For Debian 10.4 and greater: check if useradd command exists

In a fresh installation of 10.4, the installation of pihole gives

Elaborazione dei trigger per mime-support (3.62)...
--------------------------------------------------------------------------------
  [✓] Enabling lighttpd service to start on reboot...
  [i] Creating user 'pihole'...main: riga 1893: useradd: comando non trovato
  [✗] Creating user 'pihole'

Please note:

riga 1893: useradd: command non found

This is because, for security reasons, there is NO /usr/sbin path in the default path of the root user

# whereis useradd
useradd: /usr/sbin/useradd /usr/share/man/man8/useradd.8.gz

So I suggest to

  • check if the useradd command is available
  • if not, use whereis to detect the presence of the command
  • or at least stop the installation if useradd fails

Looks like you've executed Pi-hole's installation script from a shell with elevated privileges (e.g. by su root).

You should be aware that starting with Debian Buster, su will not inherit environment settings as its predecessors did, see also the original su maintainer's comment on a related Debian bug report (wontfix).
EDIT: Quoting:

This change is intentional and aligns su with its documented behaviour. I would also like to stress that using plain 'su' is DANGEROUS because it means you're running a shell as root with the environment inherited from another user.
(...)
You should thus ALWAYS use 'su -' (or even better, don't use su at all in favour of other alternatives like 'sudo -i').

Pi-hole's installation script handles necessary access control itself, so there's no need to elevate to su (and that's not a good practice anyhow, prefer sudo over su whenever you can).

2 Likes

Debian 10 does not have sudo preinstalled, so you cannot start the install without being root

What Debian image did you use?

We're using debian-10.4.0-amd64-netinst.iso

pi@ph5:~ $ apt show passwd
[..]
Description: change and administer password and group data
 This package includes passwd, chsh, chfn, and many other programs to
 maintain password and group data.
 .
 Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian

What do the below four output?

LC_ALL=C hostnamectl | tail -3

LC_ALL=C apt policy passwd

dpkg -L passwd | grep -v share

echo $PATH

EDIT: added one and run above ones with a non root user.

Don't install with the root user.

Don't use the net install image. That's too basic and a lot is missing to cram it into such a small ISO.

Why is that?
Isn't debian-10.4.0-amd64-netinst.iso just an ISO to boot from initially for installation?
I believe it allows you to select what you want to install like minimal or to desktop etc.
It's just the netinstall version of Debian instead of a full CDROM/DVD to boot from.
Attach the ISO to a VM and boot from it to install to desired disk location ... full or minimal.
At least that's how I install Debian in a VM.

EDIT: changed some

1 Like

Thanks. We will change our ansible playbook to deploy new machines to install sudo.

We are using netinst with some automation because it is small and we need nothing else. We will try to do automation using the full CD, but we chose netinst because it creates the smallest footprint.

I will update you if we find problems.

Please note that I keep in great value all your security suggestions. We never expose pihole directly but only using OpenVPN.

These VPS are used only for this and no other entities have access to our machines. No end user accesses our VPS. Every install happens only with a clean VPS. No other software is installed apart from pihole and OpenVPN.

So we are not risking anything, or not so much, using a normal user. I think and hope. But I will change our deployment to accomplish better security.

Sure, if you use it as intended and boot it up, follow the prompts, download the additional packages and all that.

Using it as a template skips all that and all you get is the very minimal OS, which is fine but you then need to install the missing packages to even get the installer script to start up.

Just a friendly reminder, if you're sending user information (paid customers?) through Pi-hole and pihole-FTL is handling their DNS then you are required to provide those users with a copy of our copyrights.

Yes of course.
I don't believe that ISO is intended to be used as a template for VMs.
But can understand some would make that mistake :smiley:

The issue is btw solved with the next Pi-hole release where all required locations are appended to the PATH variable: https://github.com/pi-hole/pi-hole/pull/3527
But yes, aside from that, never use su but sudo instead as a general recommendation, also for security reasons.

1 Like
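
The PATH fix mentioned in the post above, combined with the availability check suggested in the first post, can be sketched as follows. This is an added example, not the code from the linked Pi-hole pull request; the function names and the list of directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not Pi-hole's installer code.

# Print the PATH-style string $1 with the system admin directories
# appended when missing. Appending (not prepending) leaves the existing
# lookup order unchanged, and an empty input never yields an empty PATH
# element (which the shell would treat as the current directory).
# The directory list is an assumption.
path_with_sbin() {
    result=$1
    for dir in /usr/local/sbin /usr/sbin /sbin; do
        case ":${result}:" in
            *":${dir}:"*) ;;  # already listed, keep as is
            *) result="${result:+${result}:}${dir}" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Return 0 if command $1 resolves when PATH is set to $2.
# The body is a subshell, so the caller's PATH is not modified.
has_command() (
    PATH=$2
    command -v "$1" >/dev/null 2>&1
)

# Installer preflight: extend PATH, then stop before any changes are
# made if a required tool is still missing.
preflight() {
    PATH=$(path_with_sbin "$PATH")
    export PATH
    for tool in "$@"; do
        if ! has_command "$tool" "$PATH"; then
            printf 'Required command not found: %s\n' "$tool" >&2
            return 1
        fi
    done
}

# Typical use at the top of an install script:
#   preflight useradd || exit 1
```
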

Yes. We know. Also, there is no money involved. Long story, we're only helping people. Trust me.

Unfortunately I don't have the liberty of trusting people.

1 Like

What is the suggested base Debian image for VPS deployment? Could this be the right one?

https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-10.6.0-amd64-xfce-CD-1.iso.torrent