2026-06-30 01:16:35 +00:00
70 changed files with 123 additions and 192 deletions
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@ -3,29 +3,6 @@
 ---
 ## 2026-06-18 — #623 systemic shared-parent clobber resolved at source (PR #648)
 - **Root cause corrected.** The recurring `/var/{lib,log,cache,…}/secubox` parent
  clobber was NOT the `install -d -m 0750 /parent/leaf` leaf form (empirically
  proven harmless: GNU `install -d -m` modes only the final component). It was the
  scaffold boilerplate `install -d -m 750 /var/lib/secubox` + `/run/secubox` (BARE
  parents) in ~56 module postinsts — written `-m 750` (3-digit), which is why prior
  greps/sweeps (#511/#627/#631) missed it.
 - **Source-wide fix.** Scripted rewrite of all bare-parent targets → `/run/secubox`
  1777 root:root, `/var/lib|log|cache|etc|usr/share/secubox` 0755; 6 multi-arg
  lines split per-parent (4 were setting `/var/lib/secubox` world-writable 1777 —
  a security regression); 3 `chmod 750 /var/log/secubox` (soc-gateway/soc-agent/
  ui-manager) → 0755. Module-private leaves (`/var/lib/secubox/<mod>` 0750) left
  untouched. Scaffold `new-package.sh` + `.claude/PATTERNS.md` fixed so new
  packages don't reintroduce it. secubox-core 1.1.8 tmpfiles.d now declares all 5
  shared parents at 0755 (mode-only) for boot/install-time self-heal.
 - **Verified:** all 64 changed maintainer scripts `bash -n` clean; zero bare-parent
  restrictive lines remain (install-d + chmod forms); saas-relay + core rebuilt and
  packaged postinst/tmpfiles confirmed. Two-stage review (found + closed 2 gaps:
  the chmod-form clobbers + tmpfiles coverage). NOT mass-deployed (60-pkg restart =
  thundering-herd risk); live covered by `secubox-dirs-guard.timer`; lands at next
  CI image build / reflash.
 ## 2026-06-18 — perf sprint (hub latency, R3 tunnel encoding) + crowdsec unblock
 - **Hub dashboard latency (#644, PR #645, hub `1.4.6`).** The hub runs mounted in
--- a/.claude/PATTERNS.md
+++ b/.claude/PATTERNS.md
@ -383,13 +383,9 @@ case "$1" in
      adduser --system --group --no-create-home --home /var/lib/secubox secubox
    fi
-    # Répertoires runtime — SHARED parents, NE JAMAIS les passer en 0750/0700
+    # Répertoires runtime
-    # (#623 : casse la traversée pour les daemons non-secubox → kbin/toolbox 500).
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    # /run/secubox reste 1777 (sticky world-writable, sockets de tous les services,
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # #471) ; /var/lib/secubox reste 0755. Les leaves privées
    # (/var/lib/secubox/<module>) peuvent être 0750.
    install -d -o root -g root -m 1777 /run/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    # Activer et démarrer le service
    systemctl daemon-reload
--- a/.claude/WIP.md
+++ b/.claude/WIP.md
@ -22,20 +22,13 @@ Tout mergé sur master + déployé sur gk2. Détail dans HISTORY 2026-06-18.
  CSP-strict tirées décompressées via le worker R3 GIL-bound. **toolbox 2.6.53**.
 - ✅ **crowdsec** réparé (403 transitoire CDN → `dpkg --configure` RC=0, audit clean).
 - ✅ **#623 (PR #648, merged 9950e9ec)** — clobber systémique RÉSOLU au source.
  La vraie cause : boilerplate scaffold `install -d -m 750 /var/lib/secubox` +
  `/run/secubox` (parents NUS) dans ~56 postinsts — écrit `-m 750` (3 chiffres),
  d'où le ratage des sweeps précédents. Empiriquement prouvé que le form
  `install -d -m 750 /parent/leaf` NE clobbe PAS le parent (seuls les targets
  parents-nus). Fix : tous → 1777 (/run) / 0755 ; 6 lignes multi-arg splittées
  (4 mettaient /var/lib en world-writable 1777) ; 3 `chmod 750 /var/log` ;
  scaffold `new-package.sh` + `PATTERNS.md` ; core 1.1.8 tmpfiles.d déclare les 5
  parents 0755. **PAS de mass-deploy** (60 paquets = mass-restart = risque
  thundering-herd) ; live couvert par `dirs-guard.timer` ; arrive au prochain
  build CI / reflash.
