LibrePortal/scripts/app/app_update_specifics.sh
librelad 8b14f26125 refactor(desudo): route scattered runtime sudo through privilege helpers
Convert the remaining ad-hoc 'sudo' calls across the data plane to the
run_privileged helpers so every file op lands as the correct owner with
no blanket root:

- DB/configs (manager-owned): db_list_all_apps, delete_db_file,
  install_sqlite, cli_webui_commands -> runInstallOp
- containers (dockerinstall-owned): scan_container_socket, delete_data,
  webui_task_files, webui_app_log, webui_config_patch,
  application_missing_variables, uninstall_app -> runFileOp/runFileWrite
- genuine root: passwd, tailscale, ufw-docker, sysctl grep, systemd
  unit read, authorized_keys read, nobody chown -> runSystem
- interactive editors and 'id -u': drop sudo entirely (run as caller)
- owncloud/adguard container-UID config edits -> runSystem (funnel;
  docker-exec rework deferred)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 18:00:19 +01:00


#!/bin/bash
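#######################################
# Run the post-update steps that only apply to specific applications.
# Globals:
#   CFG_REQUIREMENT_DNS_UPDATER (read) - "true" enables the DNS updater step
#   containers_dir (read)              - prefix of the per-app container dirs
#   shouldrestart (read, written)      - deliberately left global: a value set
#                                        before this call also triggers the
#                                        restart below
# Arguments:
#   $1 - application name
# Returns:
#   1 when the focalboard data path cannot be built because containers_dir is
#   empty; otherwise the status of isSuccessful.
#######################################
appUpdateSpecifics() {
  local app_name="$1"

  # Initialize setup. The name is quoted so it always reaches the helper as a
  # single argument, even if it contains whitespace or glob characters.
  initializeAppVariables "$app_name"

  case "$app_name" in
    adguard | pihole)
      if [[ "${CFG_REQUIREMENT_DNS_UPDATER:-}" == "true" ]]; then
        updateDNS "$app_name" install
      fi
      # Split-horizon local DNS: app subdomains resolve to the box on the LAN.
      # The helper is optional, so only call it when it is defined.
      if declare -F setupLocalDnsRewrites >/dev/null 2>&1; then
        setupLocalDnsRewrites
      fi
      ;;
    libreportal)
      webuiLibrePortalUpdate
      ;;
    dashy)
      # Refresh apps-services.json (the source of truth that
      # appDashyUpdateConf reads) before generating dashy's conf.yml.
      # On a first dashy install the file may not yet reflect dashy
      # itself; on a re-install the previous selection survives.
      webuiLibrePortalUpdate
      appDashyUpdateConf
      ;;
    focalboard)
      # Focalboard runs as nobody (65534) and writes its sqlite db + uploads
      # under its mounted data dir; fixPermissionsBeforeStart hands the dir to
      # the install user, so give it to 65534 here or the server can't open
      # the database. Restart so it picks the dir up.
      #
      # This is a recursive ownership change issued through the privileged
      # helper, so refuse to run it when the prefix is empty: the target would
      # silently become the relative path "focalboard/data" under the current
      # working directory.
      if [[ -z "${containers_dir:-}" ]]; then
        printf '%s\n' \
          "appUpdateSpecifics: containers_dir is empty; refusing to chown ${app_name}/data" >&2
        return 1
      fi
      # NOTE(review): the tree is writable by the container UID after this
      # step; confirm the chown behind runSystem does not follow symlinks
      # placed inside it on later runs.
      runSystem chown -R 65534:65534 "${containers_dir}${app_name}/data"
      shouldrestart="true"
      ;;
  esac

  if [[ "${shouldrestart:-}" == "true" ]]; then
    dockerComposeRestart "$app_name"
  fi

  isSuccessful "All application specific updates have been completed."
}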