The backup engine already drops to the backup user (sudo -E -u $docker_install_user) and backupLocationOwner == $docker_install_user, which is exactly what runFileOp/runFileWrite resolve to in both modes. So convert the raw-sudo data ops (mkdir/chmod/rm/find/cat/grep/mv/chown/tee on backup repos, location configs, keys, manifests) to runFileOp/runFileWrite — creating files as the owner directly, no root chown. backup_verify creates its scratch as the backup user (runFileOp mktemp) instead of chown-after. Binary installs (kopia tar/install, borg dnf) -> runSystem. The 44 sudo -u engine drops stay (already least-privilege; the scoped sudoers will grant them). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
19 lines
594 B
Bash
19 lines
594 B
Bash
#!/bin/bash
|
|
|
|
# Source every per-location location.config file so the CFG_BACKUP_LOC_<idx>_*
|
|
# variables are available in the env. Called from the libreportal_configs
|
|
# scan path (see scripts/source/loading/scan_files.sh) so it runs at the
|
|
# same time as the rest of the config files.
|
|
|
|
sourceBackupLocations()
|
|
{
|
|
local dir
|
|
dir=$(backupLocationsDir)
|
|
[[ ! -d "$dir" ]] && return 0
|
|
|
|
local cfg
|
|
while IFS= read -r -d '' cfg; do
|
|
[[ -f "$cfg" ]] && source "$cfg"
|
|
done < <(runFileOp find "$dir" -mindepth 2 -maxdepth 2 -name location.config -type f -print0 2>/dev/null)
|
|
}
|