fix: ensure proper directory ownership for CA certificate storage

When running under sudo, the config directory was created by root but
the subprocess runs as the original user, causing permission issues.

Now the directory ownership is changed to the original user after
creation, ensuring the subprocess can access certificate files.

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

tls/tls.go

@@ -14,6 +14,7 @@ import (
 	"os"
 	"os/user"
 	"path/filepath"
+	"strconv"
 	"sync"
 	"time"
 )
@@ -142,6 +143,22 @@ func (cm *CertificateManager) generateCA(keyPath, certPath string) error {
 		return fmt.Errorf("failed to create config directory: %v", err)
 	}
 
+	// When running under sudo, ensure the directory is owned by the original user
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
+			if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
+				uid, err1 := strconv.Atoi(sudoUID)
+				gid, err2 := strconv.Atoi(sudoGID)
+				if err1 == nil && err2 == nil {
+					// Change ownership of the config directory to the original user
+					if err := os.Chown(cm.configDir, uid, gid); err != nil {
+						cm.logger.Warn("Failed to change config directory ownership", "error", err)
+					}
+				}
+			}
+		}
+	}
+
 	// Generate private key
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {