-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure pihole-FTL can write to all files in /etc/pihole, /run/pihole and /var/log/pihole #5356
Conversation
Signed-off-by: Christian König <ckoenig@posteo.de>
We should add a |
Signed-off-by: Christian König <ckoenig@posteo.de>
I added a second commit that will set |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your change. I wonder though (this is entirely up for discussion!) if we should drop those chmod
s as well (read as: they are dropped here, but I think they shouldn't).
My initial idea would be that we should set 640
(u+rw,g+r
) on the log files but something more generous on the config files (like 660
-> u+rw,g+rw
) so that other users manually added the the group pihole
can edit such files.
What we currently do (granting read permissions for all) on the
macvendor.db
,dhcp.leases
, andFTL.log
shouldn't be needed.
If FTL.log
would contain query information (only if debug.queries = true
), one might very well even consider this a privacy issue - we should definitely have the last digit 0
for such files.
Summary: I don't think there is anything (also not custom.list
) that would need read permissions for all. 660
seems the way to go.
I agree with the requested changes in re-adding file permission. Having |
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
chmod -R 0640 /var/log/pihole | ||
chmod -R 0660 /etc/pihole /run/pihole | ||
# allow all users to enter der directories | ||
chmod 0755 /etc/pihole /var/log/pihole |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the reason for allowing other users from being able to access the directories when if they aren't allowed to read any files in there?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My idea was: others can access the dir and get the names of the files within but not the actual content of the files.
Co-authored-by: DL6ER <dl6er@dl6er.de> Signed-off-by: Christian König <ckoenig@posteo.de>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, but as @DL6ER last requested changes, will await his approval/not to merge
What does this PR aim to accomplish?:
In v5 we create
custom.list
with ownerroot
.pi-hole/automated install/basic-install.sh
Lines 1374 to 1380 in 8495565
However, in v6
FTL
needs to write to the file after dropping priviledges/as userpihole
.This PR sets the owner on installation to
pihole
and ensures that beforeFTL
is started the owner is set topihole
for existing files.P.S. We could also set a transition path v5 -> v6 to change owner of all files in
/etc/pihole/
topihole
instead ofroot
.By submitting this pull request, I confirm the following:
git rebase
)