From c6b363974ebc2092a1b5765cc40e2b1cf24b836a Mon Sep 17 00:00:00 2001
From: robojerk
Date: Tue, 5 Aug 2025 10:30:21 -0700
Subject: [PATCH] Fix Podman container to run as non-root user
- Add sudo package installation in containers
- Create backport-user account in containers
- Set proper ownership of workspace directory
- Configure sudo access for backport-user
- Run ostree-backport.sh as non-root user
- This fixes the 'should not be run as root' safety check
- Maintains all safety features while allowing proper execution
---
 backport-noble.sh | 8 ++++++--
 backport-trixie.sh | 8 ++++++--
 libostree-dev_noble_backport.sh | 0
 3 files changed, 12 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 libostree-dev_noble_backport.sh
diff --git a/backport-noble.sh b/backport-noble.sh
index ac7251a..b3e6966 100755
--- a/backport-noble.sh
+++ b/backport-noble.sh
@@ -69,14 +69,18 @@ run_in_podman() {
 bash -c "
 echo '=== Setting up container environment ==='
 apt update -y
- apt install -y git curl wget
+ apt install -y git curl wget sudo
 git clone https://git.raines.xyz/robojerk/libostree-dev.git /tmp/libostree-dev
 cp -r /tmp/libostree-dev/* /workspace/
 cp -r /tmp/libostree-dev/.* /workspace/ 2>/dev/null || true
 chmod +x /workspace/*.sh
 echo '=== Container ready, running backport ==='
 cd /workspace
- ./ostree-backport.sh noble
+ # Create a non-root user for running the script
+ useradd -m -s /bin/bash backport-user
+ chown -R backport-user:backport-user /workspace
+ echo 'backport-user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+ su - backport-user -c 'cd /workspace && ./ostree-backport.sh noble'
 "
 }
diff --git a/backport-trixie.sh b/backport-trixie.sh
index 31c67dc..ee14d5a 100755
--- a/backport-trixie.sh
+++ b/backport-trixie.sh
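Review bot: The added `echo 'backport-user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers` line gives the new account unrestricted passwordless root, so the backport still runs with root authority one `sudo` away and the 'should not be run as root' check is satisfied only nominally; the identical line is in the backport-trixie.sh hunk. If ostree-backport.sh needs root only for a known set of commands (not visible here), restrict the rule to those commands, and in any case write it as a drop-in and validate it instead of appending to the main file, which sudo refuses to load at all after a syntax error: `printf 'backport-user ALL=(ALL) NOPASSWD:ALL\n' > /etc/sudoers.d/backport-user`, `chmod 0440 /etc/sudoers.d/backport-user`, `visudo -cf /etc/sudoers.d/backport-user`. Separately, `chown -R backport-user:backport-user /workspace` rewrites ownership on the host side if /workspace is a bind mount (the podman run invocation is outside the hunk) and the in-container UID need not match the host user, so either keep that mount in mind or map the IDs with `--userns=keep-id`. None of the new steps is checked for failure and the `bash -c` body has no `set -e`, so a failed apt, useradd or chown is not fatal and execution simply continues to `su`; `set -e` as the first line of the `bash -c` body would make each step fatal. The enclosing run_in_podman() function starts before the hunk.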
@@ -69,14 +69,18 @@ run_in_podman() {
 bash -c "
 echo '=== Setting up container environment ==='
 apt update -y
- apt install -y git curl wget
+ apt install -y git curl wget sudo
 git clone https://git.raines.xyz/robojerk/libostree-dev.git /tmp/libostree-dev
 cp -r /tmp/libostree-dev/* /workspace/
 cp -r /tmp/libostree-dev/.* /workspace/ 2>/dev/null || true
 chmod +x /workspace/*.sh
 echo '=== Container ready, running backport ==='
 cd /workspace
- ./ostree-backport.sh trixie
+ # Create a non-root user for running the script
+ useradd -m -s /bin/bash backport-user
+ chown -R backport-user:backport-user /workspace
+ echo 'backport-user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+ su - backport-user -c 'cd /workspace && ./ostree-backport.sh trixie'
 "
 }
diff --git a/libostree-dev_noble_backport.sh b/libostree-dev_noble_backport.sh
old mode 100644
new mode 100755