From 9f5b06d1b1647eb7fa8d9457268ebf118c9090be Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 2 May 2024 09:22:54 +0200
Subject: [PATCH] Try to change ownership of files on SD card during
 installation (#155)

* Try to change ownership of files on SD card during installation

When 'Allow root-privileged apps' is turned on,
the post-install script will run as root,
so it has the ability to change the ownership of the files on the SD card

---------

Co-authored-by: Mattias Axelsson <mattiaax@axis.com>
Co-authored-by: Madelen Andersson <madelen.andersson@axis.com>
Co-authored-by: madelen-at-work <madelen-at-work@users.noreply.github.com>
---
 README.md                | 12 ++++++++++--
 app/postinstallscript.sh |  7 +++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3e641f3..a5776fa 100644
--- a/README.md
+++ b/README.md
@@ -62,11 +62,15 @@ contains known limitations when running rootless Docker.
 <!-- omit in toc -->
 ### Known Issues
 
+- When using the SD card for this application, the file permissions can sometimes be set incorrectly
+  during an upgrade of the device firmware or the application.
+  See [Using an SD card as storage](#using-an-sd-card-as-storage) for information on how to handle this.
+
 - Only uid and gid are properly mapped between device and containers, not the secondary groups that the
 user is a member of. This means that resources on the device, even if they are volume or device mounted,
 can be inaccessible inside the container. This can also affect usage of unsupported D-Bus methods from
 the container. See [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container)
-for how to handle this.
+for information on how to handle this.
 
 ## Requirements
 
@@ -225,7 +229,8 @@ Following are the possible values of `Status`:
                                  correct file permissions to use it.
                                  The application is running but dockerd is stopped.
                                  Make sure no directories with the wrong user permissions are left on
-                                 the SD card, then restart the application.
+                                 the SD card, then restart the application. For further information see
+                                 [Using an SD card as storage](#using-an-sd-card-as-storage).
 
 ### Using TLS to secure the application
 
@@ -332,6 +337,9 @@ To get more informed about specifications, check the
 >remove the directory that is used by the application.
 >For versions before 2.0 the path was `/var/spool/storage/SD_DISK/dockerd`.
 >For versions from 2.0 the path is `/var/spool/storage/areas/SD_DISK/<application-name>`.
+>Alternatively, this can be achieved by [allowing root-privileged apps][vapix-allow-root],
+>reinstalling the application, then disallowing root-privileged apps again,
+>since the post-install script will attempt to repair the permissions when running as root.
 
 ### Using the application
 
diff --git a/app/postinstallscript.sh b/app/postinstallscript.sh
index 65eb963..c29c645 100644
--- a/app/postinstallscript.sh
+++ b/app/postinstallscript.sh
@@ -11,3 +11,10 @@ if [ ! -e localdata/daemon.json ]; then
 	echo "{}" >localdata/daemon.json
 	[ "$(id -u)" -ne 0 ] || chown "$(stat -c %u.%g localdata)" localdata/daemon.json
 fi
+
+# ACAP framework does not handle ownership on SD card, which causes problem when the app user ID changes.
+# If run as root, this script will repair the ownership.
+SD_CARD_AREA=/var/spool/storage/SD_DISK/areas/"$(basename "$(pwd)")"
+if [ "$(id -u)" -eq 0 ] && [ -d "$SD_CARD_AREA" ]; then
+	chown -R "$(stat -c %u.%g localdata)" "$SD_CARD_AREA"
+fi