 ### ⬜ Next Up
 - **#623 (P0 bug)** — clobber systémique des modes parents `/var/{lib,log,cache}/
  secubox` sur ~12 paquets (postinsts `install -d -m 0750` multi-arg que le sweep
  #623 a manqués). Couvert par `secubox-dirs-guard.timer` mais la cause-racine
  reste ouverte paquet par paquet → casse la traversée non-`secubox` (kbin/toolbox
  500). **Prochain actionnable propre** (PR bornée).
 - **Anti-Track v2 ARMING** (décision USER, gated) — soak observe-only puis flip
  `privacy_enforce=true` ; régénérer `data/cdn-allowlist.txt` depuis les plages
  publiques avant `privacy_ip_drop` ; `unbound-checkconf` avant `privacy_dns_feed`.
--- a/packages/secubox-admin/debian/postinst
+++ b/packages/secubox-admin/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/admin
    install -d -o root -g secubox -m 0755 /var/log/secubox
    systemctl daemon-reload
--- a/packages/secubox-ai-insights/debian/postinst
+++ b/packages/secubox-ai-insights/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/ai-insights
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/ai-insights/models
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/ai-insights
--- a/packages/secubox-auth/debian/postinst
+++ b/packages/secubox-auth/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-auth.service
    systemctl start  secubox-auth.service || true
--- a/packages/secubox-authelia/debian/postinst
+++ b/packages/secubox-authelia/debian/postinst
@ -9,7 +9,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/authelia
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-avatar/debian/postinst
+++ b/packages/secubox-avatar/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/avatar
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/avatar/images
    systemctl daemon-reload
--- a/packages/secubox-cdn/debian/postinst
+++ b/packages/secubox-cdn/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-cdn.service
    systemctl start  secubox-cdn.service || true
--- a/packages/secubox-certs/debian/postinst
+++ b/packages/secubox-certs/debian/postinst
@ -1,8 +1,7 @@
 #!/bin/sh
 set -e
 if [ "$1" = "configure" ]; then
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -m 0755 /run/secubox /var/cache/secubox/certs
    install -d -m 0755 /var/cache/secubox/certs
    systemctl daemon-reload || true
    systemctl enable --now secubox-certs.service || true
 fi
--- a/packages/secubox-core/debian/changelog
+++ b/packages/secubox-core/debian/changelog
@ -1,15 +1,3 @@
 secubox-core (1.1.8-1~bookworm1) bookworm; urgency=medium
  * fix(#623): tmpfiles.d now declares all shared secubox parents
    (/var/lib, /var/log, /var/cache, /etc, /usr/share /secubox) at 0755
    (mode-only, owner-agnostic), in addition to /run/secubox 1777 — boot +
    install-time defense-in-depth that self-heals a momentary 0750 clobber
    before the next secubox-dirs-guard.timer tick. Pairs with the source-wide
    postinst sweep that stopped ~56 module postinsts from clobbering those
    parents.
