts.
 reconcileWebuiDirOwnership()
 {
 local mode="${1:-$CFG_DOCKER_INSTALL_TYPE}"
@@ -74,6 +82,7 @@ reconcileWebuiDirOwnership()
 return 0
 fi
 runOwnership webui
+ runOwnership webui-bind
 isSuccessful "Reconciled WebUI dir ($webui_dir)"
 }
diff --git a/scripts/system/libreportal-ownership b/scripts/system/libreportal-ownership
index 9dbdf85..00afee0 100644
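Review bot: `reconcileWebuiDirOwnership` is called without checking its result, and the `dockerComposeRestart libreportal` a few lines below runs regardless, so the failure mode the new comment describes (container cannot read webui_logins and exits on boot) is still reachable whenever the reconcile does not actually happen. reconcileWebuiDirOwnership also has an early `return 0` path (its condition is outside this diff) and defaults its mode from `$CFG_DOCKER_INSTALL_TYPE`, so if that variable is not loaded in the CLI context the call can return success without touching anything — worth confirming the CLI sources the same config the installer does. I would gate the restart on it: `reconcileWebuiDirOwnership || { isNotice "Ownership reconcile failed; not restarting LibrePortal"; return 1; }`. cliWebuiLoginReset begins and ends outside the hunk.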
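Review bot: The new header comment on reconcileWebuiDirOwnership explains that webui_logins is read through the container-owner group but says nothing about the file's mode, and since webui_logins holds the WebUI credentials that is the one property a reader needs to judge whether this pass is safe to run after every config write. I would add one line after "before the container (re)starts.": `# It only restores group ownership; it must not loosen webui_logins' mode (keep it unreadable to 'other'), as that file holds the WebUI credentials.` — but confirm that against _webui_bind_access, which is not in this diff, before asserting it. The function body continues past the hunk.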
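Review bot: The added `runOwnership webui-bind` has its exit status ignored, and `isSuccessful "Reconciled WebUI dir ($webui_dir)"` on the next line prints unconditionally, so a failed bind-mount fix (for instance the privileged helper rejecting the new action on a host where libreportal-ownership has not yet been updated) is reported as success and the caller goes on to start a container that cannot read its login file. The pre-existing `runOwnership webui` has the same shape, but this new line is the one the commit relies on for correctness. I would gate the success message on both: `runOwnership webui || return 1` and `runOwnership webui-bind || return 1`, assuming runOwnership propagates the helper's exit status (not visible here). reconcileWebuiDirOwnership's body begins outside the hunk.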
--- a/scripts/system/libreportal-ownership
+++ b/scripts/system/libreportal-ownership
@@ -259,9 +259,10 @@ case "$action" in
 db-own) db_own;;
 app-perms) app_perms;;
 webui) webui;;
+ webui-bind) _webui_bind_access;;
 taskdir) taskdir;;
 app-data-nobody) app_data_nobody "${1:-}";;
 app-data-remove) app_data_remove "${1:-}";;
 app-file) app_file "${1:-}" "${2:-}";;
- *) echo "usage: libreportal-ownership {reconcile [mode]|traversal|containers-top|backups-top|db-own|app-perms|webui|taskdir|app-data-nobody |app-data-remove |app-file }" >&2; exit 2;;
+ *) echo "usage: libreportal-ownership {reconcile [mode]|traversal|containers-top|backups-top|db-own|app-perms|webui|webui-bind|taskdir|app-data-nobody |app-data-remove |app-file }" >&2; exit 2;;
 esac
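Review bot: The new `webui-bind) _webui_bind_access;;` arm dispatches a public action straight to an underscore-prefixed function, while every other arm in this case calls an unprefixed one (`webui`, `taskdir`, `app_file`), and the leading underscore presumably marks an internal helper in this file that was not meant to be reachable by action name. This script appears to be the privileged ownership helper invoked through runOwnership, so each action name is part of its exposed surface; I would keep the existing pattern with a small wrapper — `webui_bind() { _webui_bind_access; }` and `webui-bind) webui_bind;;` — or drop the underscore if _webui_bind_access is only called from here. The edited usage string also reads `app-data-nobody |app-data-remove |app-file ` with what look like lost angle-bracket argument placeholders; if that is how the source reads rather than a rendering artefact, restore them while the line is being touched.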