Pihole -up: Permission denied

jpgpi250 · November 13, 2023, 10:23am

DL6ER · November 13, 2023, 11:46am

Could you show us

ls -lah /etc/pihole

?

jpgpi250 · November 13, 2023, 4:23pm

total 191M
drwxr-xr-x   4 pihole pihole  12K Nov 13 17:22 .
drwxr-xr-x 121 root   root    12K Nov  8 09:41 ..
-rw-rw----   1 pihole pihole   65 Nov  4 11:16 adlists.list
drwxr-xr-x   2 pihole pihole 4.0K Nov 13 11:24 config_backups
-rw-rw----   1 pihole pihole 1.7K Nov 13 11:24 custom.list
-rw-rw----   1 pihole pihole    2 Feb  1  2020 custom.list.bck
-rw-rw----   1 pihole pihole    0 Oct 15 09:14 dhcp.leases
-rw-r--r--   1 pihole pihole 4.7K Nov 13 11:24 dnsmasq.conf
-rw-rw----   1 pihole pihole  651 Nov 13 09:45 dns-servers.conf
-rw-rw----   1 pihole pihole   15 Nov  4 11:14 ftlbranch
-rw-rw----   1 pihole pihole  75M Nov 13 09:48 gravity.db
-rw-rw----   1 pihole pihole 8.4M Oct 15 09:14 gravity.db.org
-rw-rw----   1 pihole pihole  75M Nov 12 08:44 gravity_old.db
-rw-rw----   1 pihole pihole  408 Nov 13 09:45 install.log
-rw-rw----   1 pihole pihole 3.3M Nov 13 09:45 list.1.raw.githubusercontent.com.domains
-rw-rw----   1 pihole pihole   95 Nov 13 09:45 list.1.raw.githubusercontent.com.domains.sha1
-rw-rw----   1 pihole pihole  23M Nov 13 09:46 list.2.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:46 list.2.local.domains.sha1
-rw-rw----   1 pihole pihole 6.7K Nov 13 09:46 list.3.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:46 list.3.local.domains.sha1
-rw-rw----   1 pihole pihole  107 Nov 13 09:47 list.4.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.4.local.domains.sha1
-rw-rw----   1 pihole pihole 231K Nov 13 09:47 list.5.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.5.local.domains.sha1
-rw-rw----   1 pihole pihole  17K Nov 13 09:47 list.6.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.6.local.domains.sha1
-rw-rw----   1 pihole pihole 7.0K Nov 13 09:48 list.7.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:48 list.7.local.domains.sha1
-rw-rw----   1 pihole pihole   65 Nov 13 09:48 local.list
-rw-r--r--   1 root   root    241 Oct 15 09:13 logrotate
-rw-rw----   1 pihole pihole 3.0M Nov 13 09:45 macvendor.db
drwxr-xr-x   2 pihole pihole 4.0K Oct 15 09:14 migration_backup
-rw-rw----   1 pihole pihole  187 Mar 25  2023 mylists.list
-rw-rw----   1 pihole pihole 1.9K Oct 15 09:56 pihole-FTL.conf.bak
-rw-rw----   1 pihole pihole 1.9K Nov  4 10:13 pihole-FTL.conf.bck
-rw-rw-r--   1 pihole pihole 4.7M Nov 13 17:22 pihole-FTL.db
-rw-rw----   1 pihole pihole  41K Nov 13 11:24 pihole.toml
-rw-rw----   1 pihole pihole  41K Nov  5 09:42 pihole.toml.bak
-rw-rw----   1 pihole pihole  41K Nov  4 11:53 pihole.toml.org
-rw-rw----   1 pihole pihole 1.3K Oct 15 09:16 regex.list
-rw-rw----   1 pihole pihole  406 Nov  4 09:36 setupVars.conf
-rw-rw----   1 pihole pihole  664 Nov  4 11:16 tls.crt
-rw-rw----   1 pihole pihole  952 Nov  4 11:16 tls.pem
-rw-rw----   1 pihole pihole  382 Nov 13 17:20 versions

DL6ER · November 13, 2023, 8:56pm

Okay, you did not run sudo pihole -up so the permission error is actually expected. We need to either do an auto-sudo (as we do in v5 IIRC) or abort early, asking the user to run the command with sudo instead. With pihole-FTL --config we do the latter.

