librelad 68110d199c fix(rootless): slirp4netns default, manager-vs-container helper split, sysctl path
Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted
was byte-identical/fine):

1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read ->
   can't open container netns -> rootless dockerd never starts). Default
   CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable
   for hosts that relax the profile.
2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB
   chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned,
   not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp
   and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts
   (libreportal_folders, app_folder) to runSystem — they must run as root to
   establish ownership during install. Container files (/docker/containers/<app>)
   stay runFileOp.
3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which
   'sysctl --system' does not read -> never applied. Write them to
   /etc/sysctl.d/99-libreportal-hardening.conf instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 00:12:06 +01:00

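Fix 3 above hinges on a detail that is easy to get wrong: `sysctl --system` only globs `*.conf` in a fixed list of directories (procps-ng: /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d) plus /etc/sysctl.conf, so a file under /etc/sysctl/ is never applied and nothing warns about it. The script below is an added example, not LibrePortal's own code: it checks whether a given path is one `sysctl --system` would read, writes a hardening drop-in to the correct location under an optional root (so it can be exercised without root privileges), and validates the file's syntax. The sysctl keys in the drop-in are illustrative hardening settings, not necessarily the ones the project ships; the `ROOT` parameter and all function names are assumptions of this example.

```bash
#!/bin/bash
# Added example (not LibrePortal code): make sure kernel hardening sysctls land
# somewhere `sysctl --system` actually reads, and that the file parses.

# Search list of `sysctl --system` (procps-ng sysctl(8)): *.conf in these
# directories, then /etc/sysctl.conf. Anything else is silently ignored.
SYSCTL_SYSTEM_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"
SYSCTL_SYSTEM_FILE="/etc/sysctl.conf"

# sysctlPathIsLoaded PATH -> 0 if `sysctl --system` would read PATH, else 1.
sysctlPathIsLoaded()
{
    local path="$1" dir
    [ "$path" = "$SYSCTL_SYSTEM_FILE" ] && return 0
    case "$path" in
        *.conf) ;;
        *) return 1 ;;              # only *.conf is globbed in the drop-in dirs
    esac
    for dir in $SYSCTL_SYSTEM_DIRS; do
        [ "$(dirname "$path")" = "$dir" ] && return 0
    done
    return 1
}

# writeHardeningSysctl ROOT -> writes the drop-in under ROOT ("" for the real
# host, a temp dir for testing) and prints the path written. The keys are
# illustrative hardening sysctls chosen for this example.
writeHardeningSysctl()
{
    local root="$1"
    local target="$root/etc/sysctl.d/99-libreportal-hardening.conf"
    mkdir -p "$(dirname "$target")" || return 1
    cat > "$target" <<'EOF'
# Kernel hardening drop-in (example content)
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 1
net.ipv4.conf.all.rp_filter = 1
EOF
    printf '%s\n' "$target"
}

# sysctlFileIsWellFormed FILE -> 0 if every non-comment, non-blank line is
# "key = value" with a sysctl-shaped key, else 1.
sysctlFileIsWellFormed()
{
    local file="$1" line key value
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;
            *=*) ;;
            *) return 1 ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        [ -n "$key" ] && [ -n "$value" ] || return 1
        case "$key" in *[!A-Za-z0-9_./-]*) return 1 ;; esac
    done < "$file"
    return 0
}

# Demo: the path from the bug report versus the corrected one.
for p in /etc/sysctl/99-custom.conf /etc/sysctl.d/99-libreportal-hardening.conf; do
    if sysctlPathIsLoaded "$p"; then
        echo "read by sysctl --system:    $p"
    else
        echo "IGNORED by sysctl --system: $p"
    fi
done
```

Run the check before writing rather than after: an installer that calls `sysctlPathIsLoaded` on its target and aborts on failure would have caught the /etc/sysctl/ typo on the first Debian 12 install instead of on the reinstall test.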
82 lines · 3.2 KiB · Bash · Executable File

#!/bin/bash
# Fix ownership and permissions of every app folder under $containers_dir so
# that LibrePortal (running as $docker_install_user) can traverse the folder
# and read its compose/config files. Runs through runSystem because it has to
# establish ownership as root during install. Pass "loud" as $1 to report each
# step; anything else keeps it quiet.
fixAppFolderPermissions()
{
    local silent_flag="$1"

    if [ ! -d "$containers_dir" ]; then
        if [ "$silent_flag" == "loud" ]; then
            isNotice "$containers_dir does not exist."
        fi
        return 1
    fi

    # Make $containers_dir traversable once, not once per app. Commands are run
    # directly instead of via `local result=$(...)`: that assignment always
    # returns 0, so checkSuccess could never see a failing chmod/chown.
    runSystem chmod +x "$containers_dir" > /dev/null 2>&1
    if [ "$silent_flag" == "loud" ]; then
        checkSuccess "Updating $containers_dir with execute permissions."
    fi

    # Collect all app names in an array
    local app_names=()
    local app_dir
    for app_dir in "$containers_dir"/*/; do
        if [ -d "$app_dir" ]; then
            app_names+=("$(basename "$app_dir")")
        fi
    done

    local app_name app_path file file_path
    for app_name in "${app_names[@]}"; do
        [ -n "$app_name" ] || continue
        app_path="$containers_dir$app_name"

        if [ ! -d "$app_path" ]; then
            if [ "$silent_flag" == "loud" ]; then
                isNotice "$app_path does not exist."
            fi
            continue
        fi

        # Updating $app_path with execute (traverse) permissions
        runSystem chmod +x "$app_path" > /dev/null 2>&1
        if [ "$silent_flag" == "loud" ]; then
            checkSuccess "Updating $app_path with execute permissions."
        fi

        # Updating $app_name with read permissions for others
        runSystem chmod o+r "$app_path" > /dev/null
        if [ "$silent_flag" == "loud" ]; then
            checkSuccess "Updating $app_name with read permissions"
        fi

        # Updating compose file(s) for LibrePortal access
        runSystem find "$app_path" -type f -name '*docker-compose*' -exec chmod o+r {} \; > /dev/null
        if [ "$silent_flag" == "loud" ]; then
            isNotice "Updating compose file(s) for LibrePortal access"
        fi

        # Fix LibrePortal specific file permissions: hand these files to the
        # install user (quoted, so an unset variable fails loudly in chown
        # instead of silently producing a bare ":" owner spec).
        local files=("migrate.txt" "$app_name.config" "docker-compose.yml" "docker-compose.$app_name.yml")
        for file in "${files[@]}"; do
            file_path="$app_path/$file"
            if [ -e "$file_path" ]; then
                runSystem chown "$docker_install_user:$docker_install_user" "$file_path" > /dev/null
                if [ "$silent_flag" == "loud" ]; then
                    checkSuccess "Updating $file with $docker_install_user ownership"
                fi
            fi
        done
    done
}