LibrePortal/scripts/function/permission/libreportal_folders.sh
librelad 1dc915f642 feat(switcher): reconcileDockerOwnership — safe owner-only control-plane reconcile on mode switch
Mode switches change /docker ownership expectations, but the switcher only
ever fixed the socket — never file ownership — so a rooted<->rootless swap
left the control plane owned for the wrong mode (CLI + de-sudo helpers then
can't access it).

Add reconcileDockerOwnership (single source of truth): swaps ONLY the owner
of LibrePortal's control plane (configs/logs/scripts/DB + /docker top) to the
mode owner (root rooted / manager rootless). It never resets mode bits (only
adds o+x on /docker for traversal and o+r on the DB for the WebUI), and never
touches /docker/containers/** app data, backups/, or ssl/ssh keys. Wired into
both switch branches between container-retag and app-start.

App data is deliberately NOT chowned: container UIDs re-map across modes
(rootless subuid offset), so a chown can't carry e.g. Postgres data across —
that's a backup->switch->restore operation. Switcher now warns to back up
stateful apps before switching and restore after.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 01:16:49 +01:00

73 lines
3.2 KiB
Bash
Executable File

#!/bin/bash
# Reconcile ONLY the LibrePortal control plane ownership for the current Docker
# mode, so the CLI and the de-sudo helpers (runFileOp/runInstallOp) keep working
# after a rooted<->rootless switch:
# rooted -> root:root (CLI operates via sudo)
# rootless -> $sudo_user_name (the manager/runtime user owns its own files)
#
# Scope is DELIBERATELY narrow — the de-sudo-critical, LibrePortal-owned files
# only: configs/, logs/, install scripts, the apps DB, and the /docker top level
# (kept o+x so the docker user can still traverse to its container dirs).
#
# It does NOT touch /docker/containers/** (per-app data, written by per-app
# container UIDs — uid-mapped through subuids in rootless), nor backups/ (owned
# by the backup-engine user), nor ssl/ssh (key material). A blanket chown there
# would break permission-strict apps (Postgres/MySQL refuse a wrong-owned data
# dir; Grafana/Nextcloud run as fixed UIDs) AND can't survive the rootless
# subuid offset anyway. Moving a stateful app across modes is a backup->switch
# ->restore operation, not a chown. Must run as ROOT, apps stopped. Idempotent.
reconcileDockerOwnership()
{
local mode="${1:-$CFG_DOCKER_INSTALL_TYPE}"
[[ -d "$docker_dir" ]] || return 0
local owner="root"
[[ "$mode" == "rootless" ]] && owner="$sudo_user_name"
# Swap ONLY the owner on our own control-plane files; never reset mode bits
# (so nothing that validates its permissions gets surprised). The only two
# bits we *add* (never remove) are structural and on our own dirs, not app
# files: o+x on /docker so the docker user can still traverse to its
# container dirs, and o+r on the DB so the WebUI container can read it.
runSystem chown "$owner:$owner" "$docker_dir"
runSystem chmod o+x "$docker_dir"
# LibrePortal-owned control plane (NOT containers/ backups/ ssl/ ssh) — owner
# only, modes preserved.
local p
for p in "$configs_dir" "$logs_dir" "$script_dir" "$docker_dir/$db_file"; do
[[ -e "$p" ]] && runSystem chown -R "$owner:$owner" "$p"
done
[[ -f "$docker_dir/$db_file" ]] && runSystem chmod o+r "$docker_dir/$db_file"
isSuccessful "Reconciled LibrePortal control-plane ownership for $mode ($owner)"
}
fixFolderPermissions()
{
local silent_flag="$1"
local app_name="$2"
local result=$(runSystem chmod +x "$docker_dir" > /dev/null 2>&1)
if [ "$silent_flag" == "loud" ]; then
checkSuccess "Updating $docker_dir with execute permissions."
fi
local result=$(runSystem chmod +x "$containers_dir" > /dev/null 2>&1)
if [ "$silent_flag" == "loud" ]; then
checkSuccess "Updating $containers_dir with execute permissions."
fi
local result=$(runSystem find "$script_dir" "$ssl_dir" "$ssh_dir" "$backup_dir" "$restore_dir" "$migrate_dir" -maxdepth 2 -type d -exec chmod +x {} \;)
if [ "$silent_flag" == "loud" ]; then
checkSuccess "Adding execute permissions for $docker_install_user user"
fi
# Install user related
local result=$(runSystem chown $docker_install_user:$docker_install_user "$containers_dir" > /dev/null 2>&1)
if [ "$silent_flag" == "loud" ]; then
checkSuccess "Updating $containers_dir with $docker_install_user ownership"
fi
}