Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/8/25 10:47, Alyssa Ross wrote:
>> This assumed it would be run as root, so has been broken since we
>> stopped running application scripts as root inside img/app VMs.
>> 
>> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
>> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
>> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  vm/app/systemd-sysupdate/download-update | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>> index eada41c..335e389 100755
>> --- a/vm/app/systemd-sysupdate/download-update
>> +++ b/vm/app/systemd-sysupdate/download-update
>> @@ -3,6 +3,7 @@
>>  # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>>  export LC_ALL C
>>  export LANGUAGE C
>> +unshare -rUm
>
> -r implies -U, and it would be more readable to use the long forms
> of these options.
>

And yet mount -o and -t, and mktemp -d?  (I can change it, but I have a
general preference for short options to stop lines getting too long, and
for portability when necessary.)

>>  if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
>>  backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
>>  # Not a useless use of cat: if there are NUL bytes in the URL