adjust tests and allow other users

Author: adamoutler

.devcontainer/Dockerfile

@@ -221,15 +221,17 @@ RUN addgroup -g ${READONLY_GID} "${READ_ONLY_GROUP}" && \
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 004 ${READ_ONLY_FOLDERS} && \
     find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
-    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
-    chown -R ${NETALERTX_USER}:${NETALERTX_GROUP} ${READ_WRITE_FOLDERS} && \
-    chmod -R 600 ${READ_WRITE_FOLDERS} && \
-    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
+    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 0777 ${READ_WRITE_FOLDERS} && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
     chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
-    for dir in ${READ_WRITE_FOLDERS}; do \
-        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
-    done && \
+    # Do not bake first-run artifacts into the image. If present, Docker volume copy-up
+    # will persist restrictive ownership/modes into fresh named volumes, breaking
+    # arbitrary non-root UID/GID runs.
+    rm -f \
+      "${NETALERTX_CONFIG}/app.conf" \
+      "${NETALERTX_DB_FILE}" \
+      "${NETALERTX_DB_FILE}-shm" \
+      "${NETALERTX_DB_FILE}-wal" || true && \
     apk del apk-tools && \
     rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
     /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \

Dockerfile

@@ -218,15 +218,17 @@ RUN addgroup -g ${READONLY_GID} "${READ_ONLY_GROUP}" && \
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 004 ${READ_ONLY_FOLDERS} && \
     find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
-    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
-    chown -R ${NETALERTX_USER}:${NETALERTX_GROUP} ${READ_WRITE_FOLDERS} && \
-    chmod -R 600 ${READ_WRITE_FOLDERS} && \
-    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
+    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 0777 ${READ_WRITE_FOLDERS} && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
     chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
-    for dir in ${READ_WRITE_FOLDERS}; do \
-        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
-    done && \
+    # Do not bake first-run artifacts into the image. If present, Docker volume copy-up
+    # will persist restrictive ownership/modes into fresh named volumes, breaking
+    # arbitrary non-root UID/GID runs.
+    rm -f \
+      "${NETALERTX_CONFIG}/app.conf" \
+      "${NETALERTX_DB_FILE}" \
+      "${NETALERTX_DB_FILE}-shm" \
+      "${NETALERTX_DB_FILE}-wal" || true && \
     apk del apk-tools && \
     rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
     /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \

front/plugins/plugin_helper.py

@@ -37,7 +37,7 @@ def read_config_file():
 
 
 configFile = read_config_file()
-timeZoneSetting = configFile['TIMEZONE']
+timeZoneSetting = configFile.get('TIMEZONE', default_tz)
 if timeZoneSetting not in all_timezones:
     timeZoneSetting = default_tz
 timeZone = pytz.timezone(timeZoneSetting)

install/production-filesystem/entrypoint.d/10-mounts.py

@@ -1,5 +1,20 @@
 #!/usr/bin/env python3
 
+"""
+Mount Diagnostic Tool
+
+Analyzes container mount points for permission issues, persistence risks, and performance problems.
+
+TODO: Future Enhancements (Roadmap Step 3 & 4)
+1. Text-based Output: Replace emoji status indicators (✅, ❌) with plain text (e.g., [OK], [FAIL])
+   to ensure compatibility with all terminal types and logging systems.
+2. OverlayFS/Copy-up Support: Improve detection logic for filesystems like Synology's OverlayFS
+   where files may appear writable but fail on specific operations (locking, mmap).
+3. Root-to-User Context: Ensure this tool remains accurate when the container starts as root
+   to fix permissions and then drops privileges to the 'netalertx' user. The check should
+   reflect the *effective* permissions of the application user.
+"""
+
 import os
 import sys
 from dataclasses import dataclass
@@ -80,7 +95,21 @@ def _resolve_writeable_state(target_path: str) -> bool:
         seen.add(current)
 
         if os.path.exists(current):
-            return os.access(current, os.W_OK)
+            if not os.access(current, os.W_OK):
+                return False
+            
+            # OverlayFS/Copy-up check: Try to actually write a file to verify
+            if os.path.isdir(current):
+                test_file = os.path.join(current, f".netalertx_write_test_{os.getpid()}")
+                try:
+                    with open(test_file, "w") as f:
+                        f.write("test")
+                    os.remove(test_file)
+                    return True
+                except OSError:
+                    return False
+            
+            return True
 
         parent_dir = os.path.dirname(current)
         if not parent_dir or parent_dir == current:

install/production-filesystem/entrypoint.d/15-first-run-config.sh

@@ -7,7 +7,7 @@ if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then
         >&2 echo "ERROR: Failed to create config directory ${NETALERTX_CONFIG}"
         exit 1
     }
-    install -m 600 -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} /app/back/app.conf "${NETALERTX_CONFIG}/app.conf" || {
+    install -m 600 /app/back/app.conf "${NETALERTX_CONFIG}/app.conf" || {
         >&2 echo "ERROR: Failed to deploy default config to ${NETALERTX_CONFIG}/app.conf"
         exit 2
     }

install/production-filesystem/entrypoint.d/30-apply-conf-override.sh

@@ -13,9 +13,7 @@ mkdir -p "$(dirname "$NETALERTX_CONFIG")" || {
 rm -f "$OVERRIDE_FILE"
 
