From b06337813d5e662e61269fdf5eabcd9bd9d0537c Mon Sep 17 00:00:00 2001
From: svefnz <svefnz@gmail.com>
Date: Thu, 26 Mar 2026 10:18:59 +0800
Subject: [PATCH] Fix hysteria config file permissions

---
 hy2.sh | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/hy2.sh b/hy2.sh
index 682177a..7352b96 100644
--- a/hy2.sh
+++ b/hy2.sh
@@ -387,6 +387,27 @@ backup_existing_config() {
   fi
 }
 
+set_config_permissions() {
+  local service_user service_group
+
+  service_user="$(systemctl show -p User --value "${SERVICE_NAME}" 2>/dev/null || true)"
+  service_user="${service_user//$'\n'/}"
+
+  if [[ -n "${service_user}" && "${service_user}" != "root" ]]; then
+    service_group="$(id -gn "${service_user}" 2>/dev/null || true)"
+    if [[ -n "${service_group}" ]]; then
+      chown root:"${service_group}" "${CONFIG_FILE}"
+      chmod 640 "${CONFIG_FILE}"
+      green "已按服务账户 ${service_user}:${service_group} 设置配置文件权限为 640"
+      return 0
+    fi
+  fi
+
+  chown root:root "${CONFIG_FILE}"
+  chmod 644 "${CONFIG_FILE}"
+  yellow "未识别到可用的服务账户组，已回退为 root:root 且权限 644"
+}
+
 render_userpass_block() {
   local indent="${1:-4}"
   local prefix="" entry username password
@@ -493,8 +514,7 @@ write_config() {
 
   render_config "$domain" "$email" "$cf_token" "$proxy_url" > "${CONFIG_FILE}"
 
-  chown root:root "${CONFIG_FILE}"
-  chmod 600 "${CONFIG_FILE}"
+  set_config_permissions
   green "配置已写入 ${CONFIG_FILE}"
 }