Pihole -up: Permission denied

Could you show us ls -lah /etc/pihole?

total 191M
drwxr-xr-x   4 pihole pihole  12K Nov 13 17:22 .
drwxr-xr-x 121 root   root    12K Nov  8 09:41 ..
-rw-rw----   1 pihole pihole   65 Nov  4 11:16 adlists.list
drwxr-xr-x   2 pihole pihole 4.0K Nov 13 11:24 config_backups
-rw-rw----   1 pihole pihole 1.7K Nov 13 11:24 custom.list
-rw-rw----   1 pihole pihole    2 Feb  1  2020 custom.list.bck
-rw-rw----   1 pihole pihole    0 Oct 15 09:14 dhcp.leases
-rw-r--r--   1 pihole pihole 4.7K Nov 13 11:24 dnsmasq.conf
-rw-rw----   1 pihole pihole  651 Nov 13 09:45 dns-servers.conf
-rw-rw----   1 pihole pihole   15 Nov  4 11:14 ftlbranch
-rw-rw----   1 pihole pihole  75M Nov 13 09:48 gravity.db
-rw-rw----   1 pihole pihole 8.4M Oct 15 09:14 gravity.db.org
-rw-rw----   1 pihole pihole  75M Nov 12 08:44 gravity_old.db
-rw-rw----   1 pihole pihole  408 Nov 13 09:45 install.log
-rw-rw----   1 pihole pihole 3.3M Nov 13 09:45 list.1.raw.githubusercontent.com.domains
-rw-rw----   1 pihole pihole   95 Nov 13 09:45 list.1.raw.githubusercontent.com.domains.sha1
-rw-rw----   1 pihole pihole  23M Nov 13 09:46 list.2.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:46 list.2.local.domains.sha1
-rw-rw----   1 pihole pihole 6.7K Nov 13 09:46 list.3.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:46 list.3.local.domains.sha1
-rw-rw----   1 pihole pihole  107 Nov 13 09:47 list.4.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.4.local.domains.sha1
-rw-rw----   1 pihole pihole 231K Nov 13 09:47 list.5.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.5.local.domains.sha1
-rw-rw----   1 pihole pihole  17K Nov 13 09:47 list.6.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:47 list.6.local.domains.sha1
-rw-rw----   1 pihole pihole 7.0K Nov 13 09:48 list.7.local.domains
-rw-rw----   1 pihole pihole   75 Nov 13 09:48 list.7.local.domains.sha1
-rw-rw----   1 pihole pihole   65 Nov 13 09:48 local.list
-rw-r--r--   1 root   root    241 Oct 15 09:13 logrotate
-rw-rw----   1 pihole pihole 3.0M Nov 13 09:45 macvendor.db
drwxr-xr-x   2 pihole pihole 4.0K Oct 15 09:14 migration_backup
-rw-rw----   1 pihole pihole  187 Mar 25  2023 mylists.list
-rw-rw----   1 pihole pihole 1.9K Oct 15 09:56 pihole-FTL.conf.bak
-rw-rw----   1 pihole pihole 1.9K Nov  4 10:13 pihole-FTL.conf.bck
-rw-rw-r--   1 pihole pihole 4.7M Nov 13 17:22 pihole-FTL.db
-rw-rw----   1 pihole pihole  41K Nov 13 11:24 pihole.toml
-rw-rw----   1 pihole pihole  41K Nov  5 09:42 pihole.toml.bak
-rw-rw----   1 pihole pihole  41K Nov  4 11:53 pihole.toml.org
-rw-rw----   1 pihole pihole 1.3K Oct 15 09:16 regex.list
-rw-rw----   1 pihole pihole  406 Nov  4 09:36 setupVars.conf
-rw-rw----   1 pihole pihole  664 Nov  4 11:16 tls.crt
-rw-rw----   1 pihole pihole  952 Nov  4 11:16 tls.pem
-rw-rw----   1 pihole pihole  382 Nov 13 17:20 versions

Okay, you did not run sudo pihole -up so the permission error is actually expected. We need to either do an auto-sudo (as we do in v5 IIRC) or abort early, asking the user to run the command with sudo instead. With pihole-FTL --config we do the latter.

pihole -up should acquire sudo when being executed as non-root.

need_root=1 is still set.

The issue here is that it fails to source the file

The version file should have global read permission (so even other users can source it)

-rw-r--r--  1 pihole pihole  379 13. Nov 20:39 versions

We have a conflict between

and

I think 0660 is better and we should be root here - he/she/it can read (almost) everything regardless of permissions

No, 644 (or 664) is the way to go. The warning is triggered right at the start of the pihole script where the file is sourced. At this point, no elevated privileges are needed.

My point vs. yours is safety. It is surely debatable but I don't think arbitrary users on a system should be able to read the content of /etc/pihole - this also has privacy implications when they can read the database, etc. My point is that pihole -up is going to do something where elevated privileges are necessary so it shouldn't be an issue to do it early on.

Similarly, I don't think you could get apt upgrade to tell you if there are updates (even if there are none!) without sudo.

Other examples are, for instance, wireguard where non-root users can not even enter/list the content of /etc/wireguard, let alone reading the files themselves.

640 is preferable if it causes no issues.

apt list --upgradable is a non-root user command. No idea why...

That's the issue here: it does.
I tried to explain it above, but will again. We source /etc/pihole/version right at the beginning of every pihole invocation. If a normal non-pihole user does it, it will error as they are not allowed to read the file. Later we decide based on the arguments passed (e.g. -v, -up, -g) if pihole needs root permissions or not. E.g. pihole -up does need root. But pihole -v does not.

We source the versions file to determine if the command is executed from the docker container and block certain functions. There might be other reasons to source it, but this one I know for sure.
If we decide to go 640 we need to source it at multiple locations during the script.
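
The ordering discussed in this thread, as an added sketch that is not part of any post and not Pi-hole's own script: decide from the arguments whether root is needed and abort early, and only then source the versions file if it is readable. The function names, the command-to-privilege mapping beyond -up and -v, and the sample key are assumptions.

```shell
#!/bin/sh
# Added sketch, not Pi-hole's script: function names, the command-to-privilege
# mapping and the sample key below are assumptions for illustration.

# Return 0 if the sub-command needs root. Only -up (needs root) and -v (does
# not) are stated in the thread; anything else is treated as unprivileged here.
needs_root() {
    case "$1" in
        -up) return 0 ;;
        *)   return 1 ;;
    esac
}

# preflight CMD UID VERSIONS_FILE
# Prints "need-sudo", "sourced" or "skipped"; returns 1 only for "need-sudo".
# The UID is passed in (normally "$(id -u)") so the logic can be tested.
preflight() {
    cmd=$1 uid=$2 versions=$3
    # Privilege decision first: no file under /etc/pihole is touched yet,
    # so a 0640/0660 versions file cannot cause "Permission denied" here.
    if needs_root "$cmd" && [ "$uid" -ne 0 ]; then
        echo "need-sudo"
        return 1
    fi
    # Unprivileged commands source the file only when it is readable
    # (missing or unreadable both count as "skipped") and carry on without it.
    if [ -r "$versions" ]; then
        . "$versions"
        echo "sourced"
    else
        echo "skipped"
    fi
}

# Constructed sample data: a stand-in versions file with a made-up key.
demo_dir=$(mktemp -d)
printf 'SAMPLE_VERSION_KEY=v0.0\n' > "$demo_dir/versions"
chmod 0640 "$demo_dir/versions"

preflight -up 1000 "$demo_dir/versions" || echo "re-run with sudo" >&2
preflight -v  1000 "$demo_dir/versions"
preflight -v  1000 "$demo_dir/missing"
```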