3 Commits

Author SHA1 Message Date
librelad
6089eb0882 fix(de-sudo): route container-tree writes through the privileged path
Two more cases of the manager writing directly into the container-owned
/libreportal-containers tree (same class as the regen-poll stamp), both masked
by a '✓ Success' that printed anyway:

- Password replacers (config/password/*): used 'runInstallOp sed -i' (manager)
  on app configs copied into the container tree, so sed -i EACCES'd its temp
  file and the substitution silently failed — the adguard.config 'couldn't open
  temporary file', leaving the literal RANDOMIZEDPASSWORD placeholder. Added
  runCfgOp (picks runFileOp vs runInstallOp by the target file's location) and
  routed every $file grep/sed/awk through it: password, username, hex, vapid,
  appkey, and bcrypt.

- Updater generator (webui_updater_scan): 'runFileOp cp <manager-tmp>' can't
  read the manager's 0600 mktemp as the container user, so it fell through to a
  manager 'cp' that EACCES'd on the container-owned out_dir. Switched the three
  writes to 'runFileWrite < tmp' (manager shell reads the tmp; container user
  tees the write).

Both deploy via the normal quick path (relocatable scripts) — no footprint bump,
no reinstall.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 02:33:10 +01:00
librelad
5ceef2df6a refactor(de-sudo): config/password processors off raw sudo
scanConfigsForRandomPassword iterates $configs_dir (manager-owned), so the
placeholder grep/sed/awk on the config file -> runInstallOp. The bcrypt export
log ($containers_dir/bcrypt.txt) is docker-install-owned, so its touch/chmod/
sed/grep/append -> runFileOp/runFileWrite (NOT runInstallOp). Covers all
password_replace*/password_user_replace/password_update_all and bcrypt/*.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 17:30:25 +01:00
librelad
875a60f90f LibrePortal v0.1.0 — initial release
A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys,
Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun
VPN routing, and a web dashboard to manage it all.

Free & open forever to self-host; optional paid hosted services fund it.
See PROMISE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-21 20:37:54 +01:00