LibrePortal/scripts/docker/command/docker_run_install.sh
librelad 49c1a23221 fix(rootless): run install-user commands via sudo -u, not SSH
dockerCommandRunInstallUser ssh'd to <user>@localhost, but nothing set up an
SSH server/keys/authorized_keys, so every rootless setup command (daemon
install, systemctl --user) silently no-op'd. Replace with 'sudo -u <user> env
…' that sets XDG_RUNTIME_DIR / DBUS_SESSION_BUS_ADDRESS / DOCKER_HOST / PATH
explicitly; linger keeps the user systemd + /run/user/<uid> alive so
systemctl --user works. No SSH server, no keys, less attack surface, and
sudo -u to an unprivileged user is not a root escalation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 21:42:29 +01:00


#!/bin/bash
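# Run a command as the unprivileged rootless Docker install user.
#
# This used to ssh to <user>@localhost to get a fully-initialised user session
# (so `systemctl --user` and the rootless dockerd would work). That needs an SSH
# server, a generated key and authorized_keys — none of which the install set
# up, so the whole rootless path silently no-op'd. Instead run via `sudo -u`
# with the session env set explicitly: `loginctl enable-linger` (done during
# rootless setup) keeps the user's `systemd --user` and /run/user/<uid> alive,
# so `systemctl --user` works, and DOCKER_HOST points at the rootless socket.
# `sudo -u` to an unprivileged user is not a root escalation, and there's no SSH
# attack surface.
#
# Security notes:
#   - The command string is handed to `bash -c`, so it is parsed as shell
#     source by the target user. Callers must build it from trusted values
#     only; anything interpolated into it is executed, not treated as data.
#   - The "not a root escalation" property holds only while
#     CFG_DOCKER_INSTALL_USER resolves to a non-root account. This function
#     does not check for uid 0.
#     NOTE(review): confirm the config loader rejects root here.
#   - --silent discards stdout AND stderr of the command. The exit status is
#     still returned, so callers should test it rather than assume success.
#
# Globals:
#   CFG_DOCKER_INSTALL_USER (read) - account the command is run as
# Arguments:
#   --silent  optional, must be the first argument; suppresses command output
#   $1        command string to execute via `bash -c`
# Returns:
#   1 if no command was given or the user cannot be resolved, otherwise the
#   exit status of the sudo invocation.
dockerCommandRunInstallUser()
{
  local silent_flag=""
  if [[ "${1:-}" == "--silent" ]]; then
    silent_flag="$1"
    shift
  fi

  # An empty command would make `bash -c ""` exit 0 without doing anything,
  # which is the same silent no-op this helper exists to avoid.
  local remote_command="${1:-}"
  if [[ -z "$remote_command" ]]; then
    isError "No command given to run as '$CFG_DOCKER_INSTALL_USER'."
    return 1
  fi

  # `--` stops option parsing so a configured name beginning with '-' is
  # looked up as a user name instead of being read as an option to id.
  local uid
  uid=$(id -u -- "$CFG_DOCKER_INSTALL_USER" 2>/dev/null)
  if [[ -z "$uid" ]]; then
    isError "Cannot run as '$CFG_DOCKER_INSTALL_USER' — user does not exist."
    return 1
  fi

  # rootless docker installs its binaries to the user's ~/bin, so include it.
  # NOTE(review): HOME and PATH assume the account's home is /home/<user>;
  # confirm that matches how the install user is created.
  local -a run_env=(
    "HOME=/home/$CFG_DOCKER_INSTALL_USER"
    "XDG_RUNTIME_DIR=/run/user/$uid"
    "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus"
    "DOCKER_HOST=unix:///run/user/$uid/docker.sock"
    "PATH=/home/$CFG_DOCKER_INSTALL_USER/bin:/usr/bin:/bin:/usr/local/bin"
  )

  # Build the invocation once as an array so both output modes run exactly
  # the same command line and every argument stays a single word.
  local -a run_cmd=(
    sudo -u "$CFG_DOCKER_INSTALL_USER"
    env "${run_env[@]}"
    bash -c "$remote_command"
  )

  if [[ -n "$silent_flag" ]]; then
    "${run_cmd[@]}" >/dev/null 2>&1
  else
    "${run_cmd[@]}"
  fi
}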