Pi-hole with PADD should not clutter up /var/log/auth.log #104
Comments
It does, any call to the |
Use this -
sudo tee /etc/sudoers.d/020_pihole >/dev/null <<EOF
Cmnd_Alias PIHOLE = $(command -v pihole)
Defaults!PIHOLE syslog_goodpri=none, !pam_session
EOF
sudo chmod 0440 /etc/sudoers.d/020_pihole
Now there should not be any entries in |
@thomasmerz Maybe What's the output of this - ps -o uid,user,comm `pgrep hole` |
That's right! I didn't take care of this in relation to this PR… 🤦🏻‍♂️ Output is (padd.sh is currently not running anymore):
|
@thomasmerz I told you to run - ps -o uid,user,comm `pgrep hole` But you ran - ps -o uid,user,comm | pgrep hole |
My fault, I'm sorry that I misunderstood. Here we go:
|
@subnut, do you have any update on my answers above and my question:
|
@thomasmerz Sorry, totally forgot 😅 My guesses are -
|
pihole has uid=999 and is not equal to root. And "User pihole is not allowed to run sudo …" in my docker container. |
This issue is fixed two-fold:
|
My pi-hole system's auth.log was about 38 MB per day, which seems excessive.
Upon reviewing the log file, it appears that PADD runs 'pihole status web' every few seconds, which causes the "pi" user to call 'sudo' each time.
The pihole "status web" command should not require root in order to run. (At least not on Raspbian Buster; it may very well be required when running on other distros and platforms. I think this might be better to address within Pi-hole, but would open a larger can of worms.)
One fix is to just run padd.sh as root. However, from a security policy perspective, that may not be ideal.
The workaround I've done was to edit ~./padd.sh function GetPiholeInformation():
With this change, my /var/log/auth.log file decreases to less than 40 KB per day. Much more manageable.
Related, but not as significant: during startup, PADD calls from GetVersionInformation(): "$(pihole -v -p)" and "$(pihole -v -a)" and "$(pihole -v -f)" which do unnecessary sudo calls. Replacing them with "$(/opt/pihole/version.sh -p)" and "$(/opt/pihole/version.sh -a)" and "$(/opt/pihole/version.sh -f)" reduces the sudo calls.
Perhaps the better place to address this would be in /usr/local/bin/pihole and have it not run sudo for options that don't require running as root. But I'm not sure if that would break things on other distros/platforms. Putting a workaround in PADD may break fewer systems, since users would have less variation between distros/platforms.
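To confirm which caller is filling auth.log before and after applying a change like the ones discussed in this issue, the log can be summarised per invoking user and command. This is an added example, not part of the issue or of PADD/Pi-hole; the function names and the sample lines are constructed, and the log layout assumed is the usual Debian/Raspbian sudo and pam_unix format.

```shell
#!/bin/sh
# Summarise sudo activity in an auth.log-style file: one output line per
# (invoking user, command) pair plus a count of the pam_unix session lines
# that accompany sudo calls, most frequent first. Fields are tab-separated.

# Constructed sample (assumed layout; host, times and address are made up).
sample_auth_log() {
cat <<'EOF'
Mar  1 12:00:01 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/local/bin/pihole status web
Mar  1 12:00:01 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar  1 12:00:01 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
Mar  1 12:00:05 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/local/bin/pihole status web
Mar  1 12:00:05 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar  1 12:00:05 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
Mar  1 12:00:07 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/local/bin/pihole -v -p
Mar  1 12:00:07 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar  1 12:00:07 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
Mar  1 12:00:09 raspberrypi sshd[812]: Accepted publickey for pi from 192.0.2.10 port 50022 ssh2
EOF
}

# Usage: sudo_summary [FILE]   (reads stdin when FILE is omitted or "-")
sudo_summary() {
    LC_ALL=C awk '
        # sudo command record: "<user> : TTY=... ; COMMAND=<cmd>"
        / sudo: .* COMMAND=/ {
            user = $0; sub(/^.* sudo: */, "", user); sub(/ :.*$/, "", user)
            cmd = $0;  sub(/^.*COMMAND=/, "", cmd)
            count[user "\t" cmd]++
        }
        # PAM session open/close lines written around each sudo call
        / sudo: pam_unix\(sudo:session\)/ { pam++ }
        END {
            for (k in count) printf "%d\t%s\n", count[k], k
            printf "%d\tpam_unix session lines\n", pam + 0
        }
    ' "${1:--}" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Stand-alone run on the constructed sample; on a real host use:
#   sudo_summary /var/log/auth.log
sample_auth_log | sudo_summary
```

Running it against the real /var/log/auth.log before and after a change shows whether the `pihole status web` entries and their session lines have actually stopped.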