FTL database shouldn't be readable by unprivileged users
orazioedoardo opened this issue · 8 comments
Expected behavior
FTL database is private.
Actual behavior / bug
Any user on the system can read the database and gather information about Pi-hole usage patterns, domains visited, etc.
Steps to reproduce
Observe that the database at /etc/pihole/pihole-FTL.db has -rw-rw-r-- permissions.
Additional context
DNS logs are already configured with -rw-r----- but the database contains a lot more data and for a longer timespan.
This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.
Still relevant
Thanks for your suggestion and sorry for the huge delay. I will make sure to submit this as a change into the currently running public Pi-hole v6.0 beta round.
This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.
Apparently the never-stale label does not work here. Changed to a known working one for now.
Note about the never-stale label:
"Apparently the never-stale label does not work here"
never-stale is missing for issues: pi-hole/.github/workflows/stale.yml, line 27 in 5490a6e
There is a different workflow for PRs. That workflow has a different set of labels and includes never-stale: pi-hole/.github/workflows/stale_pr.yml, line 31 in 5490a6e
Somewhat related: /etc/pihole/setupVars.conf contains the password hash of the web interface, and is world-readable. This can make it easier to brute force the password.
Could it be a solution to make the files in /etc/pihole/ readable by members of the pihole group only? The LIGHTTPD_USER is already a member of the pihole group anyway, so the web interface should be compatible with this change:
https://github.com/pi-hole/pi-hole/blob/master/automated%20install/basic-install.sh#L1923
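A small permission audit for the two files discussed in this thread, added here as an example that is not from the issue or the Pi-hole project. It assumes POSIX `find -perm` plus GNU/BusyBox `stat -c %a`, and builds its sample files in a temporary directory rather than touching /etc/pihole.

```shell
#!/bin/sh
# Audit of the Pi-hole files named in this thread for world-readability.
# Added example, not part of the issue or the Pi-hole project.
# Assumes `find -perm -004` (POSIX) and `stat -c %a` (GNU/BusyBox coreutils).

# Returns 0 when the "other" read bit is set on the path, 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Prints one line per file and returns the number of world-readable files.
audit_pihole_files() {
    dir=$1; bad=0
    for f in "$dir/pihole-FTL.db" "$dir/setupVars.conf"; do
        [ -e "$f" ] || continue
        if is_world_readable "$f"; then
            printf 'EXPOSED  %s (mode %s)\n' "$f" "$(stat -c %a "$f")"
            bad=$((bad + 1))
        else
            printf 'ok       %s (mode %s)\n' "$f" "$(stat -c %a "$f")"
        fi
    done
    return "$bad"
}

# Remediation along the lines proposed above: hand the file to the given
# group (the thread suggests "pihole") and drop every permission for others.
restrict_to_group() {
    chgrp "$2" "$1" && chmod o-rwx "$1"
}

# Constructed demo: a temporary copy of the layout with the reported 664 mode.
demo() {
    d=$(mktemp -d)
    touch "$d/pihole-FTL.db" "$d/setupVars.conf"
    chmod 664 "$d/pihole-FTL.db" "$d/setupVars.conf"
    n=0; audit_pihole_files "$d" || n=$?
    echo "$n file(s) exposed before remediation"
    for f in "$d/pihole-FTL.db" "$d/setupVars.conf"; do
        restrict_to_group "$f" "$(id -gn)"   # real deployment: the pihole group
    done
    n=0; audit_pihole_files "$d" || n=$?
    echo "$n file(s) exposed after remediation"
    rm -rf "$d"
}
demo
```

Running it against a real /etc/pihole only needs the audit function; the remediation step is what the group-only proposal above amounts to, and must be done as root.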
@orazioedoardo Sorry for the (very!) large delay, I just found this ticket in my todo list and created pi-hole/FTL#1955
@Iksas this has already been implemented in Pi-hole v6.0