From e70981d80f3f9d4c42a5bbb74651ae2ed489e6da Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Mon, 24 Feb 2025 17:01:17 +0100
Subject: [PATCH 1/6] Do not overwrite TLS cert/key mode
FTL correctly creates the cert and especially private key with 0600 mode. But the prestart scripts changes it to 0660. After removing the dedicated webserver from Pi-hole setups, the pihole group has no purpose anymore, and files should not be writable to any other user than pihole itself, and the private TLS key not reasable to anyone else either. Additionally, this commit consolidates the chmod calls, applying 0755 to all directories and 0640 to all files, but the TLS key and cert.
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)
 mode change 100755 => 100644 advanced/Templates/pihole-FTL-prestart.sh
diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
old mode 100755
new mode 100644
index f0bbe09a..ab449dfe
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -10,22 +10,14 @@ utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 FTL_PID_FILE="$(getFTLConfigValue files.pid)"
 # Ensure that permissions are set so that pihole-FTL can edit all necessary files
-# shellcheck disable=SC2174
-mkdir -pm 0640 /var/log/pihole
+mkdir -p /var/log/pihole
 chown -R pihole:pihole /etc/pihole /var/log/pihole
-chmod -R 0640 /var/log/pihole
-chmod -R 0660 /etc/pihole
+find /etc/pihole /var/log/pihole -type d -exec chmod 0755 {} +
+find /etc/pihole /var/log/pihole -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
+find /etc/pihole /var/log/pihole -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
-# Logrotate config file need to be owned by root and must not be writable by group and others
+# Logrotate config file need to be owned by root
 chown root:root /etc/pihole/logrotate
-chmod 0644 /etc/pihole/logrotate
-
-# allow all users to enter the directories
-chmod 0755 /etc/pihole /var/log/pihole
-
-# allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
-# credits https://stackoverflow.com/a/11512211
-find /etc/pihole/ -type d -exec chmod 0755 {} \;
 # Touch files to ensure they exist (create if non-existing, preserve if existing)
 [ -f "${FTL_PID_FILE}" ] || install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
From 65bcb24d0e461ddc87665b1f5f6a4e99f8446a5b Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Mon, 24 Feb 2025 17:28:33 +0100
Subject: [PATCH 2/6] Fix test
Do not check whether the pihole user can read /etc/pihole/logrotate. It needs to be readable by root only, which is always true.
Signed-off-by: MichaIng
---
 test/test_any_automated_install.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/test/test_any_automated_install.py b/test/test_any_automated_install.py
index 73da7eef..c656fe88 100644
--- a/test/test_any_automated_install.py
+++ b/test/test_any_automated_install.py
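Review bot: The third `find` on the new side never applies `chmod 0600` to `*.pem` files, because without parentheses find's implicit `-a` binds tighter than `-o`, so the expression parses as `(-type f -a -name '*.pem') -o (-name '*.crt' -a -exec …)` and the `-exec` action is attached to the `*.crt` branch only. Since the preceding find explicitly excludes both patterns from the 0640 pass, a key such as a `.pem` that the removed `chmod -R 0660 /etc/pihole` had already widened keeps that mode on upgrade — the exact problem the commit sets out to fix. Group the name tests the way the 0640 line already does: `find /etc/pihole /var/log/pihole -type f \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0600 {} +`. It would also be more robust to chmod the configured cert path directly (presumably obtainable via `getFTLConfigValue`, as `files.pid` is above), since a key stored under another extension is not covered by the name patterns. This line is carried unchanged through the later commits in the series.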
@@ -127,10 +127,6 @@ def test_installPihole_fresh_install_readableFiles(host):
     check_localversion = test_cmd.format("r", "/etc/pihole/versions", piholeuser)
     actual_rc = host.run(check_localversion).rc
     assert exit_status_success == actual_rc
-    # readable logrotate
-    check_logrotate = test_cmd.format("r", "/etc/pihole/logrotate", piholeuser)
-    actual_rc = host.run(check_logrotate).rc
-    assert exit_status_success == actual_rc
     # readable macvendor.db
     check_macvendor = test_cmd.format("r", "/etc/pihole/macvendor.db", piholeuser)
     actual_rc = host.run(check_macvendor).rc
From 0b380d671d273d529e6a0cece9fca7b7dc6e2e77 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Mon, 24 Feb 2025 17:34:32 +0100
Subject: [PATCH 3/6] Follow symlinks with find
Incorporating https://github.com/pi-hole/pi-hole/pull/5997
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 advanced/Templates/pihole-FTL-prestart.sh
diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
old mode 100644
new mode 100755
index ab449dfe..8855481b
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
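Review bot: Deleting the readability check leaves `/etc/pihole/logrotate` with no permission assertion at all, even though the first patch of this series is what changes its mode (the explicit `chmod 0644` is gone and the file now gets 0640 from the generic find before being chowned to root). Rather than dropping coverage, replace it with the negative form of the same helper so a regression back to a pihole-writable file is caught, e.g. `check_logrotate = test_cmd.format("w", "/etc/pihole/logrotate", piholeuser)` followed by `assert exit_status_success != host.run(check_logrotate).rc`. This assumes `test_cmd` accepts a `w` mode the same way it accepts `r`; the helper is defined outside this hunk, so confirm before relying on it. The enclosing `test_installPihole_fresh_install_readableFiles` continues before and after the hunk.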
@@ -12,9 +12,9 @@ FTL_PID_FILE="$(getFTLConfigValue files.pid)"
 # Ensure that permissions are set so that pihole-FTL can edit all necessary files
 mkdir -p /var/log/pihole
 chown -R pihole:pihole /etc/pihole /var/log/pihole
-find /etc/pihole /var/log/pihole -type d -exec chmod 0755 {} +
-find /etc/pihole /var/log/pihole -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
-find /etc/pihole /var/log/pihole -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
+find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
+find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
+find /etc/pihole/ /var/log/pihole/ -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
 # Logrotate config file need to be owned by root
 chown root:root /etc/pihole/logrotate
From 232d581916aef4828288e5045e65263fc47b3519 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Wed, 26 Feb 2025 12:25:51 +0100
Subject: [PATCH 4/6] Re-add comment about execute bit on directory
Co-authored-by: Dominik
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
index 8855481b..5c6bd909 100755
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -12,6 +12,7 @@ FTL_PID_FILE="$(getFTLConfigValue files.pid)"
 # Ensure that permissions are set so that pihole-FTL can edit all necessary files
 mkdir -p /var/log/pihole
 chown -R pihole:pihole /etc/pihole /var/log/pihole
+# allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
 find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
 find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
 find /etc/pihole/ /var/log/pihole/ -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
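Review bot: The trailing slashes make `find` descend into `/etc/pihole` and `/var/log/pihole` even when those paths are symlinks, but the `chown -R pihole:pihole /etc/pihole /var/log/pihole` context line directly above the changed lines still passes them without one. With GNU chown, `-R` defaults to not traversing symbolic links (`-P`), so on a symlinked directory it would re-own the link itself rather than the files underneath, leaving the subsequent chmods to tighten files that still belong to the wrong owner — please verify against the chown actually in use, as this depends on the coreutils flavor. Give chown the same treatment as find: `chown -R pihole:pihole /etc/pihole/ /var/log/pihole/`. Note also that the 0600 line is moved but not repaired here: its `-name '*.pem' -o -name '*.crt' -exec …` still lacks the `\( … \)` grouping the 0640 line has, so `-exec` binds to the `*.crt` branch only.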
From 83a38bb71d3cf849b8e968eb56b9404a42675395 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Wed, 26 Feb 2025 12:26:50 +0100
Subject: [PATCH 5/6] Add comment about file permissions
Co-authored-by: Dominik
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
index 5c6bd909..07b28bbb 100755
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -14,6 +14,7 @@ mkdir -p /var/log/pihole
 chown -R pihole:pihole /etc/pihole /var/log/pihole
 # allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
 find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
+# Set all files (except TLS-related ones) to u+rw g+r
 find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
 find /etc/pihole/ /var/log/pihole/ -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
From ad6a48b219ea24cb7069eff10e698c16cf80534d Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Wed, 26 Feb 2025 20:59:32 +0100
Subject: [PATCH 6/6] Add comment about TLS-related file permissions
Co-authored-by: Dominik
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
index 07b28bbb..1abafd28 100755
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -16,6 +16,7 @@ chown -R pihole:pihole /etc/pihole /var/log/pihole
 find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
 # Set all files (except TLS-related ones) to u+rw g+r
 find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
+# Set TLS-related files to a more restrictive u+rw *only* (they may contain private keys)
 find /etc/pihole/ /var/log/pihole/ -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
 # Logrotate config file need to be owned by root