Compare commits

...

2 Commits

Author SHA1 Message Date
librelad
38b3f189b8 Merge claude/1 2026-06-18 18:05:24 +01:00
librelad
a2376e2fc6 fix(security): webui config files reachable by group, not world
_webui_bind_access granted o+r to every file in configs/webui so the
rootless container could read its bind-mount sources — but that also made
secrets like webui_logins world-readable to any local user. Under rootless
the container's gid 0 maps to the container owner's gid, so group access is
sufficient: chown the webui dir + files to MANAGER:container-owner, dir
0751 (traverse, not list), files 0640. Container reads via group; other
local users get nothing; the manager (owner) still rewrites them.

Verified live: container READ ok, world READ denied, manager rw, WebUI
login still 200. Live helper updated in lockstep with this source.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-06-18 18:05:24 +01:00

View File

@ -94,13 +94,22 @@ _app_dir() {
# Let the rootless container user reach the few system-tree files it must read as
# bind-mount sources (the WebUI's configs/webui/*), WITHOUT exposing the rest of
# the control plane: traverse SYSTEM_DIR + configs, read configs/webui only.
# the control plane — or those files' contents to other local users.
#
# Access is granted via the GROUP, not world: under rootless the container's gid 0
# maps to the container owner's gid on the host, so group-read is enough for the
# container while other local users get nothing. Owner stays the manager so the
# control plane can still rewrite them; the dir keeps only o+x (traverse, not list).
# This is what keeps secrets like webui_logins from being world-readable.
_webui_bind_access() {
chmod o+x "$SYSTEM_DIR" 2>/dev/null
[[ -d "$CONFIGS_DIR" ]] && chmod o+x "$CONFIGS_DIR" 2>/dev/null
if [[ -d "$CONFIGS_DIR/webui" ]]; then
chmod o+rx "$CONFIGS_DIR/webui" 2>/dev/null
find "$CONFIGS_DIR/webui" -maxdepth 1 -type f -exec chmod o+r {} \; 2>/dev/null
local cowner; cowner="$(_container_owner "$(_mode)")"
chown "$MANAGER:$cowner" "$CONFIGS_DIR/webui" 2>/dev/null
chmod 0751 "$CONFIGS_DIR/webui" 2>/dev/null
find "$CONFIGS_DIR/webui" -maxdepth 1 -type f \
-exec chown "$MANAGER:$cowner" {} \; -exec chmod 0640 {} \; 2>/dev/null
fi
}