LibrePortal/scripts/system/libreportal-socket
librelad edcdf00aca feat(layout): three-root split + ownership model (phase 2)
Split the single tree into three owner-isolated roots and fix the backup
permission failure (restic, running as the container user, could not write the
manager-owned /docker/backups).

Ownership helper (libreportal-ownership), rewritten for three baked roots:
  SYSTEM_DIR (manager)  CONTAINERS_DIR + BACKUPS_DIR (container user)
- reconcile now drives each tree to its single owner; backups + the WebUI dir go
  to the container user (the actual fix). The container user reaches only the
  WebUI bind-mount sources (configs/webui/*) via a scoped _webui_bind_access —
  traverse the system root + configs, read configs/webui only, nothing else.
- defence-in-depth: refuse dangerous/relative roots even if mis-baked; new
  backups-top action.

Baking: init.sh initRootHelpers now seds __SYSTEM_DIR__/__CONTAINERS_DIR__/
__BACKUPS_DIR__ (alongside __MANAGER__) into every helper at install — the trust
boundary stays root-controlled. svc/socket/appcfg helpers updated to derive from
the baked SYSTEM_DIR; the svc unit now exports LP_*_DIR so the processor resolves
roots authoritatively. A baking-safe '*"__"*' sentinel check survives the sed.

Install/uninstall: initFolders creates the three roots; initContainerLayer hands
containers + backups to the container user; uninstall removes all three
(idempotent on legacy single-tree installs). Remaining functional /docker
literals in init.sh (config reads, setupConfigsFromRepo, uninstall) parameterised.

Compose: the WebUI's two relative ../../configs mounts (the only cross-tree
relative mounts in the tree) are now absolute, filled at generation via a new
CONFIGS_DIR_TAG; CONTAINERS_DIR_TAG likewise for the LP_CONTAINERS_DIR env.

Live box unaffected: installed helpers + the live compose only change on reinstall/
rebuild (both of which fill the tags); the CLI-wrapper heredoc paths are baked in
phase 3.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-25 15:21:28 +01:00

42 lines
1.5 KiB
Bash

#!/bin/bash
# LibrePortal docker-socket permission helper — the only root-privileged chmod of
# the docker sockets the manager may trigger (the type switcher hides/exposes the
# inactive/active mode's socket). Installed root:root 0755 to /usr/local/sbin by
# init.sh. Self-contained; the socket paths are computed here (never caller-
# supplied), so the scoped sudoers can allow it instead of blanket `sudo chmod`.
#
# Exit: 0 = socket found + chmod'd, 3 = socket absent (caller treats as not-found).
set -u
[[ $EUID -eq 0 ]] || { echo "libreportal-socket: must run as root" >&2; exit 1; }
# SYSTEM_DIR baked at install; unbaked copies keep the "__" sentinel.
SYSTEM_DIR="__SYSTEM_DIR__"
[[ "$SYSTEM_DIR" == *"__"* || -z "$SYSTEM_DIR" ]] && SYSTEM_DIR="/libreportal-system"
DB_CFG="$SYSTEM_DIR/configs/general/general_docker_install"
ROOTED_SOCK="/var/run/docker.sock"
_rootless_sock() {
local u uid
u=$(grep -h '^CFG_DOCKER_INSTALL_USER=' "$DB_CFG" 2>/dev/null | head -1 | cut -d= -f2 | awk '{print $1}')
[[ -n "$u" ]] || return 1
uid=$(id -u "$u" 2>/dev/null) || return 1
printf '/run/user/%s/docker.sock' "$uid"
}
which="${1:-}"; state="${2:-}"
case "$which" in
rootless) sock="$(_rootless_sock)" || exit 3 ;;
rooted) sock="$ROOTED_SOCK" ;;
*) echo "usage: libreportal-socket {rootless|rooted} {on|off}" >&2; exit 2 ;;
esac
[[ -e "$sock" ]] || exit 3
case "$state" in
on) chmod +r "$sock" ;;
off) chmod o-r "$sock" ;;
*) echo "usage: libreportal-socket {rootless|rooted} {on|off}" >&2; exit 2 ;;
esac