Do not add pihole user to web server group

[MichaIng]

By submitting this pull request, I confirm the following:

• I have read and understood the contributors guide, as well as this entire template.
• I have made only one major change in my proposed changes.
• I have commented my proposed changes within the code.
• I have tested my proposed changes, and have included unit tests where possible.
• I am willing to help maintain this change if there are issues with it later.
• I give this submission freely and claim no ownership.
• It is compatible with the EUPL 1.2 license
• I have squashed any insignificant commits. (git rebase)

Signed-off-by: MichaIng micha@dietpi.com

---

What does this PR aim to accomplish?:

• Cleanup + security
• The pihole user is currently added to www-data webserver group.
• This is and was never required: Full systemd support #2900 (comment)
  • As can be seen, after a fresh Pi-hole install with official v5 installer, the only three items with group = www-data + user != dietpi + higher group mode than "others" mode are /var/cache/lighttpd/compress/, /var/cache/lighttpd/uploads/, both with 750 modes, and /var/www/html with 775 mode. Hence as long as Pi-hole does not directly read one of the first two directories or writes to /var/www/html (excluding subdirs!), in fact the www-data group does not add any other permissions. I could not find any hint for both cases.
• Furthermore I tracked down the Git blame to when this usermod was actually added, to probably find some explanation: Full systemd support #2900 (comment)
  • It was added with the very first automated installer commit as part of the webserver install. At that time the user pi was added to www-data as a regular step to enable the default RPi login user administrating the webroot. The pihole user did not exist at that time and no service/process ran as pi user. The pihole was first introduced as fallback if the user pi does not exist, to have a similar pseudo-admin user on non-RPi devices. Full transition to pihole user was done later, using it as actual run user for services/processes again later. Adding it to www-data group was migrated over the years while the initial reason, to give the default login user some website admin capabilities, is not valid anymore.

How does this PR accomplish the above?:

• Remove obsolete usermod -a -G www-data pihole.

[dschaper]

Sounds good, we'll never know why it was added so we'll just have to go on trying to fix what we can.

[MichaIng]

Btw not a prove but an evidence that pihole user doesn't need to be in webserver group is that we never added it on DietPi and never faced related issues. With Pi-hole v5 it is required the other way round, which causes issues on DietPi v6.28 and is well documented in the code, but skipping usermod -aG www-data pihole still does not cause any issues.

[pralor-bot]

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-5-1-released/35577/1