From a3ff5337ee4de4b5d08857f732978dad59426f1e Mon Sep 17 00:00:00 2001
From: Paul Trowbridge
Date: Wed, 3 Jun 2026 21:37:18 -0400
Subject: [PATCH] deploy.sh: chown only pipekit.db, not the whole repo

Avoids stripping write access from the developer. The service only needs to own pipekit.db (runtime writes) and .venv (created as pipekit). Source code stays owned by whoever ran deploy.sh.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 deploy.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index 8508a97..9d867dd 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -80,9 +80,16 @@ fi
 # ── 3. Ownership ──────────────────────────────────────────────────────────────
 step "File ownership and permissions"
-echo " Setting $REPO_DIR → $SERVICE_NAME:$SERVICE_NAME (group-writable)"
-chown -R "$SERVICE_NAME:$SERVICE_NAME" "$REPO_DIR"
-chmod -R g+w "$REPO_DIR"
+# Only chown what the service needs to write at runtime.
+# Source code stays owned by the invoking user.
+DB_FILE="$REPO_DIR/pipekit.db"
+if [ -f "$DB_FILE" ]; then
+ echo " $DB_FILE → $SERVICE_NAME"
+ chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
+else
+ echo " $DB_FILE not yet created (pipekit init will create it as $SERVICE_NAME)"
+fi
+echo " $VENV_DIR → $SERVICE_NAME (created/managed below)"
 echo " Done."
 # ── 4. Venv + deps ────────────────────────────────────────────────────────────
@@ -135,6 +142,12 @@ fi
 # ── 7. Schema init ────────────────────────────────────────────────────────────
 step "Database schema"
+DB_FILE="$REPO_DIR/pipekit.db"
+if [ ! -f "$DB_FILE" ]; then
+ echo " Creating $DB_FILE owned by $SERVICE_NAME"
+ touch "$DB_FILE"
+ chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
+fi
 echo " Running pipekit init"
 sudo -u "$SERVICE_NAME" HOME=/nonexistent "$LAUNCHER" init
 echo " Done."
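Review bot: Removing `chmod -R g+w "$REPO_DIR"` leaves the directory that holds pipekit.db writable only by the developer, so if pipekit.db is an SQLite file (inferred from the name and the `init` step) the service can open it but cannot create the `-journal`/`-wal`/`-shm` sidecar files next to it and runtime writes will fail; the same constraint applies to the pre-create in the second hunk. Keeping the developer as owner while granting the service group write on just the directory (not recursively) would cover it: `chgrp "$SERVICE_NAME" "$REPO_DIR"` followed by `chmod g+w "$REPO_DIR"`. Separately, `[ -f "$DB_FILE" ]` and `chown` both follow symlinks and this step runs with enough privilege to chown; since `$REPO_DIR` is now deliberately owned by someone other than the deployer, a guard such as `[ -L "$DB_FILE" ] && { echo "refusing symlink $DB_FILE" >&2; exit 1; }` before the chown keeps a stray link from redirecting it. `DB_FILE` is also assigned identically here and in the second hunk; define it once next to `REPO_DIR`.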
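Review bot: `touch "$DB_FILE"` creates the database under the deployer's umask (typically 0644), so it is world-readable before and after the `chown` and nothing later tightens it; create it with owner and mode in one step instead of the `touch`/`chown` pair, `install -o "$SERVICE_NAME" -g "$SERVICE_NAME" -m 0640 /dev/null "$DB_FILE"`, which also avoids chowning through a symlink at that path. The `else` message in the ownership step says `pipekit init` will create the file as `$SERVICE_NAME`, but this hunk creates it as the deployer and chowns it, so one of the two should change to match, e.g. `echo " $DB_FILE not yet created (created in the schema step)"`. If the parent directory were group-writable for the service, `init` could create the file itself under the service account and this pre-create block would be unnecessary.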