Under Model A the runtime runs as the manager, so establishing the /docker ownership model needs root. Granting the manager a blanket 'sudo chown'/'sudo chmod' in the scoped sudoers would be root-equivalent (chown /etc/sudoers, ...). Introduce a self-contained, root-owned helper that performs only a FIXED set of reconciles on FIXED LibrePortal paths, with owners derived from config + a baked manager name (never the caller) and a strictly-validated app-name argument. - scripts/system/libreportal-ownership: the helper (actions: reconcile, traversal, containers-top, app-perms, webui, taskdir, app-data-nobody) - run_privileged: runOwnership wrapper (sudo the installed helper; run the bundled copy directly when already root mid-install) - init.sh: installOwnershipHelper bakes the manager name and installs it root:root 0755 to /usr/local/sbin (manager can't modify it) - libreportal_folders/app_folder/app_update_specifics/task processor: delegate the ownership chowns to runOwnership instead of runSystem chown This removes chown/chmod-on-/docker from the runtime sudo surface, a prerequisite for a non-root-equivalent scoped sudoers. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
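#######################################
# Run the per-app steps that follow a generic install/update: the DNS
# updater hook for the DNS apps, the LibrePortal/dashy config refresh,
# and the focalboard data-dir ownership hand-off. Restarts the app
# afterwards when a step asked for it.
# Globals:
#   CFG_REQUIREMENT_DNS_UPDATER (read) - "true" enables the updateDNS hook
#   shouldrestart (read, written) - "true" triggers dockerComposeRestart.
#       Deliberately NOT declared local: only the focalboard branch sets it
#       here, so a value left by an earlier step/caller is honoured too —
#       NOTE(review): confirm that the other helpers rely on it being global.
# Arguments:
#   $1 - app name (e.g. adguard, pihole, libreportal, dashy, focalboard)
# Outputs:
#   completion message via the project's isSuccessful helper
# Returns:
#   1 if no app name was given; otherwise the status of isSuccessful
#######################################
appUpdateSpecifics()
{
    local app_name="$1"

    # Every step below keys off the name; refuse an empty one instead of
    # letting initializeAppVariables run against "".
    if [[ -z "$app_name" ]]; then
        printf 'appUpdateSpecifics: app name is required\n' >&2
        return 1
    fi

    # Initialize setup. Quoted so the name is handed over as ONE word and is
    # never glob-expanded on the way to the helpers.
    initializeAppVariables "$app_name"

    # The app names are mutually exclusive, so one dispatch replaces the
    # chain of independent if-blocks.
    case "$app_name" in
        adguard|pihole)
            if [[ "$CFG_REQUIREMENT_DNS_UPDATER" == "true" ]]; then
                updateDNS "$app_name" install
            fi
            # Split-horizon local DNS: app subdomains resolve to the box on
            # the LAN. Optional hook — only called when the function exists.
            declare -F setupLocalDnsRewrites >/dev/null 2>&1 && setupLocalDnsRewrites
            ;;
        libreportal)
            webuiLibrePortalUpdate
            ;;
        dashy)
            # Refresh apps-services.json (the source of truth that
            # appDashyUpdateConf reads) before generating dashy's conf.yml.
            # On a first dashy install the file may not yet reflect dashy
            # itself; on a re-install the previous selection survives.
            webuiLibrePortalUpdate
            appDashyUpdateConf
            ;;
        focalboard)
            # Focalboard runs as nobody (65534) and writes its sqlite db +
            # uploads under its mounted data dir; fixPermissionsBeforeStart
            # hands the dir to the install user, so give it to 65534 here or
            # the server can't open the database. Ownership goes through the
            # root-owned helper (fixed action on a fixed path) rather than a
            # direct privileged chown. Restart so it picks the dir up.
            runOwnership app-data-nobody "$app_name"
            shouldrestart="true"
            ;;
    esac

    if [[ "$shouldrestart" == "true" ]]; then
        dockerComposeRestart "$app_name"
    fi

    isSuccessful "All application specific updates have been completed."
}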