The v2 hardening tightened the DB to mode 0640 owned by root:left4me,
intending to block reads from the sandbox uid (l4d2-sandbox, not in the
left4me group). It did — but it also took away write access from the web
service itself, which runs as user left4me. With root owning the file,
left4me only had group-read; INSERTs into the jobs table failed with
"attempt to write a readonly database" and surfaced as a 500 on POST
/overlays/{id}/script.

Owner left4me + group left4me + mode 0640 keeps the same external
posture (l4d2-sandbox gets nothing via "other") while restoring the
web service's read+write access via "owner".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
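
The ownership change described in the commit message above, modelled as an added example (not code from the commit or the project): it evaluates classic POSIX mode bits for the two layouts and shows why the service user held only group-read under root ownership. The function names and the group memberships are assumptions; root bypass, ACLs and MAC layers are not modelled.

```python
import stat

def posix_access(mode, owner, group, user, user_groups):
    """Return the subset of {'r', 'w'} that classic mode bits grant to `user`.

    Exactly one class applies: owner, else group, else other. There is no
    fall-through, so an owner with no owner bits gets nothing from "group".
    """
    if user == owner:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif group in user_groups:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return {c for c, bit in (("r", r), ("w", w)) if mode & bit}

# User names come from the commit message; the group memberships are
# assumptions (each user is only in the group named after it).
PRINCIPALS = {
    "left4me": {"left4me"},
    "l4d2-sandbox": {"l4d2-sandbox"},
}

# (owner, group, mode) for the DB file before and after the fix.
LAYOUTS = {
    "v2 (root:left4me 0640)": ("root", "left4me", 0o640),
    "fix (left4me:left4me 0640)": ("left4me", "left4me", 0o640),
}

def audit(layouts=LAYOUTS, principals=PRINCIPALS):
    """Map layout name -> {user: access string such as 'rw', 'r' or ''}."""
    report = {}
    for name, (owner, group, mode) in layouts.items():
        report[name] = {
            user: "".join(sorted(posix_access(mode, owner, group, user, groups)))
            for user, groups in principals.items()
        }
    return report

if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```

SQLite also creates its journal or WAL files next to the database, so the service user needs write access to the containing directory as well as to the file.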