Skip to content

fix(install): ensure .openclaw-data ownership for sandbox user (fixes #692) #1089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kagura-agent wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(install): ensure .openclaw-data ownership for sandbox user (fixes #692) #1089

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
54ec466
fix(install): ensure .openclaw-data ownership for sandbox user (fixes…
kagura-agent Mar 30, 2026
85bcc69
fix(install): ensure parent dir exists before identity symlink
kagura-agent Mar 30, 2026
1cc6be5
fix: deep ownership scan and robust identity symlink repair
kagura-agent Mar 30, 2026
b33ca5d
Merge branch 'main' into fix/692-identity-dir-permissions-v2
cv Mar 30, 2026
666e226
Merge branch 'main' into fix/692-identity-dir-permissions-v2
cv Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions scripts/nemoclaw-start.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -298,6 +298,45 @@ if [ "$(id -u)" -ne 0 ]; then
echo "[SECURITY] Config integrity check failed — refusing to start (non-root mode)"
exit 1
fi

# Ensure writable state directories exist and are owned by the current user.
# The Docker build (Dockerfile) sets this up correctly, but the native curl
# installer may create these directories as root, causing EACCES when openclaw
# tries to write device-auth.json or other state files. Ref: #692
fix_openclaw_data_ownership() {
local data_dir="${HOME}/.openclaw-data"
local openclaw_dir="${HOME}/.openclaw"
[ -d "$data_dir" ] || return 0
local subdirs="agents/main/agent extensions workspace skills hooks identity devices canvas cron"
for sub in $subdirs; do
mkdir -p "${data_dir}/${sub}" 2>/dev/null || true
done
if find "$data_dir" ! -uid "$(id -u)" -print -quit 2>/dev/null | grep -q .; then
if chown -R "$(id -u):$(id -g)" "$data_dir" 2>/dev/null; then
echo "[setup] fixed ownership on ${data_dir}"
else
echo "[setup] could not fix ownership on ${data_dir}; writes may fail" >&2
fi
fi
if [ -d "${data_dir}/identity" ]; then
mkdir -p "${openclaw_dir}" 2>/dev/null || true
if [ -L "${openclaw_dir}/identity" ]; then
local current_target expected_target
current_target="$(readlink -f "${openclaw_dir}/identity" 2>/dev/null || true)"
expected_target="$(readlink -f "${data_dir}/identity" 2>/dev/null || true)"
if [ "$current_target" != "$expected_target" ]; then
ln -snf "${data_dir}/identity" "${openclaw_dir}/identity" 2>/dev/null || true
echo "[setup] repaired identity symlink"
fi
elif [ ! -e "${openclaw_dir}/identity" ]; then
ln -snf "${data_dir}/identity" "${openclaw_dir}/identity" 2>/dev/null || true
echo "[setup] created identity symlink"
else
echo "[setup] ${openclaw_dir}/identity exists and is not a symlink; leaving as-is" >&2
fi
fi
}
fix_openclaw_data_ownership
write_auth_profile

if [ ${#NEMOCLAW_CMD[@]} -gt 0 ]; then
Expand Down