fix: chown log files to sudo-invoking user so non-root API can append

'sudo decnet deploy' needs root for MACVLAN, but the log files it creates (decnet.log and decnet.system.log) end up owned by root. A subsequent non-root 'decnet api' then crashes on PermissionError appending to them. New decnet.privdrop helper reads SUDO_UID/SUDO_GID and chowns files/dirs back to the invoking user. Best-effort: no-op when not root, not under sudo, path missing, or chown fails. Applied at both log-file creation sites (config.py system log, logging/file_handler.py syslog file).
2026-04-17 13:39:09 -04:00
parent 140d2fbaad
commit 4b15b7eb35
4 changed files with 189 additions and 0 deletions
--- a/decnet/config.py
+++ b/decnet/config.py
@@ -91,6 +91,10 @@ def _configure_logging(dev: bool) -> None:
        )
        file_handler.setFormatter(fmt)
        root.addHandler(file_handler)
+        # Drop root ownership when invoked via sudo so non-root follow-up
+        # commands (e.g. `decnet api` after `sudo decnet deploy`) can append.
+        from decnet.privdrop import chown_to_invoking_user
+        chown_to_invoking_user(_log_path)


 _dev = os.environ.get("DECNET_DEVELOPER", "").lower() == "true"