Try to change ownership of files on SD card during installation (#155)
* Try to change ownership of files on SD card during installation

When 'Allow root-privileged apps' is turned on,
the post-install script will run as root,
so it has the ability to change the ownership of the files on the SD card

---------

Co-authored-by: Mattias Axelsson <mattiaax@axis.com>
Co-authored-by: Madelen Andersson <madelen.andersson@axis.com>
Co-authored-by: madelen-at-work <madelen-at-work@users.noreply.github.com>
4 people authored May 2, 2024
1 parent eaf94b9 commit 9f5b06d
Showing 2 changed files with 17 additions and 2 deletions.
12 changes: 10 additions & 2 deletions README.md
Expand Up @@ -62,11 +62,15 @@ contains known limitations when running rootless Docker.
<!-- omit in toc -->
### Known Issues

- When using the SD card for this application, the file permissions can sometimes be set incorrectly
during an upgrade of the device firmware or the application.
See [Using an SD card as storage](#using-an-sd-card-as-storage) for information on how to handle this.

- Only uid and gid are properly mapped between device and containers, not the secondary groups that the
user is a member of. This means that resources on the device, even if they are volume or device mounted,
can be inaccessible inside the container. This can also affect usage of unsupported D-Bus methods from
the container. See [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container)
for how to handle this.
for information on how to handle this.

## Requirements
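
Review bot: The new Known Issues entry describes the problem as file permissions that "can sometimes be set incorrectly", while the comment added in app/postinstallscript.sh attributes it to ownership not being handled when the app user ID changes. Suggest wording the entry in terms of file ownership and naming that trigger, so a reader inspecting the card checks owner and group rather than mode bits.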

Expand Down Expand Up @@ -225,7 +229,8 @@ Following are the possible values of `Status`:
correct file permissions to use it.
The application is running but dockerd is stopped.
Make sure no directories with the wrong user permissions are left on
the SD card, then restart the application.
the SD card, then restart the application. For further information see
[Using an SD card as storage](#using-an-sd-card-as-storage).

### Using TLS to secure the application

Expand Down Expand Up @@ -332,6 +337,9 @@ To get more informed about specifications, check the
>remove the directory that is used by the application.
>For versions before 2.0 the path was `/var/spool/storage/SD_DISK/dockerd`.
>For versions from 2.0 the path is `/var/spool/storage/areas/SD_DISK/<application-name>`.
>Alternatively, this can be achieved by [allowing root-privileged apps][vapix-allow-root],
>reinstalling the application, then disallowing root-privileged apps again,
>since the post-install script will attempt to repair the permissions when running as root.
### Using the application
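
Review bot: The added blockquote lines use the reference-style link `[vapix-allow-root]`, but none of the 10 README additions shown in this commit defines that reference. Please confirm the definition already exists elsewhere in README.md; if it does not, add it in this change so the link does not render as literal bracketed text.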

7 changes: 7 additions & 0 deletions app/postinstallscript.sh
Expand Up @@ -11,3 +11,10 @@ if [ ! -e localdata/daemon.json ]; then
echo "{}" >localdata/daemon.json
[ "$(id -u)" -ne 0 ] || chown "$(stat -c %u.%g localdata)" localdata/daemon.json
fi

# ACAP framework does not handle ownership on SD card, which causes problem when the app user ID changes.
# If run as root, this script will repair the ownership.
SD_CARD_AREA=/var/spool/storage/SD_DISK/areas/"$(basename "$(pwd)")"
if [ "$(id -u)" -eq 0 ] && [ -d "$SD_CARD_AREA" ]; then
chown -R "$(stat -c %u.%g localdata)" "$SD_CARD_AREA"
fi
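
Review bot: `SD_CARD_AREA` is built as `/var/spool/storage/SD_DISK/areas/<name>`, but the README context in this commit's diff gives the path for versions from 2.0 as `/var/spool/storage/areas/SD_DISK/<application-name>`. If the README is right, the `[ -d "$SD_CARD_AREA" ]` test is never true and the repair silently does nothing. Please confirm which order is correct and align the script and the README. Separately, this is a recursive chown run as root over removable media, so consider `chown -hR` (if the device's chown supports `-h`) so that a symbolic link on the card has its own ownership changed rather than its target's, and consider logging when the repair runs or fails.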