 -- Gerald Kerma <devel@cybermind.fr>  Thu, 18 Jun 2026 13:00:00 +0200
 secubox-core (1.1.7-1~bookworm1) bookworm; urgency=medium
  * fix(postinst): /var/lib/secubox + /usr/share/secubox/www were set 0750,
--- a/packages/secubox-core/tmpfiles.d/secubox.conf
+++ b/packages/secubox-core/tmpfiles.d/secubox.conf
@ -1,11 +1 @@
 d /run/secubox 1777 root root -
 # #623 — defense-in-depth: guarantee the SHARED secubox parents stay traversable
 # (0755) at boot and on every `systemd-tmpfiles --create`, so if a module postinst
 # momentarily re-clobbers one to 0750 it self-heals before the next
 # secubox-dirs-guard.timer tick. Mode-only (owner `-`) to mirror the owner-agnostic
 # dirs-guard and never fight secubox-core's / a module's own ownership.
 d /var/lib/secubox 0755 - - -
 d /var/log/secubox 0755 - - -
 d /var/cache/secubox 0755 - - -
 d /etc/secubox 0755 - - -
 d /usr/share/secubox 0755 - - -
--- a/packages/secubox-crowdsec/debian/postinst
+++ b/packages/secubox-crowdsec/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-crowdsec.service
    systemctl start  secubox-crowdsec.service || true
--- a/packages/secubox-domoticz/debian/postinst
+++ b/packages/secubox-domoticz/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directories
    install -d -m 755 /srv/domoticz
    install -d -m 755 /srv/domoticz/config
--- a/packages/secubox-dpi/debian/postinst
+++ b/packages/secubox-dpi/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-dpi.service
    systemctl start  secubox-dpi.service || true
--- a/packages/secubox-droplet/debian/postinst
+++ b/packages/secubox-droplet/debian/postinst
@ -8,8 +8,8 @@ case "$1" in
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /srv/droplet
    # Enable and start service
--- a/packages/secubox-fmrelay/debian/postinst
+++ b/packages/secubox-fmrelay/debian/postinst
@ -13,7 +13,7 @@ case "$1" in
        # the device with).
        usermod -aG plugdev secubox 2>/dev/null || true
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root    -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/fmrelay
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-glances/debian/postinst
+++ b/packages/secubox-glances/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/glances
    systemctl daemon-reload
    systemctl enable secubox-glances.service
--- a/packages/secubox-gotosocial/debian/postinst
+++ b/packages/secubox-gotosocial/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directory for GoToSocial
    install -d -o root -g root -m 755 /srv/gotosocial
    install -d -o root -g root -m 755 /srv/gotosocial/storage
--- a/packages/secubox-grafana/debian/postinst
+++ b/packages/secubox-grafana/debian/postinst
@ -9,7 +9,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/grafana
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-haproxy/debian/postinst
+++ b/packages/secubox-haproxy/debian/postinst
@ -7,8 +7,7 @@ case "$1" in
    # Shared parents stay 0755 (traversable by every secubox-* daemon — setting
    # them 0750 here broke kbin/toolbox by blocking traversal, #626). Only the
    # haproxy-private leaves are restricted.
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 755 /run/secubox /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/haproxy /var/lib/secubox/haproxy/config_backups
    chmod 0755 /var/lib/secubox /run/secubox 2>/dev/null || true
    # Create /etc/haproxy if not present (haproxy is Recommends, not Depends)
--- a/packages/secubox-health-doctor/debian/postinst
+++ b/packages/secubox-health-doctor/debian/postinst
@ -3,7 +3,7 @@ set -e
 case "$1" in
  configure)
-    install -d -o secubox -g secubox -m 755 /var/cache/secubox
+    install -d -o secubox -g secubox -m 750 /var/cache/secubox
    systemctl daemon-reload
    # API daemon + periodic timer
    systemctl enable --now secubox-health-doctor.service || true
--- a/packages/secubox-hexo/debian/postinst
+++ b/packages/secubox-hexo/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create hexo data directory
    install -d -o root -g root -m 755 /srv/hexo/blogs
    # Ensure nginx secubox.d directory exists
--- a/packages/secubox-homeassistant/debian/postinst
+++ b/packages/secubox-homeassistant/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directories
    install -d -m 755 /srv/homeassistant
    install -d -m 755 /srv/homeassistant/config
--- a/packages/secubox-hub/debian/postinst
+++ b/packages/secubox-hub/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-hub.service
    systemctl start  secubox-hub.service || true
--- a/packages/secubox-jellyfin/debian/postinst
+++ b/packages/secubox-jellyfin/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Ensure nginx secubox.d directory exists
    install -d -m 755 /etc/nginx/secubox.d
    # Enable and start service
--- a/packages/secubox-jitsi/debian/postinst
+++ b/packages/secubox-jitsi/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create Jitsi data directory
    install -d -o root -g root -m 755 /srv/jitsi
    install -d -o root -g root -m 755 /srv/jitsi/recordings
--- a/packages/secubox-ksm/debian/postinst
