From 9aa2438e756e58103e773dc633c5b8ab12153453 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 21 Jun 2026 17:45:36 +0000
Subject: [PATCH] workstation: run wire-memory-hooks as root, not runuser (fix non-admin wiring)

install_memory ran the JSON-merge helper via 'runuser -u $user', but the helper lives under the admin's mode-700 home ($WORKSTATION_DIR) which non-admin users can't traverse -> wiring silently failed for emo/anca (hooks copied but never wired into settings.json). Run the helper as root (it reads both the repo helper and the user's home) and chown the result back to the user. Verified by the live all-users rollout: emo + anca now wired correctly.

Co-Authored-By: Claude Opus 4.8
---
 scripts/t3-provision-users.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/t3-provision-users.sh b/scripts/t3-provision-users.sh
index eadbe759..6164235d 100644
--- a/scripts/t3-provision-users.sh
+++ b/scripts/t3-provision-users.sh
@@ -404,9 +404,12 @@ install_memory() {
 install -o "$user" -g "$user" -m 0755 "$src/$h" "$hooks_dst/$h"
 done

- # (2) wire the hooks in settings.json (AS the user -> correct ownership), if-absent + additive;
+ # (2) wire the hooks in settings.json, if-absent + additive. Run the helper as ROOT:
+ # it must read $src under the admin's hardened home (mode 700), which a
+ # runuser-as-$user CANNOT traverse — so chown the result back to the user and
 # enforce 0600 (it holds the per-user MEMORY_API_KEY).
- if runuser -u "$user" -- python3 "$src/wire-memory-hooks.py" "$home" >/dev/null 2>&1; then
+ if python3 "$src/wire-memory-hooks.py" "$home" >/dev/null 2>&1; then
+ [[ -f "$settings" ]] && chown "$user:$user" "$settings" 2>/dev/null || true
 log "memory hooks wired -> $user"
 else
 log "WARN: memory hook wiring failed for $user (retries next reconcile)"
-- 
2.49.1
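Review bot: Running `wire-memory-hooks.py` as root against `$home` means a root process now writes into a directory the target user controls, and the follow-up `chown "$user:$user" "$settings"` dereferences symlinks, so a link placed at `$settings` or a parent directory can redirect both the write and the ownership change outside that user's home. The least-privilege way around the mode-700 traversal is to let the root shell open the helper while the interpreter stays unprivileged, e.g. `if runuser -u "$user" -- python3 - "$home" <"$src/wire-memory-hooks.py" >/dev/null 2>&1; then` (assuming the helper does not rely on `__file__` or read stdin), which also makes the chown unnecessary. If the root run stays, at least guard with `[[ ! -L "$settings" ]]` and use `chown -h`, and do not hide a failed chown behind `2>/dev/null || true` before logging "memory hooks wired", since the file holds the per-user MEMORY_API_KEY and would be left root-owned, as presumably would any directories the helper creates. `install_memory` begins and ends outside this hunk, so where `$settings` is defined and where the 0600 mode is actually enforced cannot be confirmed from these lines.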