From 63c6cc04232ebe2f63d3db766ebef4a3f899fdc2 Mon Sep 17 00:00:00 2001
From: Peter Ondrejka
Date: Thu, 5 Mar 2026 08:03:55 -0500
Subject: [PATCH] Fixes #39132 - Do not rely on ACLs where not strictly necessary
---
 .../runners/script_runner.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/smart_proxy_remote_execution_ssh/runners/script_runner.rb b/lib/smart_proxy_remote_execution_ssh/runners/script_runner.rb
index 30c0692..43f169d 100644
--- a/lib/smart_proxy_remote_execution_ssh/runners/script_runner.rb
+++ b/lib/smart_proxy_remote_execution_ssh/runners/script_runner.rb
@@ -420,8 +420,13 @@ def check_expecting_disconnect
 end

 def ensure_effective_user_access(*paths, mode: 'rx')
- unless @user_method.is_a? NoopUserMethod
- ensure_remote_command("setfacl -m u:#{@user_method.effective_user}:#{mode} #{paths.join(' ')}")
+ return if @user_method.is_a?(NoopUserMethod) || @user_method.effective_user == 'root'
+
+ paths_str = paths.join(' ')
+ if @user_method.ssh_user == 'root'
+ ensure_remote_command("chown #{@user_method.effective_user} #{paths_str} && chmod u=#{mode} #{paths_str}")
+ else
+ ensure_remote_command("setfacl -m u:#{@user_method.effective_user}:#{mode} #{paths_str}")
 end
 end
 end
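Review bot: In the `ssh_user == 'root'` branch of `ensure_effective_user_access`, `chown` makes the effective user the owner of the paths, so `mode` stops being an upper bound: an owner can `chmod` its own files, whereas the `setfacl` entry granted exactly `mode` on files that stayed owned by the SSH user. If any caller depends on `mode: 'rx'` to keep those paths non-writable for the effective user, that guarantee no longer holds on root connections; a comment such as `# root path: ownership is transferred to effective_user, so mode is not enforced against it` would make the trade-off explicit. Separately, `effective_user` and the paths are interpolated unquoted into a shell string that this branch runs as root; assuming either can carry spaces or shell metacharacters, build the command with `Shellwords.escape(@user_method.effective_user)` and `paths.shelljoin` (this needs `require 'shellwords'`, which is not visible in this hunk).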