From 821e6f5ae742876ec12be6e5b3387797284eb450 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Thu, 27 Feb 2025 10:57:28 -0800
Subject: [PATCH] fix(update-fedora-template-if-new): run as GUI user ---for parity with the case where the user has run the Qubes Updater directly. Without "runas", the new template's update log in "/var/log/qubes/update-${TEMPLATE}.log" will by owned by root:qubes, breaking subsequent updates that expect to be able to write to it as user:qubes.
---
 securedrop_salt/sd-sys-vms.sls | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/securedrop_salt/sd-sys-vms.sls b/securedrop_salt/sd-sys-vms.sls
index 4fafcb83..7fbbb56e 100644
--- a/securedrop_salt/sd-sys-vms.sls
+++ b/securedrop_salt/sd-sys-vms.sls
@@ -14,6 +14,8 @@ include:
 {% set sd_supported_fedora_version = 'fedora-41' %}
 {% set sd_fedora_base_template = sd_supported_fedora_version + '-xfce' %}
+{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
+
 # Install latest templates required for SDW VMs.
 dom0-install-fedora-template:
 cmd.run:
@@ -33,6 +35,7 @@ set-fedora-template-as-default-mgmt-dvm:
 update-fedora-template-if-new:
 cmd.wait:
 - name: qubes-vm-update --quiet --force-update --targets {{ sd_fedora_base_template }}
+ - runas: {{ gui_user }}
 - require:
 - cmd: dom0-install-fedora-template
 # Update the mgmt-dvm setting first, to avoid problems during first update
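Review bot: `gui_user` in the first hunk is the raw output of `groupmems -l -g qubes`, which lists every member of the group on one line, so an empty group or a group with more than one member gives a value that is not a single username. The second hunk interpolates that value unquoted into `- runas: {{ gui_user }}`; an empty string would probably render as a null `runas` and silently run the update as root again, while a multi-name string would only fail when the state executes. Consider selecting one name and failing the render when none is found, for example `{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes').split() | first %}` followed by an explicit check that it is defined and non-empty. The command uses no shell features, so `cmd.run` would serve in place of `cmd.shell`.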
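Review bot: The new `runas` line in update-fedora-template-if-new has no comment, so the reason for dropping from root to the GUI user is recorded only in the commit message; a line such as `# Run as the GUI user so update-${TEMPLATE}.log is not created root-owned (parity with the Qubes Updater).` above it would keep a later cleanup from removing it. The change also only affects runs after it lands: a log that an earlier apply already created as root:qubes presumably keeps that ownership unless something else resets it, which may deserve a follow-up state. The state's body continues past the end of the hunk, so its trigger conditions are not visible here.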