FTL correctly creates the cert and especially private key with 0600 mode. But the prestart script changes it to 0660. After removing the dedicated webserver from Pi-hole setups, the pihole group has no purpose anymore, and files should not be writable by any user other than pihole itself, and the private TLS key should not be readable by anyone else either. Additionally, this commit consolidates the chmod calls, applying 0755 to all directories and 0640 to all files except the TLS key and cert. Signed-off-by: MichaIng <micha@dietpi.com>
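#!/usr/bin/env sh

# Pre-start preparation for pihole-FTL: normalises ownership and modes under
# /etc/pihole and /var/log/pihole, then makes sure the PID, log and lease
# files exist before the daemon starts.
# NOTE(review): presumably run as root (it chowns to root:root and to pihole
# below) - confirm against the service unit / init script that invokes it.

# Source utils.sh for getFTLConfigValue()
PI_HOLE_SCRIPT_DIR='/opt/pihole'
utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
# shellcheck disable=SC1090
. "${utilsfile}"

# Get file paths
FTL_PID_FILE="$(getFTLConfigValue files.pid)"

# Ensure that permissions are set so that pihole-FTL can edit all necessary files
mkdir -p /var/log/pihole
chown -R pihole:pihole /etc/pihole /var/log/pihole

# Directories: owner rwx, everyone else may traverse and list.
find /etc/pihole /var/log/pihole -type d -exec chmod 0755 {} +

# Regular files other than TLS material: owner rw, group r, no access for others.
# *.pem / *.crt are skipped here so this pass never widens their mode.
find /etc/pihole /var/log/pihole -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +

# TLS material (*.pem, *.crt): owner-only.
# The name tests must be grouped. Without the parentheses, find's implicit
# -a binds tighter than -o, so the expression reads
#   ( -type f -name '*.pem' )  -o  ( -name '*.crt' -exec chmod ... )
# and *.pem files match but never reach -exec, leaving a previously
# group-accessible *.pem at its old mode.
find /etc/pihole /var/log/pihole -type f \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0600 {} +

# Logrotate config file needs to be owned by root
# (this undoes the recursive chown above for this one file)
chown root:root /etc/pihole/logrotate

# Touch files to ensure they exist (create if non-existing, preserve if existing)
# install(1) with /dev/null as source creates an empty file with the requested
# owner, group and mode in one step; -D also creates missing parent directories.
[ -f "${FTL_PID_FILE}" ] || install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
[ -f /var/log/pihole/FTL.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/FTL.log
[ -f /var/log/pihole/pihole.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/pihole.log
# Created 0644 here; the 0640 pass above will tighten it on a later run,
# because the file lives under /etc/pihole.
[ -f /etc/pihole/dhcp.leases ] || install -m 644 -o pihole -g pihole /dev/null /etc/pihole/dhcp.leases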