From ad83ae84e4656a2802088562a28b32a3550262a0 Mon Sep 17 00:00:00 2001
From: Othman Hendy Suseo
Date: Sun, 21 Dec 2025 12:52:32 +0000
Subject: [PATCH] modified installer script
---
 installer/install.sh | 66 ++++++++++++++++++++------------------------
 1 file changed, 30 insertions(+), 36 deletions(-)
diff --git a/installer/install.sh b/installer/install.sh
index 77675ae..15c8d16 100755
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -485,32 +485,20 @@ install_dependencies() { echo "" } -# Create system user +# Create system user (optional - service runs as root) create_user() { - echo -e "${GREEN}Creating system user...${NC}" + echo -e "${GREEN}Note: Service will run as root (no user needed)${NC}" + # User creation is optional now since service runs as root + # But we still create it for file ownership purposes if needed if ! id "$SERVICE_USER" &>/dev/null; then - useradd -r -s /bin/false -d "$DATA_DIR" "$SERVICE_USER" - echo -e "${GREEN}User $SERVICE_USER created${NC}" - else - echo -e "${YELLOW}User $SERVICE_USER already exists${NC}" + useradd -r -s /bin/false -d "$DATA_DIR" "$SERVICE_USER" 2>/dev/null || { + echo -e "${YELLOW}User creation skipped (service runs as root)${NC}" + } fi - # Add user to disk group for block device access (required for ZFS) - if getent group disk > /dev/null 2>&1; then - usermod -a -G disk "$SERVICE_USER" - echo -e "${GREEN}Added $SERVICE_USER to disk group${NC}" - fi - - # Create sudoers configuration for ZFS commands - echo -e "${GREEN}Configuring sudo for ZFS operations...${NC}" - cat > /etc/sudoers.d/atlas-zfs </dev/null; then + chown -R "$SERVICE_USER:$SERVICE_USER" "$DATA_DIR" 2>/dev/null || true + chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR" 2>/dev/null || true + chown -R "$SERVICE_USER:$SERVICE_USER" "$BACKUP_DIR" 2>/dev/null || true + chown -R "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR" 2>/dev/null || true + chown -R "$SERVICE_USER:$SERVICE_USER" "/storage" 2>/dev/null || true + fi # Set permissions chmod 755 "$INSTALL_DIR" @@ -872,8 +863,10 @@ copy_web_files() { } fi - # Set ownership - chown -R "$SERVICE_USER:$SERVICE_USER" "$INSTALL_DIR/web" + # Set ownership (service runs as root) + if id "$SERVICE_USER" &>/dev/null; then + chown -R "$SERVICE_USER:$SERVICE_USER" "$INSTALL_DIR/web" 2>/dev/null || true + fi chmod -R 755 "$INSTALL_DIR/web" echo -e "${GREEN}Web files copied successfully${NC}" 
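Review bot: Hosts that ran the previous installer keep `/etc/sudoers.d/atlas-zfs` and the service account's `disk` group membership, because create_user stops writing them but nothing in this hunk removes them. Since the new comments say the service runs as root and needs no sudo, that leftover grant is unused privilege on an account that still exists; I would add a cleanup step such as `rm -f /etc/sudoers.d/atlas-zfs` and `gpasswd -d "$SERVICE_USER" disk 2>/dev/null || true`. The `useradd ... 2>/dev/null || { ... }` fallback also discards the real failure reason, so letting useradd's own error through would make a broken install easier to diagnose. The removed heredoc is truncated on this page, so the exact sudo rules being dropped cannot be checked here.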
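Review bot: The new `chown` calls hand `$DATA_DIR`, `$CONFIG_DIR`, `/storage` and `$INSTALL_DIR/web` to `$SERVICE_USER` even though the process that uses them now runs as root, so an unprivileged account controls files that a root service reads and serves. The same applies to `atlas.conf` in the last hunk (`@@ -959,7 +950,10 @@`), which carries the commented `ATLAS_JWT_SECRET` setting. With the service as root these should be root-owned, e.g. `chown -R root:root "$INSTALL_DIR/web"` and `chown root:root "$CONFIG_DIR/atlas.conf"`. `chown -R ... "/storage"` additionally rewrites ownership of everything below `/storage`, which looks like it could include user data on shares, and `2>/dev/null || true` means a failure is never reported; I would drop the recursive chown on `/storage` or limit it to the directory itself. The hunk header for the first chown block is missing on this page, so the function it sits in is inferred.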
@@ -893,8 +886,8 @@ After=network.target zfs.target [Service] Type=simple -User=$SERVICE_USER -Group=$SERVICE_USER +# Service runs as root for ZFS and storage operations +# No User/Group specified - runs as root WorkingDirectory=$INSTALL_DIR ExecStart=$INSTALL_DIR/bin/atlas-api Restart=always @@ -911,13 +904,11 @@ Environment="ATLAS_LOG_LEVEL=INFO" Environment="ATLAS_LOG_FORMAT=json" # Security -# Note: NoNewPrivileges is set to false to allow sudo for ZFS operations -# This is necessary for ZFS pool management -NoNewPrivileges=false +# Service runs as root for ZFS operations (no sudo needed) PrivateTmp=true ProtectSystem=strict ProtectHome=true -ReadWritePaths=$DATA_DIR $LOG_DIR $BACKUP_DIR $CONFIG_DIR +ReadWritePaths=$DATA_DIR $LOG_DIR $BACKUP_DIR $CONFIG_DIR /storage /etc/samba /etc/exports [Install] WantedBy=multi-user.target @@ -959,7 +950,10 @@ ATLAS_LOG_FORMAT=json # ATLAS_JWT_SECRET=your-secret-here EOF - chown "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR/atlas.conf" + # Service runs as root, but set ownership for consistency + if id "$SERVICE_USER" &>/dev/null; then + chown "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR/atlas.conf" 2>/dev/null || true + fi chmod 600 "$CONFIG_DIR/atlas.conf" echo -e "${GREEN}Configuration created${NC}"
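Review bot: Dropping `User=`/`Group=` makes `atlas-api` run as uid 0 with the full capability set, and the directives kept in this unit (`PrivateTmp`, `ProtectSystem=strict`, `ProtectHome`) restrict the filesystem view, not what root may do. If root is required for the ZFS and share management, I would bound it in the `[Service]` section with `NoNewPrivileges=true` (the following hunk removes the `false` line, but the default is still off) and a `CapabilityBoundingSet=` listing only the capabilities those operations need; which ones that is cannot be determined from this patch. The two added comment lines state that the service runs as root but not why the earlier sudo-based split was abandoned, which is worth recording next to them.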
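Review bot: `ReadWritePaths=` now lists `/storage`, `/etc/samba` and `/etc/exports` unconditionally, and systemd refuses to start a unit when a listed path does not exist unless that path is prefixed with `-`. On a host without Samba installed or without an exports file the service would fail at namespace setup; `ReadWritePaths=$DATA_DIR $LOG_DIR $BACKUP_DIR $CONFIG_DIR -/storage -/etc/samba -/etc/exports` avoids that. `/etc/exports` is a single file, so under `ProtectSystem=strict` it becomes a bind mount that can be written in place but not replaced by rename; if atlas-api rewrites it atomically, a drop-in under `/etc/exports.d` would be the safer target (how atlas-api writes the file is not visible in this patch).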