fix(de-sudo): skip runtime dockerinstall-password re-sync (twin of 9050a8c)
start_scan.sh runs updateDockerInstallPassword every system scan, doing `sudo passwd $CFG_DOCKER_INSTALL_USER` via runSystem. Model A's scoped sudoers grants only LP_HELPERS/LP_SYSTEM + run-as-install-user — not passwd — so at runtime (manager, non-root) it fails exit 1 every scan.

This is the exact sibling of the updateDockerSudoPassword failure fixed in 9050a8c; that guard was added to the manager/sudo user but the dockerinstall user was missed, so error_report.log kept logging "Updating the password for the dockerinstall user" on every scan.

The password is set at install (root path, startPreInstall → installDockerRootlessUser) and the rootless docker user is driven by tooling, not a password login, so the runtime re-sync is legacy + impossible under de-sudo. Guard it to skip unless EUID 0, mirroring the sudo-pass fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
parent
caf90bfdfa
commit
f8e1072d1e
@ -2,6 +2,17 @@
|
||||
|
||||
updateDockerInstallPassword()
|
||||
{
|
||||
# The rootless docker user's password is set at install (as root, from the
|
||||
# startPreInstall → installDockerRootlessUser path). Under the de-sudo model
|
||||
# the runtime runs AS the manager with a SCOPED sudoers that grants only
|
||||
# LP_HELPERS/LP_SYSTEM + running-as-the-install-user — NOT `passwd`. So the
|
||||
# per-scan re-sync from start_scan.sh can't work (sudo passwd is denied) and
|
||||
# isn't needed (the user is operated via rootless-docker tooling, not a
|
||||
# password login). Skip unless actually root, else every system scan fails
|
||||
# this step. Twin of the updateDockerSudoPassword guard.
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
return 0
|
||||
fi
|
||||
local result; result=$(echo -e "$CFG_DOCKER_INSTALL_PASS\n$CFG_DOCKER_INSTALL_PASS" | runSystem passwd "$CFG_DOCKER_INSTALL_USER" > /dev/null 2>&1)
|
||||
checkSuccess "Updating the password for the $CFG_DOCKER_INSTALL_USER user"
|
||||
}
|
||||
|
||||
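Review bot: The new `if [[ $EUID -ne 0 ]]` guard returns 0 without logging anything, so a non-root run is indistinguishable from a successful password update. If CFG_DOCKER_INSTALL_PASS is changed after install, the account keeps its old password and nothing in the logs records that the re-sync was skipped. Consider emitting a one-line notice before `return 0`, or documenting that changing this password requires a root run. Since the commit message calls the runtime re-sync legacy, removing the call from start_scan.sh would also make the intent clearer than a guard that runs and exits on every scan. Separately, in the unchanged `passwd` line, `echo -e` interprets backslash sequences inside `$CFG_DOCKER_INSTALL_PASS`, so a password containing a backslash would be set to something other than the configured value; `printf '%s\n%s\n'` avoids that.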