Convert the remaining ad-hoc 'sudo' calls across the data plane to the run_privileged helpers so every file op lands as the correct owner with no blanket root: - DB/configs (manager-owned): db_list_all_apps, delete_db_file, install_sqlite, cli_webui_commands -> runInstallOp - containers (dockerinstall-owned): scan_container_socket, delete_data, webui_task_files, webui_app_log, webui_config_patch, application_missing_variables, uninstall_app -> runFileOp/runFileWrite - genuine root: passwd, tailscale, ufw-docker, sysctl grep, systemd unit read, authorized_keys read, nobody chown -> runSystem - interactive editors and 'id -u': drop sudo entirely (run as caller) - owncloud/adguard container-UID config edits -> runSystem (funnel; docker-exec rework deferred) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
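#######################################
# Apply per-application post-install / post-update hooks.
#
# Runs after the generic install steps: refreshes DNS for the DNS apps,
# regenerates the LibrePortal / Dashy config, and hands focalboard's data
# dir to the uid it runs as. Restarts the app's compose stack when a hook
# asks for it.
#
# Globals:
#   containers_dir              (read) root of the per-app container dirs;
#                               must be non-empty before the focalboard chown
#   CFG_REQUIREMENT_DNS_UPDATER (read) "true" enables updateDNS
#   shouldrestart               (read/written) hooks set it to "true" to
#                               request dockerComposeRestart; callers may
#                               preset it, so it is deliberately not local
# Arguments:
#   $1 - application name (adguard, pihole, libreportal, dashy, focalboard, ...)
# Outputs:
#   status line via isSuccessful
#######################################
appUpdateSpecifics()
{
    local app_name="$1"

    # Initialize setup. Quoted so an empty name still reaches the callee
    # as an argument instead of vanishing.
    initializeAppVariables "$app_name"

    if [[ $app_name == "adguard" || $app_name == "pihole" ]]; then
        if [[ $CFG_REQUIREMENT_DNS_UPDATER == "true" ]]; then
            updateDNS "$app_name" install
        fi
        # Split-horizon local DNS: app subdomains resolve to the box on the LAN.
        # Optional helper; only invoked when it is defined.
        declare -F setupLocalDnsRewrites >/dev/null 2>&1 && setupLocalDnsRewrites
    fi

    if [[ $app_name == "libreportal" ]]; then
        webuiLibrePortalUpdate
    fi

    if [[ $app_name == "dashy" ]]; then
        # Refresh apps-services.json (the source of truth that
        # appDashyUpdateConf reads) before generating dashy's conf.yml.
        # On a first dashy install the file may not yet reflect dashy
        # itself; on a re-install the previous selection survives.
        webuiLibrePortalUpdate
        appDashyUpdateConf
    fi

    if [[ $app_name == "focalboard" ]]; then
        # Focalboard runs as nobody (65534) and writes its sqlite db + uploads
        # under its mounted data dir; fixPermissionsBeforeStart hands the dir to
        # the install user, so give it to 65534 here or the server can't open
        # the database. Restart so it picks the dir up.
        # ${containers_dir:?} aborts instead of recursively chowning a path
        # rooted at / if the variable is unset or empty.
        runSystem chown -R 65534:65534 "${containers_dir:?containers_dir must be set}${app_name}/data"
        shouldrestart="true"
    fi

    if [[ $shouldrestart == "true" ]]; then
        dockerComposeRestart "$app_name"
    fi

    isSuccessful "All application specific updates have been completed."
}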