Wiki on server returning “write permissions required” to system user
(1) By anonymous on 2023-01-18 18:40:33
I’m making a private server with a single repo just for personal notes and things so it really needs to be mostly done through the web, but it’s saying I don’t have write permission as the system user and I’m not sure why. Does anyone know why this might be or a settings I can look at?
(2) By Stephan Beal (stephan) on 2023-01-18 19:21:01 in reply to 1
but it’s saying I don’t have write permission as the system user and I’m not sure why.
You're going to need to provide us with more information before we can speculate. For example...
- How are you connecting to your repository: locally via "fossil ui" or "fossil server", or remotely via an HTTP(s) connection?
- Are you sure you're logged in?
- Are you sure your account has admin permissions?
- Which error message, precisely (not a paraphrasing), are you seeing and what exactly are you doing which triggers it?
(3) By anonymous on 2023-01-18 19:29:16 in reply to 2
It’s run as
fossil server --jsmode bundled --user root --repolist /jail/museum
Accessed remotely via https using upgrade-insecure-requests in the csp because of mixed content errors.
I am logged in, it is private so login and password is required.
Root is the only user so yes it has admin.
The exact message is
Exception: Error: Write permissions required.
Thanks in advance for any guidance!
(4) By Warren Young (wyoung) on 2023-01-18 19:31:48 in reply to 2
Also, does the directory have write permissions for the user running Fossil as a server? If it’s a CGI, it might need to be writable by the “apache” group, etc.
(5) By anonymous on 2023-01-18 19:41:26 in reply to 4
That may be an interesting point...
It's a fly.io volume, I can clone / sync / commit just fine but can't make changes on the hosted UI... Maybe the UI uses user permissions on the volume before changing anything but commit / sync from the cli doesn't?
(6) By Warren Young (wyoung) on 2023-01-18 20:28:24 in reply to 5
The adaptation of my speculation above to the “fossil server” case is that your interactive user may not match your service-running user.
If they’re supposed to be the same, but you’re starting the service under systemd, you may have LHS based restrictions on writable directories, enforced by SELinux or similar. A service listening on port 80 might be restricted to writing under /var/db by such mechanisms, for example, in order to stop remote break-ins. That’s informed speculation; I had to work around a change in CentOS several years ago when the latest version would no longer let such a service write to /home.
Even if my guess is right in its essentials, it may be wildly off in its details. MAC systems like SELinux are highly-configurable policy enforcement engines. No two OSes need behave the same out of the box, and after local configuration, two instances of the same OS may differ as well.
(7) By anonymous on 2023-01-19 01:16:30 in reply to 6
Still arguing with it, but as an update, it's specifically the wiki and editing files; the tech notes work just fine for some reason.
(8) By Stephan Beal (stephan) on 2023-01-19 01:21:15 in reply to 7
Still arguing with it, but as an update, it's specifically the wiki and editing files; the tech notes work just fine for some reason.
That might be the necessary hint...
First, that error is coming from the wiki code, not sqlite's, so it's complaining about a user-level permission problem, not a db-level permission problem.
Secondly, please make sure that your browser is not configured to not send the so-called "referrer" headers. If it is, the wiki editor won't work (but the technote editor, which is much older, might). By default, all modern browsers send the referrer header, but they can be configured not to. Doing so makes certain security checks impossible and fossil will generally not accept POST requests without that.
Also, if you would, please try making an edit via the timeline:
- Open /timeline
- Select any checkin entry
- Edit the checkin comment
If that works, then we know for sure that the db permissions work.
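As an added illustration of the referrer-based check Stephan describes (example code written for this thread, not Fossil's own implementation), the function below refuses a state-changing POST when no Origin/Referer is presented, and also when the presented origin differs from the server's base URL in scheme or port even though the host name matches. The header names, the `notes.example` host and the base URLs are constructed for the example.

```python
# Added example, not Fossil's code: a minimal same-origin check of the kind
# a web UI applies before accepting a POST, with the failure cases seen in
# this thread reproduced on constructed requests.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname.lower(), port)


def check_post_origin(headers, base_url):
    """Decide whether a state-changing POST should be accepted.

    headers:  CGI-style variables (HTTP_ORIGIN, HTTP_REFERER, HTTP_HOST).
    base_url: the URL the server believes it is published at.
    Returns (accepted, reason).
    """
    expected = origin_of(base_url)
    # Prefer Origin, fall back to Referer.  A browser configured to suppress
    # the referrer sends neither, so the request is refused (post 8).
    presented = headers.get("HTTP_ORIGIN") or headers.get("HTTP_REFERER")
    if not presented:
        return False, "no Origin or Referer header"
    got = origin_of(presented)
    if got is None:
        return False, "unparseable Origin/Referer"
    if got != expected:
        # Host names may be identical while scheme or port differ, e.g. when
        # TLS is terminated in front of the server (assumed scenario).
        return False, f"origin {got} != expected {expected}"
    return True, "same origin"


# Constructed sample requests: (label, headers, base_url the server assumes).
SAMPLES = [
    ("referrer suppressed", {"HTTP_HOST": "notes.example"},
     "https://notes.example/"),
    ("normal https edit", {"HTTP_HOST": "notes.example",
     "HTTP_REFERER": "https://notes.example/wikiedit/Home"},
     "https://notes.example/"),
    ("tls proxy, server thinks http:8080", {"HTTP_HOST": "notes.example",
     "HTTP_REFERER": "https://notes.example/wikiedit/Home"},
     "http://notes.example:8080/"),
]


def evaluate_samples():
    """Run every sample through the check; returns {label: accepted}."""
    return {label: check_post_origin(h, base)[0] for label, h, base in SAMPLES}
```

Only the "normal https edit" sample is accepted; the third case shows how a host-only comparison of HTTP_HOST and HTTP_REFERER can look fine while a full-origin comparison still fails.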
(9) By anonymous on 2023-01-19 01:52:07 in reply to 8
Editing the comment doesn't work, it doesn't show any errors but nothing changes. Also, selecting a button from /admin_sql works, but selecting Run SQL does not.
There are referrer header errors on Chrome and Safari, but not on Firefox; I've tried all 3.
(10) By Stephan Beal (stephan) on 2023-01-19 02:04:45 in reply to 9
Editing the comment doesn't work, it doesn't show any errors but nothing changes. Also, selecting a button from /admin_sql works, but selecting Run SQL does not.
Then I'm currently at a complete loss with no ideas left on what to try.
You mentioned using something called fly.io for storage? Is that networked storage? If so, all bets are off - sqlite is never (by most folks) recommended for use on networked storage. If it is indeed networked storage, please try reproducing this on local storage.
(11) By anonymous on 2023-01-19 02:22:46 in reply to 10
The fly.io volumes use a special distributed filesystem for sqlite dbs, as far as I understand each container gets its own copy of the db and reports back to the master but there's something in there to prevent race conditions and whatnot... Could be that is messing with it somehow, but not sure.
Seems a mess, whatever it is.
Thanks for your help, I'll be back if I figure anything out.
If you want to give it a shot, fly.io is free99 for small stuff and pretty easy to use: fly launch from the repo, answer some questions, fly volumes create jail --size 1, and you're there...
(12) By anonymous on 2023-01-19 14:46:45 in reply to 10
I didn't get a solution, but I did get more logs:
SECURITY: authorizer blocks DML on table "sqlite_master" due to the request coming from a different origin
After that message, it shows the HTTP_HOST and the HTTP_REFERER are the same so not sure what it is trying to tell me..
(13) By Richard Hipp (drh) on 2023-01-19 14:56:13 in reply to 12
Can you post the complete log message? If not, would you be willing to send the complete log message in a private email to drh at sqlite dot org and to stephan at sqlite dot org?
(14) By Stephan Beal (stephan) on 2023-01-19 14:57:55 in reply to 12
After that message, it shows the HTTP_HOST and the HTTP_REFERER are the same so not sure what it is trying to tell me..
Can you try running "fossil rebuild" on that repository and see if that resolves the warning?
sqlite_master will only(?) be updated if new tables are created or the schema needs updating.
Another thing to try, but this is a complete guess: if you've enabled email notifications on that repository, try disabling them. My vague suspicion is that it's trying to create a notification of your change but can't because of the authorizer.
Why it's apparently mis-detecting the referrer mismatch is anyone's guess, but if this is still happening on fly.io then please try it locally. Networked filesystems of any kind are a wildcard.