www/caddy: fix setup.sh script not setting correct ownership in www user mode (#4976)

* www/caddy: Streamline setup.sh, since chown is skipped automatically when ownership matches * add changelog
2026-02-03 20:40:37 -05:00 · 2025-10-11 14:02:48 +02:00 · 2025-10-11 14:02:48 +02:00 · e19e3c94f6
commit e19e3c94f6
parent 27bd359a36
2 changed files with 15 additions and 30 deletions
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@ -10,6 +10,7 @@ Plugin Changelog

 Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
 Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
+Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)

 2.0.3

--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@ -31,10 +31,6 @@
 CADDY_USER="${caddy_user:-root}"
 CADDY_GROUP="${caddy_group:-wheel}"

-# Canary to detect root->www switch (disable superuser) permission issues
-# The storage instance will always exist, it's a good assumption
-CANARY="/var/db/caddy/data/caddy/instance.uuid"
-
 # Define directories
 CADDY_CONF_DIR="/usr/local/etc/caddy"
 CADDY_DATA_DIR="/var/db/caddy"
@ -43,35 +39,23 @@ CADDY_CONF_CUSTOM_DIR="${CADDY_CONF_DIR}/caddy.d"
 CADDY_CONF_CERT_DIR="${CADDY_CONF_DIR}/certificates"
 CADDY_LOG_CUSTOM_DIR="${CADDY_LOG_DIR}/access"

-mkdir -p "${CADDY_CONF_DIR}" \
-         "${CADDY_DATA_DIR}" \
-         "${CADDY_LOG_DIR}" \
-         "${CADDY_CONF_CUSTOM_DIR}" \
-         "${CADDY_CONF_CERT_DIR}" \
-         "${CADDY_LOG_CUSTOM_DIR}"
+# Group the main directories
+CADDY_DIRS="
+${CADDY_CONF_DIR}
+${CADDY_DATA_DIR}
+${CADDY_LOG_DIR}
+${CADDY_CONF_CERT_DIR}
+${CADDY_CONF_CUSTOM_DIR}
+${CADDY_LOG_CUSTOM_DIR}
+"
+
+# No inode changes occur when directory already exists or permissions are correct.
+# Always running these when caddy starts guarantees correct ownership with minimal read and writes.
+mkdir -p ${CADDY_DIRS}
+chown -R "${CADDY_USER}:${CADDY_GROUP}" ${CADDY_DIRS}

 # Format and overwrite the Caddyfile
 ( cd "${CADDY_CONF_DIR}" && /usr/local/bin/caddy fmt --overwrite )

 # Write custom certs from the OPNsense Trust Store
 /usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
-
-# Ownership decision based on current service user/group, otherwise skip
-EXPECTED_USER="$CADDY_USER"
-EXPECTED_GROUP="$CADDY_GROUP"
-
-if [ -f "$CANARY" ]; then
-    CANARY_USER="$(stat -f '%Su' "$CANARY")"
-    CANARY_GROUP="$(stat -f '%Sg' "$CANARY")"
-
-    if [ "$CANARY_USER" = "$EXPECTED_USER" -a "$CANARY_GROUP" = "$EXPECTED_GROUP" ]; then
-        exit 0
-    fi
-fi
-
-# Use detected service user/group, only migrate ownership
-# We only interact with the storage in this specific edge case, in all other cases caddy must have atomic write guarantee
-chown -R "${CADDY_USER}:${CADDY_GROUP}" "${CADDY_CONF_DIR}" \
-                                        "${CADDY_DATA_DIR}" \
-                                        "${CADDY_LOG_DIR}" \
-                                        "${CADDY_CONF_CERT_DIR}"