Convert the remaining ad-hoc 'sudo' calls across the data plane to the run_privileged helpers so every file op lands as the correct owner with no blanket root: - DB/configs (manager-owned): db_list_all_apps, delete_db_file, install_sqlite, cli_webui_commands -> runInstallOp - containers (dockerinstall-owned): scan_container_socket, delete_data, webui_task_files, webui_app_log, webui_config_patch, application_missing_variables, uninstall_app -> runFileOp/runFileWrite - genuine root: passwd, tailscale, ufw-docker, sysctl grep, systemd unit read, authorized_keys read, nobody chown -> runSystem - interactive editors and 'id -u': drop sudo entirely (run as caller) - owncloud/adguard container-UID config edits -> runSystem (funnel; docker-exec rework deferred) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
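#######################################
# Set the AdGuard Home admin user and password.
#
# Hashes the password with bcrypt (htpasswd, cost 10), rewrites the first
# name/password entry under 'users:' in AdGuardHome.yaml, persists the
# credentials through authPersistCfg and restarts the adguard container.
#
# Globals:
#   containers_dir (read), CFG_ADGUARD_ADMIN_USER (read)
# Arguments:
#   $1 - admin user name; falls back to CFG_ADGUARD_ADMIN_USER, then "admin"
#   $2 - plaintext password; generated with generateRandomPassword when empty
# Returns:
#   0 on success; 1 when the inputs, htpasswd, the YAML file or the write fail
#
# Privileged steps go through runSystem (defined elsewhere; presumably the
# root funnel the rest of the project uses — confirm).
#######################################
authAdapter_adguard_setPassword() {
  local user="$1" password="$2"
  user="${user:-${CFG_ADGUARD_ADMIN_USER:-admin}}"
  [[ -z "$password" ]] && password=$(generateRandomPassword)
  # Never hash an empty password: that would leave the admin account open.
  [[ -z "$password" ]] && { isError "No password supplied or generated."; return 1; }

  # The name is written as an unquoted YAML scalar and handed to awk -v, which
  # expands backslash escapes; a control character would add lines to the file.
  if [[ "$user" == *[[:cntrl:]]* || "$user" == *\\* ]]; then
    isError "AdGuard admin user name contains a control character or backslash."
    return 1
  fi

  local yaml="${containers_dir}adguard/conf/AdGuardHome.yaml"
  [[ ! -f "$yaml" ]] && { isError "AdGuardHome.yaml not found at $yaml."; return 1; }
  if ! command -v htpasswd >/dev/null 2>&1; then
    isError "htpasswd is required to bcrypt the new password."
    return 1
  fi

  # Feed the password on stdin (-i) instead of argv (-b) so it is not visible
  # in the process list while htpasswd runs; printf is a shell builtin.
  local bcrypt
  bcrypt=$(printf '%s\n' "$password" | htpasswd -niBC 10 "" | tr -d ':\n')
  [[ -z "$bcrypt" ]] && { isError "bcrypt failed."; return 1; }

  # Same privileged helper as the other steps, rather than a bare sudo call.
  local tmp
  tmp=$(runSystem mktemp) || tmp=""
  [[ -z "$tmp" ]] && { isError "Could not create a temporary file."; return 1; }

  # pipefail is scoped to a subshell: without it the pipeline reports only the
  # status of tee, so awk signalling "nothing replaced" (or failing to read the
  # file) would go unnoticed and the result would still be copied into place.
  if ! (
    set -o pipefail
    runSystem awk -v u="$user" -v pw="$bcrypt" '
      /^users:/ { in_users = 1; print; next }
      # A line starting at column 0 that is not a list item ends the block.
      in_users && /^[^[:space:]-]/ { in_users = 0 }
      # Accept both "name:" and the list-item form "- name:", keeping the
      # original indentation and dash.
      in_users && !done_user && /^[[:space:]]*(-[[:space:]]+)?name:/ {
        match($0, /^[[:space:]]*(-[[:space:]]+)?/)
        print substr($0, RSTART, RLENGTH) "name: " u
        done_user = 1
        next
      }
      in_users && !done_pw && /^[[:space:]]*(-[[:space:]]+)?password:/ {
        match($0, /^[[:space:]]*(-[[:space:]]+)?/)
        print substr($0, RSTART, RLENGTH) "password: " pw
        done_pw = 1
        next
      }
      { print }
      # Fail unless both fields were rewritten, so the persisted credentials
      # cannot drift from what the YAML file holds.
      END { exit ((done_user && done_pw) ? 0 : 1) }
    ' "$yaml" | runSystem tee "$tmp" >/dev/null
  ); then
    runSystem rm -f "$tmp"
    isError "AdGuardHome.yaml does not contain a 'users:' name and password entry."
    return 1
  fi

  # cp overwrites the existing file in place, so it keeps its owner and mode.
  # Stop here on failure so nothing is persisted for a config that was not
  # actually changed.
  if ! runSystem cp "$tmp" "$yaml"; then
    runSystem rm -f "$tmp"
    isError "Could not write $yaml."
    return 1
  fi
  runSystem rm -f "$tmp"

  # NOTE(review): the plaintext password is stored via authPersistCfg and
  # echoed via isSuccessful (both defined elsewhere). Confirm that the
  # persisted config is readable only by its owner and that isSuccessful does
  # not also write to a log file.
  authPersistCfg adguard ADMIN_USER "$user"
  authPersistCfg adguard ADMIN_PASSWORD "$password"
  dockerComposeRestart adguard
  isSuccessful "AdGuard admin set. User: $user — Password: $password"
}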