From aef5a9be08c6b71cfa08b7f3957334dbaff06e14 Mon Sep 17 00:00:00 2001 From: hiddify-com <114227601+hiddify-com@users.noreply.github.com> Date: Sat, 16 Nov 2024 17:44:47 +0330 Subject: [PATCH] fix: permissions --- .github/workflows/docker.yaml | 2 +- common/install.sh | 3 +++ docker-compose.yml | 30 ++++++++++++++++++++---------- hiddify-panel/install.sh | 1 + other/wireguard/install.sh.j2 | 2 +- other/wireguard/run.sh.j2 | 2 +- singbox/run.sh | 3 ++- 7 files changed, 29 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 3a4aba1f0..5eb2b0456 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -72,7 +72,7 @@ jobs: needs: - make-upload-docker env: - LATEST: ${{ endsWith(github.ref_name , 'dev') && 'beta' ||'latest'}} + LATEST: "${{ github.ref_type == 'tag' && (endsWith(github.ref_name , 'dev') && 'beta' ||'latest') || 'dev' }}" steps: - name: Download digests uses: actions/download-artifact@v4 diff --git a/common/install.sh b/common/install.sh index aa9716825..aa4c4dfbc 100755 --- a/common/install.sh +++ b/common/install.sh @@ -17,6 +17,9 @@ else sudo timedatectl set-timezone Asia/Tehran fi +groupadd hiddify-common +usermod -aG hiddify-common root + # rm /run/resolvconf/interface/* #echo "nameserver 8.8.8.8" >/etc/resolv.conf #echo "nameserver 1.1.1.1" >>/etc/resolv.conf diff --git a/docker-compose.yml b/docker-compose.yml index c3d7b0570..581c96ef5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
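Review bot: In common/install.sh the added `groupadd hiddify-common` is not idempotent: on a second run of the installer the group already exists and groupadd exits non-zero with an error message. `groupadd -f hiddify-common`, or a `getent group hiddify-common >/dev/null ||` guard in front of it, keeps re-runs clean. The following `usermod -aG hiddify-common root` gains little, since root is not bound by group permission bits. A short comment naming the service accounts meant to join the group and the paths it should reach would make the intent reviewable. The script continues outside the hunk.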
@@ -1,25 +1,35 @@ -version: '3.8' - - services: hiddify: + #only for local build and development + #build: . + + #latest release version + image: ghcr.io/hiddify/hiddify-manager:latest + + #latest beta version + #image: ghcr.io/hiddify/hiddify-manager:beta + + #latest build of current development + #image: ghcr.io/hiddify/hiddify-manager:dev + + #specific version + #image: ghcr.io/hiddify/hiddify-manager:v10.80.0 - depends_on: - - mariadb - - redis - build: . ports: - 443:443 - 80:80 - # privileged: true - # cap_add: - # - NET_ADMIN + privileged: true + cap_add: + - NET_ADMIN volumes: - ./docker-data/:/hiddify-data/ environment: REDIS_URI_MAIN: 'redis://:REDIS_STRONG_PASS@redis:6379/0' REDIS_URI_SSH: 'redis://:REDIS_STRONG_PASS@redis:6379/1' SQLALCHEMY_DATABASE_URI: 'mysql+mysqldb://hiddifypanel:MYSQL_STRONG_PASS@mariadb/hiddifypanel?charset=utf8mb4' + depends_on: + - mariadb + - redis mariadb: image: mariadb:latest diff --git a/hiddify-panel/install.sh b/hiddify-panel/install.sh index 2dadb8d20..9d6b1f777 100755 --- a/hiddify-panel/install.sh +++ b/hiddify-panel/install.sh @@ -3,6 +3,7 @@ activate_python_venv install_package wireguard libev-dev libevdev2 default-libmysqlclient-dev build-essential pkg-config ssh-client useradd -m hiddify-panel -s /bin/bash >/dev/null 2>&1 +usermod -aG hiddify-common hiddify-panel echo -n "" >> ../log/system/panel.log chown hiddify-panel ../log/system/panel.log diff --git a/other/wireguard/install.sh.j2 b/other/wireguard/install.sh.j2 index 391492c60..cbe79d27a 100644 --- a/other/wireguard/install.sh.j2 +++ b/other/wireguard/install.sh.j2 @@ -5,7 +5,7 @@ install_package wireguard mkdir /etc/wireguard >/dev/null 2>&1 -chmod 600 -R /etc/wireguard/ +chmod 660 -R /etc/wireguard/ SERVER_PUB_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" SERVER_WG_IPV4="{{hconfigs["wireguard_ipv4"]}}" diff --git a/other/wireguard/run.sh.j2 b/other/wireguard/run.sh.j2 index e66f60658..abf86d3b4 100644 
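Review bot: In docker-compose.yml the `hiddify` service now sets `privileged: true` next to a `cap_add` entry for `NET_ADMIN`. Privileged mode already grants every capability plus access to host devices, so the `cap_add` entry has no effect and the container publishing ports 80 and 443 runs with close to host-root authority. If the service only needs to configure networking, drop `privileged: true`, keep the `NET_ADMIN` entry, and list any device nodes it needs under `devices:`. The default `image: ghcr.io/hiddify/hiddify-manager:latest` is a mutable tag; the commented `v10.80.0` form, or a digest, would make a deployment reproducible.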
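Review bot: In hiddify-panel/install.sh the added `usermod -aG hiddify-common hiddify-panel` depends on the group created in common/install.sh, and nothing in this hunk checks that the group exists. On a host where that step was skipped or failed, the call fails and, as far as the hunk shows, the script carries on without the membership. A guard such as `getent group hiddify-common >/dev/null || groupadd hiddify-common` before the usermod makes this script self-contained. Group membership is only picked up by processes started afterwards, so a panel service that is already running needs a restart before the new permissions apply.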
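Review bot: In other/wireguard/install.sh.j2, `chmod 660 -R /etc/wireguard/` also puts mode 660 on the directory itself, which clears its search (x) bit, so a non-root group member still cannot open the files inside. No hunk in this patch changes the group owner of these paths, so unless a `chgrp` happens elsewhere the new group bits go to the existing group, not to hiddify-common. `chgrp -R hiddify-common /etc/wireguard/` followed by `chmod -R u=rwX,g=rX,o= /etc/wireguard/` gives directories 750 and files 640. Group write deserves a second look: these files normally hold the WireGuard private key, and if the config is brought up with wg-quick its hook directives run as root, so write access for the panel account is close to root access. The same recursive 660 is in singbox/run.sh (`chmod -R 660 configs`), and other/wireguard/run.sh.j2 widens the single config file in the same way.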
--- a/other/wireguard/run.sh.j2 +++ b/other/wireguard/run.sh.j2 @@ -1,7 +1,7 @@ source ./wg_utils.sh sed -i '/\[Peer\]/,$d' /etc/wireguard/${SERVER_WG_NIC}.conf -chmod 600 /etc/wireguard/${SERVER_WG_NIC}.conf +chmod 660 /etc/wireguard/${SERVER_WG_NIC}.conf {% for u in users %} CLIENT_WG_IPV4=$(add_number_to_ipv4 {{hconfigs["wireguard_ipv4"]}} {{u.id}}) diff --git a/singbox/run.sh b/singbox/run.sh index ee678ce3e..479dc3397 100644 --- a/singbox/run.sh +++ b/singbox/run.sh @@ -1,7 +1,8 @@ source /opt/hiddify-manager/common/utils.sh ln -sf $(pwd)/hiddify-singbox.service /etc/systemd/system/hiddify-singbox.service systemctl enable hiddify-singbox.service -chmod -R 600 configs +chmod -R 660 configs + # curl -s -x socks://127.0.0.1:3000 http://ip-api.com?fields=message,country,countryCode,city,isp,org,as,query # sing-box check -C configs