From 965b67e6fc34e6dcb0a951686a4326a06180bf82 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sat, 9 May 2026 01:44:26 +0200
Subject: [PATCH] fix(l4d2-host): script-sandbox normalizes file perms so web user can read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cedapug's build script writes .cedapug/manifest.tsv with mode 0600 owned by l4d2-sandbox; the web service (left4me uid) then 500s when streaming that file via the download route — PermissionError on open().

Two fixes:
- UMask=0022 on the systemd-run unit so new file writes default to 0644 / dirs to 0755.
- Post-script chmod o+r/o+rx walk over the overlay dir to backfill any stricter modes the script left behind (e.g. shells/tools that ignore umask and explicitly create with 0600).

The helper no longer execs systemd-run; it captures the rc, runs the post-step, and exits with the original rc.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../local/libexec/left4me/left4me-script-sandbox | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox b/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
index c216f56..e331607 100755
--- a/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
+++ b/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
@@ -42,9 +42,11 @@ fi
 chown -R l4d2-sandbox:l4d2-sandbox "$OVERLAY_DIR"
 chmod 0755 "$OVERLAY_DIR"
-exec systemd-run --quiet --collect --wait --pipe \
+SCRIPT_RC=0
+systemd-run --quiet --collect --wait --pipe \
 --unit="left4me-script-${OVERLAY_ID}-$$" \
 -p User=l4d2-sandbox -p Group=l4d2-sandbox \
+ -p UMask=0022 \
 -p NoNewPrivileges=yes \
 -p ProtectSystem=strict -p ProtectHome=yes \
 -p PrivateTmp=yes -p PrivateDevices=yes -p PrivateIPC=yes \
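Review bot: `-p UMask=0022` makes everything the sandboxed script writes readable by every local account, while the commit message only requires that the left4me uid can read it; the `chmod o+r`/`o+rx` walk in the second hunk has the same breadth and additionally overrides modes a script chose on purpose. If the overlay can ever hold something sensitive, a group shared by the sandbox and web users would be narrower, for example `-p UMask=0027` with a group-owned, setgid overlay directory and a `g+r`/`g+rX` backfill instead of `o+r`/`o+rx`. If world-readable is the intended policy, a comment above the `systemd-run` call such as `# overlay content is readable by all local users by design` would record that decision. The `systemd-run` invocation continues past the end of this hunk.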
@@ -65,4 +67,14 @@ exec systemd-run --quiet --collect --wait --pipe \
 -p Environment="HOME=/tmp PATH=/usr/bin:/usr/sbin OVERLAY=/overlay" \
 -p MemoryMax=4G -p MemorySwapMax=0 -p TasksMax=512 \
 -p CPUQuota=200% -p RuntimeMaxSec=3600 \
- -- /bin/bash /script.sh
+ -- /bin/bash /script.sh || SCRIPT_RC=$?
+
+# Normalize perms so the web service (left4me uid) can read overlay files
+# directly via Python open() — needed by the file tree's download endpoint.
+# UMask=0022 above takes care of *new* writes; this catches anything the
+# script created with a tighter mode (e.g. cedapug_maps writes its
+# .cedapug/manifest.tsv as 0600 by default).
+find "$OVERLAY_DIR" -type f ! -perm -o+r -exec chmod o+r {} + 2>/dev/null || true
+find "$OVERLAY_DIR" -type d ! -perm -o+rx -exec chmod o+rx {} + 2>/dev/null || true
+
+exit $SCRIPT_RC
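Review bot: The two `find … -exec chmod` walks run with the helper's own privileges (presumably root, given the `chown -R` earlier in the file) over a tree the sandboxed script has just written, and `2>/dev/null || true` discards every failure. Since l4d2-sandbox owns what it created, the backfill could run as that user where `runuser` is available, e.g. `runuser -u l4d2-sandbox -- find "$OVERLAY_DIR" -type f ! -perm -o+r -exec chmod o+r {} +`, so the walk cannot change modes on anything the sandbox user does not own. Replacing the silent `|| true` with a warning on stderr, e.g. `|| echo "left4me-script-sandbox: perm normalization failed" >&2`, would keep a later 500 on the download route diagnosable. The final line should also quote the variable: `exit "$SCRIPT_RC"`.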