librelad 8e0d662a16 refactor(perms): one source of truth for container ownership
The install/start paths and the switch reconcile managed /docker ownership
separately, so a fresh install produced different ownership than a post-switch
state — the root cause of the rootless 'touch: Permission denied' storm.

Consolidate onto the reconcile model:
- dockerContainerOwner(): single definition of the mode's container owner
  (rooted -> manager, rootless -> config-authoritative docker install user).
- reconcileContainersTopOwnership(): owns + makes traversable the structural
  containers/ top dir; now also run by the switch reconcile (previously only
  the install pass set it, so a rootless->rooted switch left it stale).
- reconcileWebuiDirOwnership(): now uses dockerContainerOwner.
- reconcileDockerOwnership(): calls both helpers.
- fixFolderPermissions(): slimmed to the +x traversal bits; its ad-hoc
  containers/ chown is now the shared helper.
- fixPermissionsBeforeStart(): drop changeRootOwnedFilesAndFolders (a
  pre-de-sudo band-aid that only fixed root-owned files and ran contrary to
  the don't-touch-third-party-data rule); reconcile the WebUI dir via the
  shared helper instead. Delete the now-unused root_files_folders.sh and
  regenerate the source arrays.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 13:46:12 +01:00

35 lines
1.3 KiB
Bash
Executable File

#!/bin/bash
fixPermissionsBeforeStart()
{
local app_name="$1"
local flag="$2"
if [[ $flag == "update" ]]; then
isHeader "Updating File/Folder Permissions"
fi
fixAppFolderPermissions;
changeRootOwnedFile $docker_dir/$db_file $sudo_user_name
# The regenerable WebUI dir is reconciled to the mode's container owner via
# the shared helper (same code path as install + switch). Third-party app
# data ownership is established at install/restore time, not blanket-chowned
# here — a wrong-owner chown would break permission-strict apps.
if [[ "$app_name" == "libreportal" ]]; then
reconcileWebuiDirOwnership
fi
# Traefik
if [ -f "${containers_dir}traefik/etc/certs/acme.json" ]; then
updateFileOwnership "${containers_dir}traefik/etc/certs/acme.json" $docker_install_user $docker_install_user
local result=$(sudo chmod 600 "${containers_dir}traefik/etc/certs/acme.json")
checkSuccess "Set permissions to acme.json file for traefik"
fi
if [ -f "${containers_dir}traefik/etc/traefik.yml" ]; then
updateFileOwnership "${containers_dir}traefik/etc/traefik.yml" $docker_install_user $docker_install_user
local result=$(sudo chmod 600 "${containers_dir}traefik/etc/traefik.yml")
checkSuccess "Set permissions to traefik.yml file for traefik"
fi
}