 # Check if APP_CONF_OVERRIDE is set
-if [ -z "$APP_CONF_OVERRIDE" ]; then
-    >&2 echo "APP_CONF_OVERRIDE is not set. Skipping override config file creation."
-else
+if [ -n "$APP_CONF_OVERRIDE" ]; then
     # Save the APP_CONF_OVERRIDE env variable as a JSON file
     echo "$APP_CONF_OVERRIDE" > "$OVERRIDE_FILE" || {
         >&2 echo "ERROR: Failed to write override config to $OVERRIDE_FILE"

install/production-filesystem/entrypoint.sh

@@ -50,8 +50,7 @@ fi
 RED='\033[1;31m'
 GREY='\033[90m'
 RESET='\033[0m'
-printf "%s" "${RED}"
-echo '
+NAX='
  _   _      _    ___  _           _  __   __
 | \ | |    | |  / _ \| |         | | \ \ / /
 |  \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / 
@@ -60,13 +59,12 @@ echo '
 \_| \_/\___|\__\_| |_/_|\___|_|   \__\/   \/
 '
 
-printf "%s" "${RESET}"
+printf "%b%s%b" "${RED}" "${NAX}" "${RESET}"
 echo '   Network intruder and presence detector. 
    https://netalertx.com
 
 '
 set -u
-
 FAILED_STATUS=""
 echo "Startup pre-checks"
 for script in "${ENTRYPOINT_CHECKS}"/*; do
@@ -123,7 +121,6 @@ fi
 # Set APP_CONF_OVERRIDE based on GRAPHQL_PORT if not already set
 if [ -n "${GRAPHQL_PORT:-}" ] && [ -z "${APP_CONF_OVERRIDE:-}" ]; then
     export APP_CONF_OVERRIDE='{"GRAPHQL_PORT":"'"${GRAPHQL_PORT}"'"}'
-    echo "Setting APP_CONF_OVERRIDE to $APP_CONF_OVERRIDE"
 fi
 
 
@@ -283,15 +280,6 @@ add_service "${SYSTEM_SERVICES}/start-php-fpm.sh" "php-fpm83"
 add_service "${SYSTEM_SERVICES}/start-nginx.sh" "nginx"
 add_service "${SYSTEM_SERVICES}/start-backend.sh" "python3"
 
-################################################################################
-# Development Mode Debug Switch
-################################################################################
-# If NETALERTX_DEBUG=1, skip automatic service restart on failure
-# Useful for devcontainer debugging where individual services need to be debugged
-if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
-	echo "NETALERTX_DEBUG is set to 1, will not shut down other services if one fails."
-fi
-
 ################################################################################
 # Service Monitoring Loop (Production Mode)
 ################################################################################

test/docker_tests/debug_storage_permission.sh

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# 0-storage-permission.sh: Fix permissions if running as root.
+#
+# This script checks if running as root and fixes ownership and permissions
+# for read-write paths to ensure proper operation.
+
+# --- Color Codes ---
+MAGENTA=$(printf '\033[1;35m')
+RESET=$(printf '\033[0m')
+
+# --- Main Logic ---
+
+# Define paths that need read-write access
+READ_WRITE_PATHS="
+${NETALERTX_DATA}
+${NETALERTX_DB}
+${NETALERTX_API}
+${NETALERTX_LOG}
+${SYSTEM_SERVICES_RUN}
+${NETALERTX_CONFIG}
+${NETALERTX_CONFIG_FILE}
+${NETALERTX_DB_FILE}
+"
+
+TARGET_USER="${NETALERTX_USER:-netalertx}"
+
+# If running as root, fix permissions first
+if [ "$(id -u)" -eq 0 ]; then
+    >&2 printf "%s" "${MAGENTA}"
+    >&2 cat <<'EOF'
+══════════════════════════════════════════════════════════════════════════════
+🚨 CRITICAL SECURITY ALERT: NetAlertX is running as ROOT (UID 0)! 🚨
+
+    This configuration bypasses all built-in security hardening measures.
+    You've granted a network monitoring application unrestricted access to
+    your host system. A successful compromise here could jeopardize your
+    entire infrastructure.
+
+    IMMEDIATE ACTION REQUIRED: Switch to the dedicated 'netalertx' user:
+      * Remove any 'user:' directive specifying UID 0 from docker-compose.yml or
+      * switch to the default USER in the image (20211:20211)
+
+    IMPORTANT: This corrective mode automatically adjusts ownership of
+    /data/db and /data/config directories to the netalertx user, ensuring
+    proper operation in subsequent runs.
+
+    Remember: Never operate security-critical tools as root unless you're 
+    actively trying to get pwned.
+
+    https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/running-as-root.md
+══════════════════════════════════════════════════════════════════════════════
+EOF
+    >&2 printf "%s" "${RESET}"
+
+    # Set ownership and permissions for each read-write path individually
+    printf '%s\n' "${READ_WRITE_PATHS}" | while IFS= read -r path; do
+        [ -n "${path}" ] || continue
+        echo "DEBUG: Processing $path"
+        chown -v -R "${TARGET_USER}" "${path}" || echo "DEBUG: chown failed for $path"
+        find "${path}" -type d -exec chmod -v u+rwx {} \;
+        find "${path}" -type f -exec chmod -v u+rw {} \;
+    done
+    echo Permissions fixed for read-write paths. Please restart the container as user ${TARGET_USER}.
+    sleep infinity & wait $!
+fi