+++ b/packages/secubox-ksm/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/ksm
    systemctl daemon-reload
    systemctl enable secubox-ksm.service
--- a/packages/secubox-localai/debian/postinst
+++ b/packages/secubox-localai/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directories
    install -d -m 755 /srv/localai
    install -d -m 755 /srv/localai/models
--- a/packages/secubox-lyrion/debian/postinst
+++ b/packages/secubox-lyrion/debian/postinst
@ -9,7 +9,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/lyrion
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-mac-guard/debian/postinst
+++ b/packages/secubox-mac-guard/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/mac-guard
    systemctl daemon-reload
    systemctl enable secubox-mac-guard.service
--- a/packages/secubox-mediaflow/debian/postinst
+++ b/packages/secubox-mediaflow/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-mediaflow.service
    systemctl start  secubox-mediaflow.service || true
--- a/packages/secubox-metabolizer/debian/postinst
+++ b/packages/secubox-metabolizer/debian/postinst
@ -5,10 +5,10 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/metabolizer
-    install -d -o secubox -g secubox -m 755 /etc/secubox
+    install -d -o secubox -g secubox -m 750 /etc/secubox
    systemctl daemon-reload
    systemctl enable secubox-metabolizer.service
    systemctl start  secubox-metabolizer.service || true
--- a/packages/secubox-metacatalog/debian/postinst
+++ b/packages/secubox-metacatalog/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/metacatalog
    systemctl daemon-reload
    systemctl enable secubox-metacatalog.service
--- a/packages/secubox-mirror/debian/postinst
+++ b/packages/secubox-mirror/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/mirrors
    install -d -o secubox -g secubox -m 750 /var/cache/secubox-mirror
    install -d -o secubox -g secubox -m 750 /etc/nginx/secubox-mirror.d
--- a/packages/secubox-mqtt/debian/postinst
+++ b/packages/secubox-mqtt/debian/postinst
@ -9,7 +9,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0750 -o root -g secubox /etc/secubox/secrets
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/mqtt
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-nac/debian/postinst
+++ b/packages/secubox-nac/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-nac.service
    systemctl start  secubox-nac.service || true
--- a/packages/secubox-netdata/debian/postinst
+++ b/packages/secubox-netdata/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-netdata.service
    systemctl start  secubox-netdata.service || true
--- a/packages/secubox-netdiag/debian/postinst
+++ b/packages/secubox-netdiag/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/netdiag
    systemctl daemon-reload
    systemctl enable secubox-netdiag.service
--- a/packages/secubox-netifyd/debian/postinst
+++ b/packages/secubox-netifyd/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/netifyd
    systemctl daemon-reload
    systemctl enable secubox-netifyd.service
--- a/packages/secubox-netmodes/debian/postinst
+++ b/packages/secubox-netmodes/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o root -g root -m 755 /var/lib/secubox/netmodes-backup
    install -d -o root -g root -m 755 /etc/secubox/netmodes
    systemctl daemon-reload
--- a/packages/secubox-nettweak/debian/postinst
+++ b/packages/secubox-nettweak/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/nettweak
    install -d -o root -g root -m 755 /etc/sysctl.d
    systemctl daemon-reload
--- a/packages/secubox-newsbin/debian/postinst
+++ b/packages/secubox-newsbin/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o root -g root -m 755 /srv/newsbin
    install -d -o root -g root -m 755 /srv/downloads/usenet
    install -d -o root -g root -m 755 /srv/downloads/usenet/complete
--- a/packages/secubox-ollama/debian/postinst
+++ b/packages/secubox-ollama/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Ensure nginx secubox.d directory exists
    install -d -m 755 /etc/nginx/secubox.d
    # Enable and start service
--- a/packages/secubox-peertube/debian/postinst
+++ b/packages/secubox-peertube/debian/postinst
@ -8,12 +8,11 @@ if [ "$1" = "configure" ]; then
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Runtime + state directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    # Do NOT reset /etc/secubox — secubox-core owns it as secubox:secubox 0750
    # (the users-engine needs dir-write for atomic users.json saves / TOTP).
    # Only create as a fallback if it's somehow missing.
-    [ -d /etc/secubox ] || install -d -o secubox -g secubox -m 755 /etc/secubox
+    [ -d /etc/secubox ] || install -d -o secubox -g secubox -m 750 /etc/secubox
    # nginx snippet directory (peertube.conf shipped by the package lands here)
    install -d -m 755 /etc/nginx/secubox.d
--- a/packages/secubox-photoprism/debian/postinst
+++ b/packages/secubox-photoprism/debian/postinst
@ -7,12 +7,12 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Do NOT reset /etc/secubox — secubox-core owns it as secubox:secubox 0750
