Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted was byte-identical/fine):

1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read -> can't open container netns -> rootless dockerd never starts). Default CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable for hosts that relax the profile.

2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned, not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts (libreportal_folders, app_folder) to runSystem — they must run as root to establish ownership during install. Container files (/docker/containers/<app>) stay runFileOp.

3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which 'sysctl --system' does not read -> never applied. Write them to /etc/sysctl.d/99-libreportal-hardening.conf instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
29 lines
1.0 KiB
Bash
Executable File
#!/bin/bash
# Helper sourced by the LibrePortal installer. It depends on functions and
# variables defined elsewhere in the project: runSystem (runs a command as
# root), checkSuccess (reports the outcome of the preceding step) and the
# *_dir / docker_install_user variables.

fixFolderPermissions()
{
    local silent_flag="$1"
    local app_name="$2"   # accepted for call-site compatibility; not used here
    local result

    # Declare and assign separately: "local result=$(...)" makes the exit
    # status that of "local" (always 0) rather than of the command run inside
    # the substitution (shellcheck SC2155).
    result=$(runSystem chmod +x "$docker_dir" > /dev/null 2>&1)
    if [ "$silent_flag" == "loud" ]; then
        checkSuccess "Updating $docker_dir with execute permissions."
    fi

    result=$(runSystem chmod +x "$containers_dir" > /dev/null 2>&1)
    if [ "$silent_flag" == "loud" ]; then
        checkSuccess "Updating $containers_dir with execute permissions."
    fi

    # Execute on a directory means "traverse", which the install user needs to
    # reach files below these trees. Limited to directories two levels deep.
    result=$(runSystem find "$script_dir" "$ssl_dir" "$ssh_dir" "$backup_dir" "$restore_dir" "$migrate_dir" -maxdepth 2 -type d -exec chmod +x {} \;)
    if [ "$silent_flag" == "loud" ]; then
        checkSuccess "Adding execute permissions for $docker_install_user user"
    fi

    # Install user related: the containers tree belongs to the install user.
    # Changing ownership requires root, hence runSystem rather than a
    # de-sudo'd helper.
    result=$(runSystem chown "$docker_install_user:$docker_install_user" "$containers_dir" > /dev/null 2>&1)
    if [ "$silent_flag" == "loud" ]; then
        checkSuccess "Updating $containers_dir with $docker_install_user ownership"
    fi
}
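The third fix in the commit message above moves the hardening sysctls into /etc/sysctl.d because `sysctl --system` never reads /etc/sysctl/. The following is an added example, not LibrePortal's own code, for checking which files `sysctl --system` would actually load. It follows the search order documented in procps sysctl(8): /etc/sysctl.d/*.conf, /run/sysctl.d/*.conf, /usr/local/lib/sysctl.d/*.conf, /usr/lib/sysctl.d/*.conf, /lib/sysctl.d/*.conf and finally /etc/sysctl.conf, where a basename already loaded from an earlier directory shadows a file of the same name in a later one. The function names, the optional root-prefix parameter and the scratch tree are assumptions of this example; the file names and contents in the demo are constructed, and the scratch tree is only there so the check can run without touching a live host.

```shell
#!/bin/bash
# Added example (not from the LibrePortal project): enumerate the files that
# `sysctl --system` loads, in the order procps sysctl(8) documents, and use
# that to tell whether a drop-in path will ever be applied.
#
# ROOT is an optional prefix (assumption of this example) so the same logic can
# be run against a scratch tree; with no ROOT the live host is inspected.

sysctl_system_files() {
    local root="${1:-}"
    local dir f base
    local seen=" "   # space-delimited list of basenames already loaded
    for dir in /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d \
               /usr/lib/sysctl.d /lib/sysctl.d; do
        for f in "$root$dir"/*.conf; do
            [ -f "$f" ] || continue
            base=${f##*/}
            # A basename seen in an earlier directory shadows this copy.
            case "$seen" in *" $base "*) continue ;; esac
            seen="$seen$base "
            printf '%s\n' "$f"
        done
    done
    # /etc/sysctl.conf is read last, after all the drop-in directories.
    [ -f "$root/etc/sysctl.conf" ] && printf '%s\n' "$root/etc/sysctl.conf"
    return 0
}

# sysctl_will_load ABS_PATH [ROOT]: exit 0 if the file is one that
# `sysctl --system` loads, 1 if it sits outside the search path (the
# /etc/sysctl/99-custom.conf mistake) or is shadowed by an earlier directory.
sysctl_will_load() {
    local path="$1" root="${2:-}"
    sysctl_system_files "$root" | grep -qxF -- "$root$path"
}

# Build a constructed scratch tree (assumption of this example) that contains
# the misplaced file, the corrected file, and a shadowed /usr/lib drop-in.
demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl" "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'kernel.kptr_restrict = 2\n'   > "$root/etc/sysctl/99-custom.conf"
    printf 'kernel.kptr_restrict = 2\n'   > "$root/etc/sysctl.d/99-libreportal-hardening.conf"
    printf 'fs.protected_hardlinks = 1\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    printf 'fs.protected_hardlinks = 0\n' > "$root/etc/sysctl.d/50-default.conf"
    printf '%s\n' "$root"
}

demo_sysctl_paths() {
    local root p
    root=$(demo_tree)
    echo "Files sysctl --system would load under $root:"
    sysctl_system_files "$root"
    for p in /etc/sysctl.d/99-libreportal-hardening.conf /etc/sysctl/99-custom.conf; do
        if sysctl_will_load "$p" "$root"; then
            echo "LOADED   $p"
        else
            echo "IGNORED  $p"
        fi
    done
    rm -rf "$root"
}

demo_sysctl_paths
```

On a real host, `sysctl_will_load /etc/sysctl.d/99-libreportal-hardening.conf` with no root argument is the preflight check an installer can run after writing the file; a non-zero exit means the settings will not be applied at boot, and `sysctl -w` or `sysctl --system` still has to be run once for the current session either way.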