From b18df731ab5bf9bc26c153b36e8d0450511fae0f Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Fri, 16 May 2025 11:29:42 -0400
Subject: [PATCH 1/2] add device perm fixing to base
---
.../dependencies.d/init-adduser | 0
.../s6-overlay/s6-rc.d/init-device-perms/run | 37 +++++++++++++++++++
.../s6-overlay/s6-rc.d/init-device-perms/type | 1 +
.../s6-overlay/s6-rc.d/init-device-perms/up | 1 +
.../dependencies.d/init-device-perms | 0
.../s6-rc.d/user/contents.d/init-device-perms | 0
6 files changed, 39 insertions(+)
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-device-perms/dependencies.d/init-adduser
create mode 100755 root/etc/s6-overlay/s6-rc.d/init-device-perms/run
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-device-perms/type
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-device-perms/up
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-device-perms
create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-device-perms
diff --git a/root/etc/s6-overlay/s6-rc.d/init-device-perms/dependencies.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/init-device-perms/dependencies.d/init-adduser
new file mode 100644
index 00000000..e69de29b
diff --git a/root/etc/s6-overlay/s6-rc.d/init-device-perms/run b/root/etc/s6-overlay/s6-rc.d/init-device-perms/run
new file mode 100755
index 00000000..8ba102e3
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-device-perms/run
@@ -0,0 +1,37 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ FILES=$(find ${ATTACHED_DEVICES_PERMS} -print 2>/dev/null)
+
+ for i in ${FILES}; do
+ FILE_GID=$(stat -c '%g' "${i}")
+ FILE_UID=$(stat -c '%u' "${i}")
+ # check if user matches device
+ if id -u abc | grep -qw "${FILE_UID}"; then
+ echo "**** permissions for ${i} are good ****"
+ else
+ # check if group matches and that device has group rw
+ if id -G abc | grep -qw "${FILE_GID}" && [[ $(stat -c '%A' "${i}" | cut -b 5,6) == "rw" ]]; then
+ echo "**** permissions for ${i} are good ****"
+ # check if device needs to be added to group
+ elif ! id -G abc | grep -qw "${FILE_GID}"; then
+ # check if group needs to be created
+ GROUP_NAME=$(getent group "${FILE_GID}" | awk -F: '{print $1}')
+ if [[ -z "${GROUP_NAME}" ]]; then
+ GROUP_NAME="group$(head /dev/urandom | tr -dc 'a-z0-9' | head -c4)"
+ groupadd "${GROUP_NAME}"
+ groupmod -g "${FILE_GID}" "${GROUP_NAME}"
+ echo "**** creating group ${GROUP_NAME} with id ${FILE_GID} ****"
+ fi
+ echo "**** adding ${i} to group ${GROUP_NAME} with id ${FILE_GID} ****"
+ usermod -a -G "${GROUP_NAME}" abc
+ fi
+ # check if device has group rw
+ if [[ $(stat -c '%A' "${i}" | cut -b 5,6) != "rw" ]]; then
+ echo -e "**** The device ${i} does not have group read/write permissions, attempting to fix inside the container. ****"
+ chmod g+rw "${i}"
+ fi
+ fi
+ done
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-device-perms/type b/root/etc/s6-overlay/s6-rc.d/init-device-perms/type
new file mode 100644
index 00000000..3d92b15f
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-device-perms/type
@@ -0,0 +1 @@
+oneshot
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/init-device-perms/up b/root/etc/s6-overlay/s6-rc.d/init-device-perms/up
new file mode 100644
index 00000000..050e0b29
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-device-perms/up
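Review bot: In the new init-device-perms/run, `FILES=$(find ${ATTACHED_DEVICES_PERMS} -print 2>/dev/null)` and `for i in ${FILES}` are unquoted: the value and then find's output are both word-split and glob-expanded, so a path containing whitespace is mangled and any word starting with `-` is parsed by find as an expression rather than a start path, in a script that goes on to call `groupadd`, `usermod` and `chmod`. Nothing limits the matches to device nodes either, so a listed directory and every file below it get `chmod g+rw` and abc is added to each owning group, which is wider than a device-permission fix needs. I would split the variable once into an array, keep only absolute paths, restrict find to character and block devices if that is the intent, and iterate NUL-delimited, as sketched below. The same unquoted `find` line is carried unchanged as context in the [PATCH 2/2] hunk.

```shell
    # split once on whitespace into an array; only absolute paths are kept,
    # so no word can be read by find as an expression
    # (globs are no longer expanded here; expand explicitly if that input is supported)
    DEVICE_PATHS=()
    read -r -d '' -a REQUESTED <<< "${ATTACHED_DEVICES_PERMS}"
    for p in "${REQUESTED[@]}"; do
        [[ ${p} == /* ]] && DEVICE_PATHS+=("${p}")
    done

    # find with no start path would search the current directory
    if (( ${#DEVICE_PATHS[@]} > 0 )); then
        while IFS= read -r -d '' i; do
            # … unchanged: uid/gid checks, group creation, usermod, chmod …
        done < <(find "${DEVICE_PATHS[@]}" \( -type c -o -type b \) -print0 2>/dev/null)
    fi
```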
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-device-perms/run
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-device-perms b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-device-perms
new file mode 100644
index 00000000..e69de29b
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-device-perms b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-device-perms
new file mode 100644
index 00000000..e69de29b
From 907538b3425cfcbdb5ff6a98485a32acff157d2f Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Fri, 16 May 2025 12:35:50 -0400
Subject: [PATCH 2/2] run only when env is set
---
root/etc/s6-overlay/s6-rc.d/init-device-perms/run | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-device-perms/run b/root/etc/s6-overlay/s6-rc.d/init-device-perms/run
index 8ba102e3..18412b87 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-device-perms/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-device-perms/run
@@ -1,7 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+if [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ -n ${ATTACHED_DEVICES_PERMS} ]]; then
 FILES=$(find ${ATTACHED_DEVICES_PERMS} -print 2>/dev/null)
 
 for i in ${FILES}; do
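Review bot: The added `[[ -n ${ATTACHED_DEVICES_PERMS} ]]` test in init-device-perms/run still passes for a value that holds only whitespace, and the unquoted expansion on the following context line then gives find no start path, in which case find falls back to the current directory. The loop would then apply its group handling and `chmod g+rw` to whatever that directory contains. Testing the stripped value closes the gap: `[[ -n ${ATTACHED_DEVICES_PERMS//[[:space:]]/} ]]`. A short comment above the `if` stating that ATTACHED_DEVICES_PERMS is a whitespace-separated list of paths and that the block is skipped when LSIO_NON_ROOT_USER is set would document the contract; the body of the `if` continues outside this hunk.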