LibrePortal/scripts/config/password/password_replace_appkey.sh
librelad 6089eb0882 fix(de-sudo): route container-tree writes through the privileged path
Two more cases of the manager writing directly into the container-owned
/libreportal-containers tree (same class as the regen-poll stamp), both masked
by a '✓ Success' that printed anyway:

- Password replacers (config/password/*): used 'runInstallOp sed -i' (manager)
  on app configs copied into the container tree, so sed -i EACCES'd its temp
  file and the substitution silently failed — the adguard.config 'couldn't open
  temporary file', leaving the literal RANDOMIZEDPASSWORD placeholder. Added
  runCfgOp (picks runFileOp vs runInstallOp by the target file's location) and
  routed every $file grep/sed/awk through it: password, username, hex, vapid,
  appkey, and bcrypt.

- Updater generator (webui_updater_scan): 'runFileOp cp <manager-tmp>' can't
  read the manager's 0600 mktemp as the container user, so it fell through to a
  manager 'cp' that EACCES'd on the container-owned out_dir. Switched the three
  writes to 'runFileWrite < tmp' (manager shell reads the tmp; container user
  tees the write).

Both deploy via the normal quick path (relocatable scripts) — no footprint bump,
no reinstall.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 02:33:10 +01:00

24 lines
859 B
Bash

#!/bin/bash
# Laravel-style APP_KEY placeholders.
# Bookstack (and other Laravel apps) expect APP_KEY=base64:<32-byte
# base64> — refuses to boot otherwise. We swap RANDOMIZEDAPPKEY<N>
# placeholders with a freshly generated value.
replaceLaravelAppKeys()
{
local file="$1"
local existing_placeholders=$(runCfgOp grep -oE 'RANDOMIZEDAPPKEY[0-9]*' "$file" 2>/dev/null | sort -u)
if [[ -n "$existing_placeholders" ]]; then
while IFS= read -r placeholder; do
if [[ -n "$placeholder" ]]; then
local app_key
app_key="base64:$(openssl rand -base64 32)"
runCfgOp sed -i "s#${placeholder}#${app_key}#g" "$file"
checkSuccess "Updated ${placeholder} in $(basename "$file") with a new Laravel APP_KEY."
fi
done <<< "$existing_placeholders"
fi
}