librelad 9af2465ffe feat(desudo): socket + systemd-svc helpers; route traefik/db chowns + svc
Move the last runtime-critical root file-primitive subsystems behind
root-owned helpers so the type switcher + task service work under a scoped
sudoers:

- scripts/system/libreportal-socket: {rootless|rooted} {on|off} chmod of
  the docker sockets (paths computed from config, not caller-supplied;
  exit 3 = absent so the *_found flags come from its exit code)
- scripts/system/libreportal-svc: GENERATES + installs the systemd unit
  from config (mode/uid/baked manager) — never accepts unit content from
  the caller (arbitrary unit = root). Idempotent install/enable/restart.
- ownership helper: add db-own + app-file <app> <relpath> actions
- run_privileged: runSocket / runSvc
- set_socket_permissions -> runSocket; webui_install_systemd -> runSvc
  (+ crontab cleanup runs as the manager directly, no sudo -u self)
- before_start: db chown -> runOwnership db-own; traefik cert/yml ->
  runOwnership app-file (retires updateFileOwnership/changeRootOwnedFile)
- init.sh installs all five helpers

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 18:28:56 +01:00

35 lines
1.2 KiB
Bash
Executable File

#!/bin/bash
fixPermissionsBeforeStart()
{
local app_name="$1"
local flag="$2"
if [[ $flag == "update" ]]; then
isHeader "Updating File/Folder Permissions"
fi
fixAppFolderPermissions;
runOwnership db-own
# The regenerable WebUI dir is reconciled to the mode's container owner via
# the shared helper (same code path as install + switch). Third-party app
# data ownership is established at install/restore time, not blanket-chowned
# here — a wrong-owner chown would break permission-strict apps.
if [[ "$app_name" == "libreportal" ]]; then
reconcileWebuiDirOwnership
fi
# Traefik
if [ -f "${containers_dir}traefik/etc/certs/acme.json" ]; then
runOwnership app-file traefik etc/certs/acme.json
local result=$(runFileOp chmod 600 "${containers_dir}traefik/etc/certs/acme.json")
checkSuccess "Set permissions to acme.json file for traefik"
fi
if [ -f "${containers_dir}traefik/etc/traefik.yml" ]; then
runOwnership app-file traefik etc/traefik.yml
local result=$(runFileOp chmod 600 "${containers_dir}traefik/etc/traefik.yml")
checkSuccess "Set permissions to traefik.yml file for traefik"
fi
}