Model A prototype (run start.sh AS the manager, escalate only via helpers): - check_root.sh: accept the manager user, not root-only (init.sh keeps its own install-time root check). - init.sh: guard the top-level root-check + installer entrypoint with BASH_SOURCE!=$0 so it runs ONLY when init.sh is executed directly; when start.sh sources it as the manager the entrypoint (and its root check) no longer fires. Also: convert bare daemon-touching 'docker' calls (no helper -> hit the nonexistent /var/run socket in rootless) to runFileOp docker across app_status, app_health_*, network_prune, ip_is_available, check_docker_network, backup_db (db dumps) and crontab_check_processor. cd&&compose rooted-branches and 'docker compose --version' checks left as-is (rooted-only / no daemon). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
17 lines
550 B
Bash
Executable File
17 lines
550 B
Bash
Executable File
#!/bin/bash
|
|
|
|
checkRootRequirement()
|
|
{
|
|
if [[ $CFG_REQUIREMENT_ROOT == "true" ]]; then
|
|
# Model A least-privilege: the app runs AS the manager user and escalates
|
|
# only specific commands via runSystem, so accept the manager as well as
|
|
# root — not root-only. (init.sh keeps its own install-time root check.)
|
|
local mgr="${sudo_user_name:-libreportal}"
|
|
if [[ $EUID -eq 0 || "$(id -un)" == "$mgr" ]]; then
|
|
isSuccessful "Running as $(id -un)."
|
|
else
|
|
echo "This script must be run as root or the manager user ($mgr)."
|
|
exit 1
|
|
fi
|
|
fi
|
|
} |