Could you show us ls -lah /etc/pihole?
total 191M
drwxr-xr-x 4 pihole pihole 12K Nov 13 17:22 .
drwxr-xr-x 121 root root 12K Nov 8 09:41 ..
-rw-rw---- 1 pihole pihole 65 Nov 4 11:16 adlists.list
drwxr-xr-x 2 pihole pihole 4.0K Nov 13 11:24 config_backups
-rw-rw---- 1 pihole pihole 1.7K Nov 13 11:24 custom.list
-rw-rw---- 1 pihole pihole 2 Feb 1 2020 custom.list.bck
-rw-rw---- 1 pihole pihole 0 Oct 15 09:14 dhcp.leases
-rw-r--r-- 1 pihole pihole 4.7K Nov 13 11:24 dnsmasq.conf
-rw-rw---- 1 pihole pihole 651 Nov 13 09:45 dns-servers.conf
-rw-rw---- 1 pihole pihole 15 Nov 4 11:14 ftlbranch
-rw-rw---- 1 pihole pihole 75M Nov 13 09:48 gravity.db
-rw-rw---- 1 pihole pihole 8.4M Oct 15 09:14 gravity.db.org
-rw-rw---- 1 pihole pihole 75M Nov 12 08:44 gravity_old.db
-rw-rw---- 1 pihole pihole 408 Nov 13 09:45 install.log
-rw-rw---- 1 pihole pihole 3.3M Nov 13 09:45 list.1.raw.githubusercontent.com.domains
-rw-rw---- 1 pihole pihole 95 Nov 13 09:45 list.1.raw.githubusercontent.com.domains.sha1
-rw-rw---- 1 pihole pihole 23M Nov 13 09:46 list.2.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:46 list.2.local.domains.sha1
-rw-rw---- 1 pihole pihole 6.7K Nov 13 09:46 list.3.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:46 list.3.local.domains.sha1
-rw-rw---- 1 pihole pihole 107 Nov 13 09:47 list.4.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:47 list.4.local.domains.sha1
-rw-rw---- 1 pihole pihole 231K Nov 13 09:47 list.5.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:47 list.5.local.domains.sha1
-rw-rw---- 1 pihole pihole 17K Nov 13 09:47 list.6.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:47 list.6.local.domains.sha1
-rw-rw---- 1 pihole pihole 7.0K Nov 13 09:48 list.7.local.domains
-rw-rw---- 1 pihole pihole 75 Nov 13 09:48 list.7.local.domains.sha1
-rw-rw---- 1 pihole pihole 65 Nov 13 09:48 local.list
-rw-r--r-- 1 root root 241 Oct 15 09:13 logrotate
-rw-rw---- 1 pihole pihole 3.0M Nov 13 09:45 macvendor.db
drwxr-xr-x 2 pihole pihole 4.0K Oct 15 09:14 migration_backup
-rw-rw---- 1 pihole pihole 187 Mar 25 2023 mylists.list
-rw-rw---- 1 pihole pihole 1.9K Oct 15 09:56 pihole-FTL.conf.bak
-rw-rw---- 1 pihole pihole 1.9K Nov 4 10:13 pihole-FTL.conf.bck
-rw-rw-r-- 1 pihole pihole 4.7M Nov 13 17:22 pihole-FTL.db
-rw-rw---- 1 pihole pihole 41K Nov 13 11:24 pihole.toml
-rw-rw---- 1 pihole pihole 41K Nov 5 09:42 pihole.toml.bak
-rw-rw---- 1 pihole pihole 41K Nov 4 11:53 pihole.toml.org
-rw-rw---- 1 pihole pihole 1.3K Oct 15 09:16 regex.list
-rw-rw---- 1 pihole pihole 406 Nov 4 09:36 setupVars.conf
-rw-rw---- 1 pihole pihole 664 Nov 4 11:16 tls.crt
-rw-rw---- 1 pihole pihole 952 Nov 4 11:16 tls.pem
-rw-rw---- 1 pihole pihole 382 Nov 13 17:20 versions
Okay, you did not run sudo pihole -up so the permission error is actually expected. We need to either do an auto-sudo (as we do in v5 IIRC) or abort early, asking the user to run the command with sudo instead. With pihole-FTL --config we do the latter.
pihole -up should acquire sudo when being executed as non-root.
need_root=1 is still set.
The issue here is that it fails to source the file
The version file should have global read permission (so even other users can source it)
-rw-r--r-- 1 pihole pihole 379 13. Nov 20:39 versions
We have a conflict between
and
I think 0660 is better and we should be root here - he/she/it can read (almost) everything regardless of permissions
No, 644 (or 664) is the way to go. The warning is triggered right at the start of the pihole script where the file is sourced. At this point, no elevated privileges are needed.
My point vs. yours is safety. It is surely debatable but I don't think arbitrary users on a system should be able to read the content of /etc/pihole - this also has privacy implications when they can read the database, etc. My point is that pihole -up is going to do something where elevated privileges are necessary so it shouldn't be an issue to do it early on.
Similarly, I don't think you could get apt upgrade to tell you if there are updates (even if there are none!) without sudo.
Other examples are, for instance, wireguard where non-root users can not even enter/list the content of /etc/wireguard, let alone reading the files themselves.
640 is preferable if it causes no issues.
apt list --upgradable is a non-root user command. No idea why...
That's the issue here: it does.
I tried to explain it above, but will again. We source /etc/pihole/version right at the beginning of every pihole invocation. If a normal non-pihole user does it, it will error as they are not allowed to read the file. Later we decide based on the arguments passed (e.g. -v, -up, -g) if pihole needs root permissions or not. E.g. pihole -up does need root. But pihole -v does not.
We source the versions file to determine if the command is executed from the docker container and block certain functions. There might be other reasons to source it, but this one I know for sure.
If we decide to go 640 we need to source it at multiple locations during the script.
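The permission question debated in this thread can be checked mechanically. The following is an added example, not Pi-hole code and not from any participant: a shell function that lists the files in a config directory that users outside the owner and group can read, with an explicit allowlist for files that must stay readable (here `versions`, because the thread says it is sourced before any privilege decision). The function name, the allowlist and the demo directory are assumptions; the file modes in the demo are taken from the listings above.

```shell
#!/bin/sh
# Added example, not Pi-hole code. Function names and allowlist are assumptions.

# Usage: audit_other_readable DIR [ALLOWED_NAME...]
# Prints every regular file directly in DIR whose "other" read bit is set,
# skipping basenames on the allowlist. Returns 1 if anything was printed.
audit_other_readable() {
    dir="$1"
    shift
    hits=$(
        # -perm -004: "other" read bit set (644, 664, ...); 640/660 do not match.
        find "$dir" -maxdepth 1 -type f -perm -004 | sort |
        while IFS= read -r path; do
            name=${path##*/}
            allowed=0
            for ok in "$@"; do
                if [ "$name" = "$ok" ]; then allowed=1; fi
            done
            if [ "$allowed" -eq 0 ]; then printf '%s\n' "$path"; fi
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed demo: a throwaway directory using modes from the listings above.
demo_audit() {
    d=$(mktemp -d)
    for f in versions pihole-FTL.db gravity.db pihole.toml; do : > "$d/$f"; done
    chmod 644 "$d/versions"        # sourced before any sudo, so allowlisted
    chmod 664 "$d/pihole-FTL.db"   # mode shown in the first listing
    chmod 660 "$d/gravity.db" "$d/pihole.toml"
    out=$(audit_other_readable "$d" versions) || true
    rm -rf "$d"
    printf '%s\n' "${out##*/}"     # basename of the single finding
}

demo_audit
```

On a real system the call would be `audit_other_readable /etc/pihole versions`; a non-zero return means some file other than the allowlisted ones is readable by arbitrary local users.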