Handle more edge cases; more clear warnings

install/production-filesystem/entrypoint.d/10-capabilities-audit.sh

@@ -3,6 +3,9 @@
 #
 # This script runs early to detect missing capabilities that would cause later
 # scripts (like Python-based checks) to fail with "Operation not permitted".
+# This is not for checking excessive capabilities, which is handled in another
+# startup script.
+
 
 RED=$(printf '\033[1;31m')
 YELLOW=$(printf '\033[1;33m')

install/production-filesystem/entrypoint.d/20-first-run-config.sh

@@ -1,6 +1,11 @@
 #!/bin/sh
 # first-run-check.sh - Checks and initializes configuration files on first run
 
+# Fix permissions if config directory exists but is unreadable
+if [ -d "${NETALERTX_CONFIG}" ]; then
+    chmod u+rwX "${NETALERTX_CONFIG}" 2>/dev/null || true
+fi
+chmod u+rw "${NETALERTX_CONFIG}/app.conf" 2>/dev/null || true
 # Check for app.conf and deploy if required
 if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then
     mkdir -p "${NETALERTX_CONFIG}" || {

install/production-filesystem/entrypoint.d/25-first-run-db.sh

@@ -2,6 +2,12 @@
 # Ensures the database exists, or creates a new one on first run.
 # Intended to run only at initial startup.
 
+# Fix permissions if DB directory exists but is unreadable
+if [ -d "${NETALERTX_DB}" ]; then
+    chmod u+rwX "${NETALERTX_DB}" 2>/dev/null || true
+fi
+chmod u+rw "${NETALERTX_DB_FILE}" 2>/dev/null || true
+
 set -eu
 
 CYAN=$(printf '\033[1;36m')

install/production-filesystem/entrypoint.d/30-mandatory-folders.sh

@@ -20,6 +20,12 @@ ensure_dir() {
 	# When creating as the user running the services, we ensure correct ownership and access
     path="$1"
     label="$2"
+    # Fix permissions if directory exists but is unreadable/unwritable
+	# It's expected chown is done as root during root-entrypoint, and now we own the files
+	# here we will set correct access.
+    if [ -d "${path}" ]; then
+        chmod u+rwX "${path}" 2>/dev/null || true
+    fi
     if ! mkdir -p "${path}" 2>/dev/null; then
         if is_tmp_path "${path}"; then
             warn_tmp_skip "${path}" "${label}"

install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh

@@ -33,7 +33,7 @@ if [ "$EXTRA" -ne 0 ]; then
 ⚠️  Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX).
 
     Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are 
-	required in this container. Please remove unnecessary capabilities.
+    required in this container. Please remove unnecessary capabilities.
 
     https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md
 ══════════════════════════════════════════════════════════════════════════════