[SOLVED] Is it possible for the user responsible for the web interface to run without sudo priveledge?

Imeguras · September 12, 2022, 4:04pm

The issue I am facing:

So basically, space is of the essence in my server, and i already had nginx installed, with a non default user, ill refer to it as Dan. Although i start pihole, nginx, and php socket with my default user which has sudo privs.

Dan doesn't have sudo priveledges, and although everything was smooth sailing when i try to do things like changing settings(for example the theme) it causes an error due to first php executing commands with sudo pihole but due to that specific command out right requiring sudo.

What causes pihole to outright require sudo for pihole -a? i know that it is supposed to be only for admins, but in this server, im the only one using it and since my website was homebrew, im scared to give Dan sudo priveledges.

I only interested in pihole as a dns server, and intend to open port 53 to the public in order to be able to block ads with other networks

Details about my system:

The system that is running on is a proxmox lxc container without priveledges, Linux 5.4.174-2-pve #1 SMP PVE 5.4.174-2 x86_64 heres the greeter and to shorten things its a debian distro in bullseye

Pihole is installed without docker, and ive disabled ufw for now in order to make troubleshooting easier

What I have changed since installing Pi-hole:

Ill split into two, in order to hopefully save time, the answer to this answer verbatum is in the second header

Details about changes before the current instalation

Initially i've tried to install pihole with docker, since i was afraid of pihole taking too much liberty and thinking that the server is dedicated to him, this failed as I only recently i have delt with proxmox(the server container was given to me).

After a lot of time wasted, discovering what an LXC entails, and more importantly that neither nesting nor priveledges were given to my container.

I decided to see some videos around pihole after its installed and decided to just do a plain installation through the curl command, at first i decided to run it with lighttp and just disable the already running nginx so i could free port 80 and have a "most default" case installment.

After noticing it wasnt working as i wanted to and that setting pihole with nginx was simpler due to me already having a bunch of stuff configured. i decided to uninstall lightp and port stuff to nginx

Things weren't working as i wanted to, i couldnt mess around the settings and everytime i wanted to do any kind of command i had to use my user instead of Dan.

There were also other issues like despite blocking some minor websites, a majority escaped despite the list being huge, (although i have a suspicion that i setted up cloudflare as the upstream while the router uses the isp dns so maybe cloudflare would reply these scame/ad websites dont exist while my isp would say they do). So i ended up reinstalling pyhole like 2 times to restart the process, and rebooting nginx and php7.4 service like 20 times

Details about changes after the current instalation

After the beforementioned reinstalls i ended up in my current state of affairs, i told pyhole to use 192.168.1.1 as the dns so that the router would be responsible for any dns upstream searches, i've told him to not install lightppd and then proceeded to configure nginx to use a subdomain of mine to refer to html.

I then added pyhole to Dan, and checked if i could finally touch themes through the interface, once again i couldn't set the theme

so i raged and gave ownership of etc/.pihole etc/pihole to dan:dan i also decided to change the gravity script in pyhole to replace chown pihole for Dan.

Then i ran and... no deal, i decided to calm myself and check if i could even execute pyhole -a as Dan and i then understood why i couldnt do it. I dont have sudo priveledges and apparently i need sudo to run that specific flag(? i can run pihole though), i also know that php executes sudo as i've tried to change it in a previous "installation" but thats the least of problems i guess

TL;DR

Disregarding security contexts, is it possible to run pihole -a without giving the webuser sudo? What would i need to change in order to do so?

Imeguras · September 12, 2022, 5:29pm

Well i figured it would be more difficult but after spending some time on it,fortunetely i was able to modify the scripts in order to force pihole to run without sudo its a bit more insecure. But i can now change things through the interface

Imeguras · September 12, 2022, 5:33pm

for people who stumble here, Ive changed a function in www/html/.../func.php which executes shell comands as sudo pihole

Then i changed a bunch of files in order to remove the chmods and chowns.

Most noticeably theres these lines meant to force a sudo context. I commented and i now im able to change themes, between other things

# Must be root to use this tool
if [[ ! $EUID -eq 0 ]];then
  if [[ -x "$(command -v sudo)" ]]; then
    exec sudo bash "$0" "$@"
    exit $?
  else
    echo -e "  ${CROSS} sudo is needed to run pihole commands.  Please run this script as root or install sudo."
    exit 1
  fi
fi

aspace · September 13, 2022, 10:24am

Now this is just my personal opinion but i would reconsider opening port 53 to the public internet if you just want to use filtering on other networks outside your home network consider using wireguard or openvpn (i personally use openvpn since wireguard doesn't play nice with dynamic dns) that way you can make sure no one else is using (or abusing your dns server).

yubiuser · September 13, 2022, 10:30am

@aspace is right. Don't open port 53. You're creating an open resolver which will be abused by bots within minutes for a DNS amplification attack.

A public facing DNS server likely violates the terms and conditions of your ISP or hosting solution. We at the Pi-hole project do not in any circumstance recommend, condone, or support public facing DNS with the project.

There are far too many ways someone can use it in a DNS based attack.

Companies like CF, OpenDNS, and Google have millions of dollars invested in their DNS server infrastructure to prevent this you as a one off user do not.

The recommended course of action for PERSONAL use is to use a VPN to allow use of pi-hole outside of the LAN there is a very well written guide located here

jfb · September 13, 2022, 12:11pm

Don't do this. Opening port 53 creates an open resolver. If you want to use your Pi-hole while away from your network, install a VPN client. We have two guides on our documentation page.

system · October 4, 2022, 12:11pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.