yubiuser · November 13, 2023, 9:20pm

pihole -up should acquire sudo when being executes ad non-root.

need_root=1 is still set.

github.com

pi-hole/pi-hole/blob/834e52f15d6e9391fddd305dce3c4622b6e09703/pihole#L567-L571


      
          if [[ ! $EUID -eq 0 && need_root -eq 1 ]];then
            if [[ -x "$(command -v sudo)" ]]; then
              exec sudo bash "$0" "$@"
              exit $?
            else

yubiuser · November 13, 2023, 9:21pm

The issue here is, that it fails to source the file

github.com

pi-hole/pi-hole/blob/834e52f15d6e9391fddd305dce3c4622b6e09703/pihole#L26-L31


      
          if [ -f "${versionsfile}" ]; then
              # Only source versionsfile if the file exits
              # fixes a warning during installation where versionsfile does not exist yet
              # but gravity calls `pihole -status` and thereby sourcing the file
              source "${versionsfile}"
          fi

The version file should have global read permission (so even other users can source it)

-rw-r--r--  1 pihole pihole  379 13. Nov 20:39 versions

yubiuser · November 13, 2023, 9:27pm

We have a conflict between

github.com

pi-hole/pi-hole/blob/834e52f15d6e9391fddd305dce3c4622b6e09703/advanced/Templates/pihole-FTL-prestart.sh#L17


      
          . "${utilsfile}"
          
          # Get file paths
          FTL_PID_FILE="$(getFTLPIDFile)"
          
          # Ensure that permissions are set so that pihole-FTL can edit all necessary files
          # shellcheck disable=SC2174
          mkdir -pm 0640 /var/log/pihole
          chown -R pihole:pihole /etc/pihole /var/log/pihole
          chmod -R 0640 /var/log/pihole
          chmod -R 0660 /etc/pihole
          
          # Logrotate config file need to be owned by root and must not be writable by group and others
          chown root:root /etc/pihole/logrotate
          chmod 0644 /etc/pihole/logrotate
          
          # allow all users to enter the directories
          chmod 0755 /etc/pihole /var/log/pihole
          
          # allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
          # credits https://stackoverflow.com/a/11512211

and

github.com

pi-hole/pi-hole/blob/834e52f15d6e9391fddd305dce3c4622b6e09703/advanced/Scripts/updatecheck.sh#L46-L49


      
          # Create new versions file if it does not exist
          VERSION_FILE="/etc/pihole/versions"
          touch "${VERSION_FILE}"
          chmod 644 "${VERSION_FILE}"

DL6ER · November 13, 2023, 9:31pm

I think 0660 is better and we should be root here - he/she/it can read (almost) everything regardless of permissions

yubiuser · November 13, 2023, 10:29pm

No, 644 (or 664) is the way to go. The warning is triggered right at the start of the pihole script where the file is sourced. At this point, no elevated privileges are needed.

DL6ER · November 14, 2023, 6:48pm

My point vs. yours is safety. It is surely debatable but I don't think arbitrary users on a system should be able to read the content of /etc/pihole - this also has privacy implications when they can read the database, etc. My point is that pihole -up is going to do something where elevated privileges are necessary so it shouldn't be an issue to do it early on.

Similarly, I don't think you could get apt upgrade to tell you if there are updates (even if there are none!) without sudo.

Other examples are, for instance, wireguard where non-root users can not even enter/list the content of /etc/wireguard, let alone reading the files themselves.

DanSchaper · November 14, 2023, 7:25pm

640 is preferrable if it causes no issues.

apt list --upgradable is a non-root user command. No idea why...

yubiuser · November 14, 2023, 7:48pm

That's the issue here: it does.
I tried to explain it above, but will again. We source /etc/pihole/version right at the beginning of every pihole invocation. If a normal non-pihole user does it, it will error as they are not allowed to read the file. Later we decide based on the arguments passed (e.g. -v, -up, -g) if pihole needs root permissions or not.E.g. pihole -up does need root. But pihole -v does not.

We source the versions file to determine if the command is executed from the docker container and block certain functions. There might be other reasons to source it, but this one I know for sure.
If we decide to go 640 we need to source it at multiple locations during the script.