github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-19 18:39:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix(podman): avoid root writes to user home

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 21:33:49 +01:00
parent 0e8ec83742
commit b2a4283c36
1 changed files with 24 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
setup-podman.sh
View File

@@ -50,6 +50,12 @@ run_as_user() {
fi
}
run_as_openclaw() {
# Avoid root writes into $OPENCLAW_HOME (symlink/hardlink/TOCTOU footguns).
# Anything under the target user's home should be created/modified as that user.
run_as_user "$OPENCLAW_USER" env HOME="$OPENCLAW_HOME" "$@"
}
# Quadlet: opt-in via --quadlet or OPENCLAW_PODMAN_QUADLET=1
INSTALL_QUADLET=false
for arg in "$@"; do
@@ -170,34 +176,30 @@ if ! grep -q "^${OPENCLAW_USER}:" /etc/subuid 2>/dev/null; then
fi
echo "Creating $OPENCLAW_CONFIG and workspace..."
run_root mkdir -p "$OPENCLAW_CONFIG/workspace"
run_root chown -R "$OPENCLAW_USER:" "$OPENCLAW_CONFIG"
run_root chmod 700 "$OPENCLAW_CONFIG" "$OPENCLAW_CONFIG/workspace" 2>/dev/null || true
run_as_openclaw mkdir -p "$OPENCLAW_CONFIG/workspace"
run_as_openclaw chmod 700 "$OPENCLAW_CONFIG" "$OPENCLAW_CONFIG/workspace" 2>/dev/null || true
ENV_FILE="$OPENCLAW_CONFIG/.env"
if [[ -f "$ENV_FILE" ]]; then
if ! grep -q '^OPENCLAW_GATEWAY_TOKEN=' "$ENV_FILE" 2>/dev/null; then
if run_as_openclaw test -f "$ENV_FILE"; then
if ! run_as_openclaw grep -q '^OPENCLAW_GATEWAY_TOKEN=' "$ENV_FILE" 2>/dev/null; then
TOKEN="$(generate_token_hex_32)"
echo "OPENCLAW_GATEWAY_TOKEN=$TOKEN" | run_root tee -a "$ENV_FILE" >/dev/null
printf 'OPENCLAW_GATEWAY_TOKEN=%s\n' "$TOKEN" | run_as_openclaw tee -a "$ENV_FILE" >/dev/null
echo "Added OPENCLAW_GATEWAY_TOKEN to $ENV_FILE."
fi
run_root chown "$OPENCLAW_USER:" "$ENV_FILE"
run_root chmod 600 "$ENV_FILE" 2>/dev/null || true
run_as_openclaw chmod 600 "$ENV_FILE" 2>/dev/null || true
else
TOKEN="$(generate_token_hex_32)"
echo "OPENCLAW_GATEWAY_TOKEN=$TOKEN" | run_root tee "$ENV_FILE" >/dev/null
run_root chown "$OPENCLAW_USER:" "$ENV_FILE"
run_root chmod 600 "$ENV_FILE" 2>/dev/null || true
printf 'OPENCLAW_GATEWAY_TOKEN=%s\n' "$TOKEN" | run_as_openclaw tee "$ENV_FILE" >/dev/null
run_as_openclaw chmod 600 "$ENV_FILE" 2>/dev/null || true
echo "Created $ENV_FILE with new token."
fi
# The gateway refuses to start unless gateway.mode=local is set in config.
# Make first-run non-interactive; users can run the wizard later to configure channels/providers.
OPENCLAW_JSON="$OPENCLAW_CONFIG/openclaw.json"
if [[ ! -f "$OPENCLAW_JSON" ]]; then
echo '{ gateway: { mode: "local" } }' | run_root tee "$OPENCLAW_JSON" >/dev/null
run_root chown "$OPENCLAW_USER:" "$OPENCLAW_JSON"
run_root chmod 600 "$OPENCLAW_JSON" 2>/dev/null || true
if ! run_as_openclaw test -f "$OPENCLAW_JSON"; then
printf '%s\n' '{ gateway: { mode: "local" } }' | run_as_openclaw tee "$OPENCLAW_JSON" >/dev/null
run_as_openclaw chmod 600 "$OPENCLAW_JSON" 2>/dev/null || true
echo "Created $OPENCLAW_JSON (minimal gateway.mode=local)."
fi
@@ -214,17 +216,18 @@ rm -f "$TMP_IMAGE"
trap - EXIT
echo "Copying launch script to $LAUNCH_SCRIPT_DST..."
run_root cp "$RUN_SCRIPT_SRC" "$LAUNCH_SCRIPT_DST"
run_root chown "$OPENCLAW_USER:" "$LAUNCH_SCRIPT_DST"
run_root chmod 755 "$LAUNCH_SCRIPT_DST"
run_root cat "$RUN_SCRIPT_SRC" | run_as_openclaw tee "$LAUNCH_SCRIPT_DST" >/dev/null
run_as_openclaw chmod 755 "$LAUNCH_SCRIPT_DST"
# Optionally install systemd quadlet for openclaw user (rootless Podman + systemd)
QUADLET_DIR="$OPENCLAW_HOME/.config/containers/systemd"
if [[ "$INSTALL_QUADLET" == true && -f "$QUADLET_TEMPLATE" ]]; then
echo "Installing systemd quadlet for $OPENCLAW_USER..."
run_root mkdir -p "$QUADLET_DIR"
sed "s|{{OPENCLAW_HOME}}|$OPENCLAW_HOME|g" "$QUADLET_TEMPLATE" | run_root tee "$QUADLET_DIR/openclaw.container" >/dev/null
run_root chown -R "$OPENCLAW_USER:" "$QUADLET_DIR"
run_as_openclaw mkdir -p "$QUADLET_DIR"
OPENCLAW_HOME_SED="$(printf '%s' "$OPENCLAW_HOME" | sed -e 's/[\\/&|]/\\\\&/g')"
sed "s|{{OPENCLAW_HOME}}|$OPENCLAW_HOME_SED|g" "$QUADLET_TEMPLATE" | run_as_openclaw tee "$QUADLET_DIR/openclaw.container" >/dev/null
run_as_openclaw chmod 700 "$OPENCLAW_HOME/.config" "$OPENCLAW_HOME/.config/containers" "$QUADLET_DIR" 2>/dev/null || true
run_as_openclaw chmod 600 "$QUADLET_DIR/openclaw.container" 2>/dev/null || true
if command -v systemctl &>/dev/null; then
run_root systemctl --machine "${OPENCLAW_USER}@" --user daemon-reload 2>/dev/null || true
run_root systemctl --machine "${OPENCLAW_USER}@" --user enable openclaw.service 2>/dev/null || true