The install/start paths and the switch reconcile managed /docker ownership separately, so a fresh install produced different ownership than a post-switch state — the root cause of the rootless 'touch: Permission denied' storm.

Consolidate onto the reconcile model:

- dockerContainerOwner(): single definition of the mode's container owner (rooted -> manager, rootless -> config-authoritative docker install user).
- reconcileContainersTopOwnership(): owns + makes traversable the structural containers/ top dir; now also run by the switch reconcile (previously only the install pass set it, so a rootless->rooted switch left it stale).
- reconcileWebuiDirOwnership(): now uses dockerContainerOwner.
- reconcileDockerOwnership(): calls both helpers.
- fixFolderPermissions(): slimmed to the +x traversal bits; its ad-hoc containers/ chown is now the shared helper.
- fixPermissionsBeforeStart(): drop changeRootOwnedFilesAndFolders (a pre-de-sudo band-aid that only fixed root-owned files and ran contrary to the don't-touch-third-party-data rule); reconcile the WebUI dir via the shared helper instead.

Delete the now-unused root_files_folders.sh and regenerate the source arrays.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
35 lines
1.3 KiB
Bash
Executable File
#!/bin/bash

fixPermissionsBeforeStart()
{
    local app_name="$1"
    local flag="$2"
    # Declared separately from the assignments below: `local var=$(cmd)`
    # returns the status of `local`, hiding a failed chmod.
    local result

    if [[ $flag == "update" ]]; then
        isHeader "Updating File/Folder Permissions"
    fi

    fixAppFolderPermissions;
    changeRootOwnedFile "$docker_dir/$db_file" "$sudo_user_name"

    # The regenerable WebUI dir is reconciled to the mode's container owner via
    # the shared helper (same code path as install + switch). Third-party app
    # data ownership is established at install/restore time, not blanket-chowned
    # here — a wrong-owner chown would break permission-strict apps.
    if [[ "$app_name" == "libreportal" ]]; then
        reconcileWebuiDirOwnership
    fi

    # Traefik
    if [ -f "${containers_dir}traefik/etc/certs/acme.json" ]; then
        updateFileOwnership "${containers_dir}traefik/etc/certs/acme.json" "$docker_install_user" "$docker_install_user"
        result=$(sudo chmod 600 "${containers_dir}traefik/etc/certs/acme.json")
        checkSuccess "Set permissions to acme.json file for traefik"
    fi
    if [ -f "${containers_dir}traefik/etc/traefik.yml" ]; then
        updateFileOwnership "${containers_dir}traefik/etc/traefik.yml" "$docker_install_user" "$docker_install_user"
        result=$(sudo chmod 600 "${containers_dir}traefik/etc/traefik.yml")
        checkSuccess "Set permissions to traefik.yml file for traefik"
    fi
}
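
The reconcile model described in the commit message, as an added sketch that is not the project's code: one function defines the expected owner per mode, a check reports drift without changing anything, and a reconcile step changes only what differs. The function names and the manager_user variable are hypothetical; GNU stat is assumed.

```bash
#!/bin/bash
# Added illustration. Function names are hypothetical, not the project's helpers.
# Assumes GNU stat and that manager_user / docker_install_user are set by the caller.

# One definition of who should own managed paths in each Docker mode.
expected_owner() {
    case "$1" in
        rooted)   printf '%s\n' "$manager_user" ;;
        rootless) printf '%s\n' "$docker_install_user" ;;
        *)        return 2 ;;   # unknown mode: refuse to guess an owner
    esac
}

# Report drift for one path without changing it.
# Prints "ok" (returns 0), "drift: ..." (returns 1) or "missing" (returns 2).
check_path() {
    local path="$1" want_owner="$2" want_mode="$3"
    local have_owner have_mode drift=""
    have_owner=$(stat -c '%U' -- "$path" 2>/dev/null) || { echo "missing"; return 2; }
    have_mode=$(stat -c '%a' -- "$path")
    [ "$have_owner" = "$want_owner" ] || drift="owner $have_owner (want $want_owner)"
    [ "$have_mode" = "$want_mode" ] || drift="${drift:+$drift, }mode $have_mode (want $want_mode)"
    if [ -n "$drift" ]; then
        echo "drift: $drift"
        return 1
    fi
    echo "ok"
}

# Converge one path on the expected state, touching only what drifted, so the
# result is the same whether it runs at install, at start or after a mode switch.
reconcile_path() {
    local path="$1" mode="$2" want_mode="$3" owner
    owner=$(expected_owner "$mode") || return 2
    [ -e "$path" ] || return 0   # absent paths are not created here
    if [ "$(stat -c '%U' -- "$path")" != "$owner" ]; then
        chown -- "$owner" "$path" || return 1
    fi
    if [ "$(stat -c '%a' -- "$path")" != "$want_mode" ]; then
        chmod -- "$want_mode" "$path" || return 1
    fi
}
```

Running check_path over secrets such as acme.json before and after a mode switch shows whether the two code paths really converge on the same owner and the 600 mode.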