    # (the users-engine needs dir-write for atomic users.json saves / TOTP).
    # Only create as a fallback if it's somehow missing.
-    [ -d /etc/secubox ] || install -d -o secubox -g secubox -m 755 /etc/secubox
+    [ -d /etc/secubox ] || install -d -o secubox -g secubox -m 750 /etc/secubox
    # #319 /data migration: move legacy /srv/photoprism → /data/photoprism and
    # leave a back-compat symlink. Idempotent.
--- a/packages/secubox-picobrew/debian/postinst
+++ b/packages/secubox-picobrew/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directories for picobrew
    install -d -o secubox -g secubox -m 755 /var/lib/secubox/picobrew
    install -d -o secubox -g secubox -m 755 /var/lib/secubox/picobrew/sensors
--- a/packages/secubox-portal/debian/postinst
+++ b/packages/secubox-portal/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-portal.service
    systemctl start secubox-portal.service || true
--- a/packages/secubox-qos/debian/postinst
+++ b/packages/secubox-qos/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-qos.service
    systemctl start  secubox-qos.service || true
--- a/packages/secubox-rbs-sensor/debian/postinst
+++ b/packages/secubox-rbs-sensor/debian/postinst
@ -10,7 +10,7 @@ case "$1" in
        # dialout: needed for /dev/ttyUSB* access when the EP06 enumerates
        usermod -aG dialout secubox 2>/dev/null || true
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/rbs-sensor
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-reporter/debian/postinst
+++ b/packages/secubox-reporter/debian/postinst
@ -5,11 +5,11 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/reports
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/reporter
-    install -d -o secubox -g secubox -m 755 /etc/secubox
+    install -d -o secubox -g secubox -m 750 /etc/secubox
    systemctl daemon-reload
    systemctl enable secubox-reporter.service
    systemctl start  secubox-reporter.service || true
--- a/packages/secubox-routes/debian/postinst
+++ b/packages/secubox-routes/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-routes.service
    systemctl start  secubox-routes.service || true
--- a/packages/secubox-rustdesk/debian/postinst
+++ b/packages/secubox-rustdesk/debian/postinst
@ -6,7 +6,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/rustdesk
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-saas-relay/debian/postinst
+++ b/packages/secubox-saas-relay/debian/postinst
@ -4,9 +4,7 @@ case "$1" in
  configure)
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox /var/lib/secubox /var/lib/secubox/saas-relay
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/lib/secubox/saas-relay
    install -d -o secubox -g secubox -m 700 /etc/secubox/secrets
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/saas-relay
    systemctl daemon-reload
--- a/packages/secubox-sentinelle-gsm/debian/postinst
+++ b/packages/secubox-sentinelle-gsm/debian/postinst
@ -12,7 +12,7 @@ case "$1" in
        # daemon can claim the USB device when v0.2 wires the SDR I/O.
        usermod -aG plugdev secubox 2>/dev/null || true
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0750 -o root -g secubox /etc/secubox/secrets
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/sentinelle-gsm
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-smtp-relay/debian/postinst
+++ b/packages/secubox-smtp-relay/debian/postinst
@ -5,9 +5,9 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
-    install -d -o secubox -g secubox -m 755 /etc/secubox
+    install -d -o secubox -g secubox -m 750 /etc/secubox
    systemctl daemon-reload
    systemctl enable secubox-smtp-relay.service
    systemctl start  secubox-smtp-relay.service || true
--- a/packages/secubox-soc-agent/debian/postinst
+++ b/packages/secubox-soc-agent/debian/postinst
@ -17,7 +17,7 @@ case "$1" in
        # Ensure log directory exists with correct permissions
        mkdir -p /var/log/secubox
        chown root:adm /var/log/secubox
-        chmod 0755 /var/log/secubox
+        chmod 750 /var/log/secubox
        # Create config directory
        mkdir -p /etc/secubox
--- a/packages/secubox-soc-gateway/debian/postinst
+++ b/packages/secubox-soc-gateway/debian/postinst
@ -17,7 +17,7 @@ case "$1" in
        # Ensure log directory exists with correct permissions
        mkdir -p /var/log/secubox
        chown root:adm /var/log/secubox
-        chmod 0755 /var/log/secubox
+        chmod 750 /var/log/secubox
        # Create config directory
        mkdir -p /etc/secubox
--- a/packages/secubox-streamforge/debian/postinst
+++ b/packages/secubox-streamforge/debian/postinst
@ -4,8 +4,7 @@ case "$1" in
  configure)
