fix: permissions

hiddify · Nov 16, 2024 · aef5a9b · aef5a9b
1 parent fe17948
commit aef5a9b
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 14 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -72,7 +72,7 @@ jobs:
     needs:
       - make-upload-docker
     env:
-      LATEST: ${{ endsWith(github.ref_name , 'dev') && 'beta' ||'latest'}}
+      LATEST: "${{ github.ref_type == 'tag' && (endsWith(github.ref_name , 'dev') && 'beta' ||'latest') || 'dev' }}"
     steps:
       - name: Download digests
         uses: actions/download-artifact@v4

diff --git a/common/install.sh b/common/install.sh
@@ -17,6 +17,9 @@ else
     sudo timedatectl set-timezone Asia/Tehran
 fi
 
+groupadd hiddify-common
+usermod -aG hiddify-common root
+
 # rm /run/resolvconf/interface/*
 #echo "nameserver 8.8.8.8" >/etc/resolv.conf
 #echo "nameserver 1.1.1.1" >>/etc/resolv.conf

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,25 +1,35 @@
-version: '3.8'
-
-
 services:
   hiddify:
+    #only for local build and development
+    #build: .
+
+    #latest release version
+    image: ghcr.io/hiddify/hiddify-manager:latest
+
+    #latest beta version
+    #image: ghcr.io/hiddify/hiddify-manager:beta
+
+    #latest build of current development
+    #image: ghcr.io/hiddify/hiddify-manager:dev
+
+    #specific version
+    #image: ghcr.io/hiddify/hiddify-manager:v10.80.0
 
-    depends_on: 
-      - mariadb
-      - redis
-    build: .
     ports:
       - 443:443
       - 80:80
-    # privileged: true
-    # cap_add:
-    #   - NET_ADMIN
+    privileged: true
+    cap_add:
+      - NET_ADMIN
     volumes:
        - ./docker-data/:/hiddify-data/
     environment:
       REDIS_URI_MAIN: 'redis://:REDIS_STRONG_PASS@redis:6379/0'
       REDIS_URI_SSH: 'redis://:REDIS_STRONG_PASS@redis:6379/1'
       SQLALCHEMY_DATABASE_URI: 'mysql+mysqldb://hiddifypanel:MYSQL_STRONG_PASS@mariadb/hiddifypanel?charset=utf8mb4'
+    depends_on: 
+      - mariadb
+      - redis
 
   mariadb:
     image: mariadb:latest

diff --git a/hiddify-panel/install.sh b/hiddify-panel/install.sh
@@ -3,6 +3,7 @@ activate_python_venv
 install_package wireguard libev-dev libevdev2 default-libmysqlclient-dev build-essential pkg-config ssh-client
 
 useradd -m hiddify-panel -s /bin/bash >/dev/null 2>&1
+usermod -aG hiddify-common hiddify-panel
 
 echo -n "" >> ../log/system/panel.log
 chown hiddify-panel ../log/system/panel.log

diff --git a/other/wireguard/install.sh.j2 b/other/wireguard/install.sh.j2
@@ -5,7 +5,7 @@ install_package wireguard
 
 mkdir /etc/wireguard >/dev/null 2>&1
 
-chmod 600 -R /etc/wireguard/
+chmod 660 -R /etc/wireguard/
 
 SERVER_PUB_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)"
 SERVER_WG_IPV4="{{hconfigs["wireguard_ipv4"]}}"

diff --git a/other/wireguard/run.sh.j2 b/other/wireguard/run.sh.j2
@@ -1,7 +1,7 @@
 source ./wg_utils.sh
 
 sed -i '/\[Peer\]/,$d' /etc/wireguard/${SERVER_WG_NIC}.conf
-chmod 600 /etc/wireguard/${SERVER_WG_NIC}.conf
+chmod 660 /etc/wireguard/${SERVER_WG_NIC}.conf
 
 {% for u in users %}
 CLIENT_WG_IPV4=$(add_number_to_ipv4 {{hconfigs["wireguard_ipv4"]}} {{u.id}})

diff --git a/singbox/run.sh b/singbox/run.sh
@@ -1,7 +1,8 @@
 source /opt/hiddify-manager/common/utils.sh
 ln -sf $(pwd)/hiddify-singbox.service /etc/systemd/system/hiddify-singbox.service
 systemctl enable hiddify-singbox.service
-chmod -R 600 configs
+chmod -R 660 configs
+
 # curl -s -x socks://127.0.0.1:3000 http://ip-api.com?fields=message,country,countryCode,city,isp,org,as,query
 
 # sing-box check -C configs