Allow pihole user to run pihole command as the pihole user
Signed-off-by: Adam Warner <[email protected]>
PromoFaux committed Jul 17, 2023
1 parent 348e27b commit 2b17817
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/Dockerfile
@@ -38,6 +38,7 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then FTLARCH=amd64; \

ADD https://ftl.pi-hole.net/macvendor.db /macvendor.db
COPY crontab.txt /crontab.txt
COPY pihole.sudo /etc/sudoers.d/pihole

RUN cd /etc/.pihole && \
install -Dm755 -d /opt/pihole && \
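Review bot: the COPY of pihole.sudo into /etc/sudoers.d/pihole sets neither an explicit mode nor a build-time validation step, and sudo rejects drop-ins that are not owned by root or that are writable or readable beyond mode 0440. Suggest `COPY --chmod=0440 pihole.sudo /etc/sudoers.d/pihole` (BuildKit) or a `chmod 0440 /etc/sudoers.d/pihole` in the following RUN, plus `visudo -cf /etc/sudoers.d/pihole` during the build so a syntax error fails the image instead of breaking sudo at runtime. Nothing in the visible context shows the sudo package being installed; worth confirming the base image provides it.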
1 change: 1 addition & 0 deletions src/pihole.sudo
@@ -0,0 +1 @@
pihole ALL = NOPASSWD: /usr/local/bin/pihole"
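Review bot: the trailing `"` on the only line of src/pihole.sudo is a sudoers syntax error, and a parse error in a file under /etc/sudoers.d makes sudo reject the whole policy, so until the quote is dropped this rule blocks sudo rather than granting anything. Separately, with no runas list the command runs as root (sudo's default target), which is broader than "as the pihole user" in the commit title; if that is the intent, write `pihole ALL = (pihole) NOPASSWD: /usr/local/bin/pihole`, and a `visudo -cf` check in the build would catch both issues.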

3 comments on commit 2b17817

@Gontier-Julien
Contributor


May I suggest using doas instead of sudo? It can do the same (as what is there currently), is lighter, and should be more secure.

Alpine uses the OpenDoas implementation (https://github.com/Duncaen/OpenDoas).

The variant file for pihole would look like this doing the same thing:

In /etc/doas.conf:

permit nopass pihole cmd /usr/local/bin/pihole

permit (allow the user) nopass (without password) pihole (the user) cmd (the command the user is allowed to execute) /usr/local/bin/pihole (the executable path)

It should run as the pihole user by default with this command if I'm not mistaken, but if not, just adding "as pihole" between pihole and cmd should solve it ^^
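Added example, not part of the commit or of either comment: a small Python lint that parses a sudoers user specification like the one in src/pihole.sudo, flags the unbalanced quote in the committed line, and renders the doas.conf equivalent described above (including the "as pihole" target when a runas list is present). The grammar is a deliberately simplified subset and the function names are my own.

```python
import re
# Constructed, minimal grammar for one sudoers user specification:
#   user host = (runas_user[:runas_group]) TAG: command
# Enough to lint a drop-in like src/pihole.sudo; not a full sudoers parser.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      # optional runas list
    r"(?P<tags>(?:[A-Z]+:\s*)*)"         # optional tags such as NOPASSWD:
    r"(?P<cmd>\S.*)$"
)

def lint_sudoers_rule(line: str) -> list:
    """Findings a reviewer would raise about one rule; empty list means clean."""
    findings = []
    if line.count('"') % 2 == 1:
        # a parse error in any sudoers.d file makes sudo reject the whole policy
        findings.append("unbalanced double quote: sudoers parse error")
    if "=" not in line:
        findings.append("missing '=' between host list and command spec")
    return findings

def parse_sudoers_rule(line: str) -> dict:
    """Split a clean rule into its parts; runas defaults to root, as in sudo."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a user specification: {line!r}")
    tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": runas, "tags": tags, "cmd": m.group("cmd").strip()}

def to_doas(rule: dict) -> str:
    """Render the equivalent doas.conf line: permit [nopass] user [as target] cmd path."""
    parts = ["permit"]
    if "NOPASSWD" in rule["tags"]:
        parts.append("nopass")
    parts.append(rule["user"])
    if rule["runas"] != "root":          # doas also targets root by default
        parts += ["as", rule["runas"]]
    parts += ["cmd", rule["cmd"]]
    return " ".join(parts)

if __name__ == "__main__":
    committed = 'pihole ALL = NOPASSWD: /usr/local/bin/pihole"'   # the line in this commit
    print(lint_sudoers_rule(committed))
    fixed = "pihole ALL = (pihole) NOPASSWD: /usr/local/bin/pihole"
    print(to_doas(parse_sudoers_rule(fixed)))
```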

@PromoFaux
Member Author


Thanks for the review/comments.

Actually, on reflection, this issue was actually down to the ${USER} variable being blank inside the container (see pi-hole/pi-hole#5341), so the addition to the sudoers is actually no longer required; I have just tested this on a fresh build without these changes.

start.sh actually needs to run as root to set a few things up first (though this could change in future); when pihole-FTL is run, it is started as the pihole user.

We can take a look at doas in the future if we still require that kind of thing.
