packages/net/adguardhome/files/adguardhome.defaults
George Sapkin 754a9908f4 adguardhome: run as an unprivileged user
Run AdGuard Home without superuser privileges, by granting the binary
capabilities through ujail.

AdGuard Home writes new config files, so it must have r/w access to the
directory where these files live, which means existing configs must be
migrated to a new directory, /etc/adguardhome by default.

CAP_NET_BIND_SERVICE and CAP_NET_RAW capabilities are based on the
official documentation linked below.

Link: https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#running-without-superuser-linux-only
Signed-off-by: George Sapkin <george@sapk.in>
2025-08-06 21:49:54 +08:00


#!/bin/sh
# uci-defaults hook: move the AdGuard Home config into its own directory so
# the service can run unprivileged with r/w access to where it writes files.

# Config path currently registered in uci; fall back to the legacy location
# when the option is unset or empty.
OLD_CONFIG_FILE=$(uci -q get adguardhome.config.config)
[ -n "$OLD_CONFIG_FILE" ] || OLD_CONFIG_FILE=/etc/adguardhome.yaml

# Target directory and file the migrated config ends up in.
NEW_CONFIG_DIR=/etc/adguardhome
NEW_CONFIG_FILE=$NEW_CONFIG_DIR/adguardhome.yaml
# Start the adguardhome init service unless it already reports itself as
# running. Returns 0 when nothing had to be done, otherwise the start status.
start_service() {
	/etc/init.d/adguardhome running || /etc/init.d/adguardhome start
}
# Stop the adguardhome init service only when it reports itself as running.
# The negated test keeps the status 0 in the "not running" case, so callers
# see the same result as with an if/fi that has no else branch.
stop_service() {
	! /etc/init.d/adguardhome running || /etc/init.d/adguardhome stop
}
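#######################################
# Print the scalar value of the first "key: value" line whose key is $1 in
# the YAML file $2. The match is anchored to optional leading whitespace, so
# commented-out keys ("# key: ...") are skipped; surrounding single/double
# quotes and whitespace are stripped. Only the first match is printed, so
# the result is always a single line. Prints nothing when the key is absent.
# Arguments: $1 - YAML key name, $2 - path of the YAML file
# Outputs:   the value on stdout
#######################################
yaml_scalar() {
	grep "^[[:space:]]*$1:" "$2" | awk '
		{
			v = $0
			# Drop "key:" and what follows it, keeping any ":" inside the value.
			sub(/^[^:]*:[[:space:]]*/, "", v)
			gsub(/["'\'']/, "", v)
			gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
			print v
			exit
		}'
}

#######################################
# Add path $1 to adguardhome.config.jail_mount unless it is already listed.
# "uci show" prints each list entry single-quoted, so the quoted form is
# matched to avoid a substring false positive (e.g. "/a/key.pem" inside
# "/a/key.pem.bak"); -F and -- keep regex metacharacters or a leading "-"
# in the path from being taken as a pattern or an option.
# Arguments: $1 - host path the jailed service must be able to reach
#######################################
ensure_jail_mount() {
	if ! uci -q show adguardhome.config.jail_mount | grep -qF -- "'$1'"; then
		uci add_list adguardhome.config.jail_mount="$1"
	fi
}

if [ -f "$OLD_CONFIG_FILE" ] && [ "$OLD_CONFIG_FILE" != "$NEW_CONFIG_FILE" ]; then
	echo "Old AdGuard Home config found in '$OLD_CONFIG_FILE'"
	OLD_CONFIG_DIR=$(dirname "$OLD_CONFIG_FILE")
	# SVC_* rather than USER/GROUP so the login USER env var is not clobbered.
	SVC_USER=$(uci -q get adguardhome.config.user)
	SVC_USER=${SVC_USER:-adguardhome}
	SVC_GROUP=$(uci -q get adguardhome.config.group)
	SVC_GROUP=${SVC_GROUP:-adguardhome}
	echo "Using $SVC_USER:$SVC_GROUP for file ownership."
	# File that is inspected for TLS paths below; updated once migrated.
	CUR_CONFIG_FILE="$OLD_CONFIG_FILE"
	if [ "$OLD_CONFIG_DIR" = "/etc" ]; then
		echo "AdGuard Home config must be stored in its own directory. Migrating..."
		stop_service
		# 0700 + chown below restrict the config to the service user only.
		[ -d "$NEW_CONFIG_DIR" ] || mkdir -m 0700 -p "$NEW_CONFIG_DIR"
		# Do not switch the uci path to a file that does not exist: on a failed
		# move restart the service on its unchanged config and exit non-zero so
		# the uci-defaults script is kept for a later run.
		if ! mv "$OLD_CONFIG_FILE" "$NEW_CONFIG_FILE"; then
			echo "Failed to move '$OLD_CONFIG_FILE' to '$NEW_CONFIG_FILE'" >&2
			start_service
			exit 1
		fi
		chown -R "$SVC_USER":"$SVC_GROUP" "$NEW_CONFIG_DIR"
		CUR_CONFIG_FILE="$NEW_CONFIG_FILE"
		uci set adguardhome.config.config="$NEW_CONFIG_FILE"
		echo "Config migrated to '$NEW_CONFIG_FILE'"
	elif [ "$OLD_CONFIG_DIR" != "$NEW_CONFIG_DIR" ]; then
		# Separate echo arguments, not "+": a bare + would be printed literally.
		echo "AdGuard Home config is stored in a non-default path." \
			"Ensure configured service user '$SVC_USER' can access it."
	fi
	# Custom TLS material lives outside the jail; make sure it is mounted in.
	for key in certificate_path private_key_path; do
		path=$(yaml_scalar "$key" "$CUR_CONFIG_FILE")
		[ -n "$path" ] || continue
		echo "Found custom '$key' pointing to '$path'." \
			"Ensure configured service user '$SVC_USER' can access it."
		stop_service
		ensure_jail_mount "$path"
	done
	uci commit adguardhome
	start_service
elif [ "$OLD_CONFIG_FILE" != "$NEW_CONFIG_FILE" ]; then
	echo "Old AdGuard Home config not found in '$OLD_CONFIG_FILE'"
	stop_service
	# Service script will create the new config directory
	uci set adguardhome.config.config="$NEW_CONFIG_FILE"
	echo "Config path changed to '$NEW_CONFIG_FILE'"
	uci commit adguardhome
	start_service
else
	echo "AdGuard Home config is in its default path '$NEW_CONFIG_FILE'. Nothing to do."
fi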