fix(l4d2-web): ScriptBuilder — chmod script tmpfile to 0644 for sandbox read

NamedTemporaryFile creates the script file at mode 0600 owned by the
left4me web user. The sandbox runs as l4d2-sandbox and bwrap bind-mounts
the file read-only at /script.sh, but the kernel still enforces the
underlying file's permissions — l4d2-sandbox can't read 0600 left4me
files, so /bin/bash /script.sh fails with "Permission denied".

Script content is not a secret (it's stored in the DB and editable by
the user), so 0644 is appropriate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mwiegand 2026-05-08 16:18:00 +02:00
parent cf865d4915
commit 908bca3687
No known key found for this signature in database

@ -192,6 +192,11 @@ def run_sandboxed_script(
with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f: with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
f.write(script_text or "") f.write(script_text or "")
script_path = f.name script_path = f.name
# NamedTemporaryFile creates 0600 owned by the web user; the sandbox runs
# as l4d2-sandbox and needs to read it (bind-mounted at /script.sh inside
# the sandbox). Script content is not a secret — it's plain bash stored
# in the DB and editable by the user — so 0644 is appropriate.
os.chmod(script_path, 0o644)
try: try:
cmd = [ cmd = [
"sudo", "sudo",
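
Review bot: The added os.chmod(script_path, 0o644) changes the mode by path, although the open file object f is available in the with block just above; calling os.fchmod(f.fileno(), 0o644) there would apply the change to the descriptor that was just written and not re-resolve a name in the temp directory. Separately, 0644 grants read access to every local account, not only l4d2-sandbox. The comment's reasoning that the script is not a secret covers this, but if a narrower grant is ever wanted, a group shared by the web user and l4d2-sandbox with mode 0640 would limit reads to the one account that needs them. It would also help for the comment to say that the file is only meant to exist for the duration of the sandbox run, since delete=False leaves cleanup to the code after try:.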