LibrePortal/scripts/system/libreportal-socket
librelad 9af2465ffe feat(desudo): socket + systemd-svc helpers; route traefik/db chowns + svc
Move the last runtime-critical root file-primitive subsystems behind
root-owned helpers so the type switcher + task service work under a scoped
sudoers:

- scripts/system/libreportal-socket: {rootless|rooted} {on|off} chmod of
  the docker sockets (paths computed from config, not caller-supplied;
  exit 3 = absent so the *_found flags come from its exit code)
- scripts/system/libreportal-svc: GENERATES + installs the systemd unit
  from config (mode/uid/baked manager) — never accepts unit content from
  the caller (arbitrary unit = root). Idempotent install/enable/restart.
- ownership helper: add db-own + app-file <app> <relpath> actions
- run_privileged: runSocket / runSvc
- set_socket_permissions -> runSocket; webui_install_systemd -> runSvc
  (+ crontab cleanup runs as the manager directly, no sudo -u self)
- before_start: db chown -> runOwnership db-own; traefik cert/yml ->
  runOwnership app-file (retires updateFileOwnership/changeRootOwnedFile)
- init.sh installs all five helpers

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 18:28:56 +01:00

39 lines, 1.3 KiB, Bash

#!/bin/bash
# LibrePortal docker-socket permission helper — the only root-privileged chmod of
# the docker sockets the manager may trigger (the type switcher hides/exposes the
# inactive/active mode's socket). Installed root:root 0755 to /usr/local/sbin by
# init.sh. Self-contained; the socket paths are computed here (never caller-
# supplied), so the scoped sudoers can allow it instead of blanket `sudo chmod`.
#
# Exit: 0 = socket found + chmod'd, 3 = socket absent (caller treats as not-found),
#       2 = usage error, 1 = not root or chmod failed.
set -u
[[ $EUID -eq 0 ]] || { echo "libreportal-socket: must run as root" >&2; exit 1; }

DB_CFG="/docker/configs/general/general_docker_install"
ROOTED_SOCK="/var/run/docker.sock"

usage() { echo "usage: libreportal-socket {rootless|rooted} {on|off}" >&2; exit 2; }

# Resolve the rootless socket path from the configured docker install user's uid.
# Returns 1 when no user is configured or the account does not exist.
_rootless_sock() {
  local u uid
  u=$(grep -h '^CFG_DOCKER_INSTALL_USER=' "$DB_CFG" 2>/dev/null | head -1 | cut -d= -f2 | awk '{print $1}')
  [[ -n "$u" ]] || return 1
  uid=$(id -u "$u" 2>/dev/null) || return 1
  printf '/run/user/%s/docker.sock' "$uid"
}

which="${1:-}"; state="${2:-}"

# Validate both arguments before touching the filesystem, so a bad invocation
# always exits 2 and is never reported to the caller as "socket absent" (3).
case "$state" in
  on|off) ;;
  *)      usage ;;
esac
case "$which" in
  rootless) sock="$(_rootless_sock)" || exit 3 ;;
  rooted)   sock="$ROOTED_SOCK" ;;
  *)        usage ;;
esac

# Only act on a real socket at the computed path: chmod follows symlinks, so a
# link placed there would redirect the root chmod to whatever it points at.
[[ -S "$sock" && ! -L "$sock" ]] || exit 3

case "$state" in
  on)  chmod +r "$sock" ;;   # expose: add read for all classes (subject to umask)
  off) chmod o-r "$sock" ;;  # hide: drop read for "other"
esac
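The commit message says the manager-side `*_found` flags come from this helper's exit code rather than from the caller probing socket paths. The wrapper below is an added example of that caller side, not LibrePortal's own `run_privileged`/`runSocket` code: `run_socket`, `SOCKET_FOUND`, `LIBREPORTAL_SOCKET_BIN` and `PRIV_PREFIX` are assumed names, parameterised so the wrapper can be exercised against a stub helper without root, and the sudoers fragment in the comment is an illustration of what a scoped rule for this helper looks like, not the project's actual sudoers.

```shell
#!/bin/sh
# Added example (not LibrePortal's own run_privileged/runSocket code): a caller-side
# wrapper that derives the *_found flag from the helper's exit code instead of
# testing socket paths itself. LIBREPORTAL_SOCKET_BIN and PRIV_PREFIX are assumed
# names, kept overridable so the wrapper can be run against a stub helper.
#
# Illustrative scoped sudoers rule (assumed; the page does not show the real one)
# allowing the manager account to run only this helper, only with these arguments:
#   manager ALL=(root) NOPASSWD: /usr/local/sbin/libreportal-socket rootless on, \
#       /usr/local/sbin/libreportal-socket rootless off, \
#       /usr/local/sbin/libreportal-socket rooted on, \
#       /usr/local/sbin/libreportal-socket rooted off
: "${LIBREPORTAL_SOCKET_BIN:=/usr/local/sbin/libreportal-socket}"
: "${PRIV_PREFIX:=sudo -n}"   # set to "" when already root (or under test)

# run_socket <rootless|rooted> <on|off>
# Sets SOCKET_FOUND=1 (helper exit 0: found and chmod'd) or SOCKET_FOUND=0
# (helper exit 3: absent) and returns 0. Any other helper exit code is an error:
# SOCKET_FOUND stays 0 and that code is returned, so "absent" is never confused
# with "failed" or "rejected arguments".
run_socket() {
  which="$1"; state="$2"
  SOCKET_FOUND=0
  if $PRIV_PREFIX "$LIBREPORTAL_SOCKET_BIN" "$which" "$state"; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0) SOCKET_FOUND=1; return 0 ;;
    3) return 0 ;;
    2) echo "run_socket: helper rejected arguments '$which $state'" >&2; return 2 ;;
    *) echo "run_socket: helper failed (exit $rc)" >&2; return "$rc" ;;
  esac
}

# Typical use in a type switcher: expose the active mode's socket, hide the
# other one, and record whether each existed.
#   run_socket rooted on;    rooted_found=$SOCKET_FOUND
#   run_socket rootless off; rootless_found=$SOCKET_FOUND
```

The `if ... then rc=0 else rc=$? fi` shape matters: it captures the helper's status without tripping `set -e` in callers that enable it, which a bare `cmd; rc=$?` would not survive. Keeping argument validation (exit 2) distinct from "absent" (exit 3) on the helper side is what makes this mapping trustworthy.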