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /srv/streamlit/apps
    systemctl daemon-reload
    systemctl enable secubox-streamforge.service
--- a/packages/secubox-streamlit/debian/postinst
+++ b/packages/secubox-streamlit/debian/postinst
@ -4,8 +4,7 @@ case "$1" in
  configure)
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    install -d -o secubox -g secubox -m 755 /srv/streamlit/apps /srv/streamlit/logs
    install -d -o secubox -g secubox -m 755 /var/log/secubox
    install -d -o root -g root -m 755 /etc/secubox
--- a/packages/secubox-system/debian/postinst
+++ b/packages/secubox-system/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-system.service
    systemctl start  secubox-system.service || true
--- a/packages/secubox-torrent/debian/postinst
+++ b/packages/secubox-torrent/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /var/cache/secubox/torrent
    # Create data directories
    install -d -m 755 /srv/torrent/config
--- a/packages/secubox-ui-manager/debian/postinst
+++ b/packages/secubox-ui-manager/debian/postinst
@ -15,7 +15,7 @@ case "$1" in
        # Create log directory
        mkdir -p /var/log/secubox
-        chmod 0755 /var/log/secubox
+        chmod 750 /var/log/secubox
        # Create config directory
        mkdir -p /etc/secubox/ui
--- a/packages/secubox-users/debian/postinst
+++ b/packages/secubox-users/debian/postinst
@ -7,7 +7,7 @@ case "$1" in
        getent group secubox >/dev/null || groupadd --system secubox
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        # Run v1 → v2 migration (idempotent)
        python3 - <<'PYEOF' || echo 'WARN: migration step failed — investigate /etc/secubox/users.json'
--- a/packages/secubox-vhost/debian/postinst
+++ b/packages/secubox-vhost/debian/postinst
@ -5,8 +5,8 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    systemctl daemon-reload
    systemctl enable secubox-vhost.service
    systemctl start  secubox-vhost.service || true
--- a/packages/secubox-voip/debian/postinst
+++ b/packages/secubox-voip/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    install -d -o secubox -g secubox -m 750 /srv/voip
    # Ensure nginx secubox.d directory exists
    install -d -m 755 /etc/nginx/secubox.d
--- a/packages/secubox-webradio/debian/postinst
+++ b/packages/secubox-webradio/debian/postinst
@ -7,8 +7,8 @@ case "$1" in
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
    # Create runtime directories
-    install -d -o root -g root -m 1777 /run/secubox
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # Create data directories
    install -d -o secubox -g secubox -m 755 /var/lib/secubox/webradio
    install -d -o secubox -g secubox -m 755 /var/lib/secubox/webradio/recordings
--- a/packages/secubox-yacy/debian/postinst
+++ b/packages/secubox-yacy/debian/postinst
@ -8,7 +8,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/yacy
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/packages/secubox-zigbee/debian/postinst
+++ b/packages/secubox-zigbee/debian/postinst
@ -9,7 +9,7 @@ case "$1" in
        getent passwd secubox >/dev/null || useradd --system --gid secubox \
            --home /var/lib/secubox --no-create-home --shell /usr/sbin/nologin secubox
-        install -d -o secubox -g secubox -m 755 /etc/secubox
+        install -d -m 0770 -o root -g secubox /etc/secubox
        install -d -m 0750 -o root -g secubox /etc/secubox/secrets
        install -d -m 0755 -o secubox -g secubox /var/lib/secubox/zigbee
        install -d -m 0755 -o secubox -g secubox /var/log/secubox
--- a/scripts/new-package.sh
+++ b/scripts/new-package.sh
@ -201,15 +201,9 @@ case "$1" in
    id -u secubox >/dev/null 2>&1 || \
      adduser --system --group --no-create-home \
        --home /var/lib/secubox --shell /usr/sbin/nologin secubox
-    # Create runtime directories.
+    # Create runtime directories
-    # NOTE (#623): these are SHARED parents — keep them traversable for every
+    install -d -o secubox -g secubox -m 750 /run/secubox
-    # secubox-* daemon. /run/secubox MUST stay 1777 (world-writable sticky, all
+    install -d -o secubox -g secubox -m 750 /var/lib/secubox
    # services drop sockets there, ref #471); /var/lib/secubox MUST stay 0755.
    # NEVER set a shared parent to 0750/0700 — it breaks traversal for non-secubox
    # users (kbin/toolbox 500). Module-private leaves (/var/lib/secubox/PKGNAME)
    # may be 0750. Re-asserting 0755/1777 here is idempotent + self-healing.
    install -d -o root -g root -m 1777 /run/secubox
    install -d -o secubox -g secubox -m 755 /var/lib/secubox
    # Ensure nginx secubox.d directory exists
    install -d -m 755 /etc/nginx/secubox.d
    # Enable and start service