diff --git a/backend/src/routes/updates.rs b/backend/src/routes/updates.rs index de0e6da9..2338c46a 100644 --- a/backend/src/routes/updates.rs +++ b/backend/src/routes/updates.rs @@ -255,7 +255,18 @@ pub async fn install_update( tokio::spawn(async move { tracing::info!("Spawning update process for version {}", version_clone); - match Command::new("sh") + // Check if we're running as root or need sudo + let use_sudo = unsafe { libc::geteuid() } != 0; + + let mut command = if use_sudo { + let mut cmd = Command::new("sudo"); + cmd.arg("bash"); + cmd + } else { + Command::new("bash") + }; + + match command .arg(&script_path_clone) .arg(&version_clone) .stdout(std::process::Stdio::piped()) diff --git a/scripts/install.sh b/scripts/install.sh index 466fc59a..a45f14c3 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -277,6 +277,16 @@ create_service_user() { print_success "Benutzer '$SERVICE_USER' erstellt" fi + # Configure sudo access for update script (passwordless, specific command only) + print_step "Konfiguriere sudo-Zugriff für Updates..." + cat > /etc/sudoers.d/csf-core << EOF +# Allow csf-core user to run update script without password +$SERVICE_USER ALL=(ALL) NOPASSWD: /opt/csf-core/scripts/update.sh +$SERVICE_USER ALL=(ALL) NOPASSWD: /bin/bash /opt/csf-core/scripts/update.sh +EOF + chmod 0440 /etc/sudoers.d/csf-core + print_success "sudo-Zugriff für Updates konfiguriert" + # Add user to docker group if Docker is installed if command -v docker &> /dev/null; then if getent group docker > /dev/null 2>&1; then