[SOLVED] Pihole - "Sorry, user www-data is not allowed to execute "

Unread post by storms » Mon Apr 15, 2019 3:30 am

Hey guys, so I'm having problems with my pihole FTL.
I have made a topic on the pihole forums in order to seek help.

https://discourse.pi-hole.net/t/ftl-say ... t/19126/17

We have been debugging the thing and one problem arose, and even the dev is not sure what's wrong.

If you read the thread above, the problem that we found is that when I try to do:

Code:

sudo -u www-data pihole status

Sorry, user www-data is not allowed to execute '/bin/bash /usr/local/bin/pihole status' as root on odroid.

This is a FRESH minimal Ubuntu install on the odroid-xu4.
I just secured ssh, got the keys in, did tcp hardening (you can check the settings on the pihole forum thread) and installed ufw (it's disabled so I can debug).

Taking a look at the sudoers:

Code:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Taking a look at /etc/sudoers.d/pihole:

Code:

# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Allows the WebUI to use Pi-hole commands
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
#
www-data ALL=NOPASSWD: /usr/local/bin/pihole

Everything is "by the book"; the files, according to the dev, are how they are supposed to be. Now for some reason www-data can't execute pihole.

One question that the dev raised was:
"Maybe the content of your /etc/sudoers.d is not sourced somewhere?"
And at this point I am way out of my reach of knowledge, that's why I came to you guys.

Thank you for taking the time to read this, I hope I get some much needed answers :)!
Last edited by storms on Mon Apr 15, 2019 7:58 am, edited 1 time in total.


Unread post by meveric » Mon Apr 15, 2019 5:52 am

Your /etc/sudoers.d/pihole file allows www-data to run a command with root permissions without asking for a password.

Normally www-data does not have root permission, which means it can't run any application that requires root.
But that file allows www-data to run one single command with the sudo command: "/usr/local/bin/pihole"

So your command would actually have to look like this:

Code:

sudo -u www-data sudo pihole status

Which is quite hilarious considering that you ARE root, make yourself "www-data" and then run a command as "root" :D

Simply running pihole status should work if you are connected as root via ssh.

btw: pihole was probably made with Debian in mind instead of Ubuntu and it might run better if you actually install it on Debian instead of Ubuntu.

Unread post by storms » Mon Apr 15, 2019 7:15 am

Hello! Thanks for the quick reply, that did the trick!

Also sorry for going off topic, but we keep narrowing down the problem and we think we have come to a conclusion:

PIDOF is not working without sudo. <-----

The dev says it's possible that it is something that the odroid team did. You guys have some ideas?

"Perhaps your operating system is preventing regular users from seeing other processes."
I find it weird being an UBUNTU problem since this is a fresh install.
I installed Ubuntu onto the emmc (downloaded the image from the odroid website), locked down ssh, got the keys in and installed ufw, oh and added a user account...

edit:

Code:

sudo adduser cunha sudo
[sudo] password for cunha:
The user `cunha' is already a member of `sudo'.

Also tried:

Code:

sudo usermod -a -G sudo cunha

and went ahead and

Code:

visudo

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%cunha  ALL=(ALL:ALL) ALL


Unread post by storms » Mon Apr 15, 2019 7:58 am

SOLVED IT (thanks IRC)

I totally forgot that in the fstab I was hiding the PID on the /PROC.
Removed it and now even pihole works as it should!


Unread post by mad_ady » Mon Apr 15, 2019 6:34 pm

What do you mean you were hiding the pid on proc in fstab? Doesn't make sense to me...


Unread post by storms » Mon Apr 15, 2019 10:11 pm

mad_ady wrote:
Mon Apr 15, 2019 6:34 pm
What do you mean you were hiding the pid on proc in fstab? Doesn't make sense to me...

Hey, here's the setting that I had on the fstab:

Code:

proc     /proc     proc     defaults,hidepid=2     0     0
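
The `hidepid=2` option in the fstab line above is the setting storms removed to get pidof working for non-root users again. As an added example (not part of the original posts), this script detects the option in mount-table text and shows the proc `gid=` mount option, which keeps `hidepid` on while exempting one group; the function names, the sample fstab and the group id 1500 are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads mount-table text (fstab or /proc/mounts layout) on stdin.

# Print "hidepid=<v> gid=<v|none>" for the first proc entry; hidepid=0 if unset.
proc_hidepid() {
    awk '
        /^[ \t]*#/ { next }                       # skip fstab comments
        $3 == "proc" {
            hp = "0"; gid = "none"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) hp  = substr(opts[i], 9)
                if (opts[i] ~ /^gid=/)     gid = substr(opts[i], 5)
            }
            found = 1
            print "hidepid=" hp " gid=" gid
            exit
        }
        END { if (!found) print "hidepid=0 gid=none" }
    '
}

# Succeeds (0) when users outside the exempt group can still read other
# users' /proc/<pid> entries, which is what pidof scans.
others_pids_readable() {
    case "$(proc_hidepid)" in
        "hidepid=0 "*|"hidepid=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the proc entry so hidepid stays on but members of group id $1
# are exempt (proc "gid=" mount option). Other lines pass through unchanged.
fstab_exempt_gid() {
    awk -v g="$1" '
        $3 == "proc" && $0 !~ /^[ \t]*#/ && $4 !~ /(^|,)gid=/ {
            $4 = $4 ",gid=" g
        }
        { print }
    '
}

# Constructed sample: the fstab line from the thread plus an unrelated entry.
SAMPLE_FSTAB='# <fs> <mountpoint> <type> <options> <dump> <pass>
/dev/mmcblk0p2 / ext4 defaults,noatime 0 1
proc     /proc     proc     defaults,hidepid=2     0     0'
```

On a live system, feed it the kernel's view instead of the sample: `proc_hidepid < /proc/mounts`.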


Unread post by meveric » Tue Apr 16, 2019 12:11 am

storms wrote:
Mon Apr 15, 2019 7:15 am
PIDOF is not working without sudo. <-----

Not sure about Ubuntu, but with Debian pidof works perfectly fine with a regular user.
In fact I tested it with an Ubuntu VM and it's working on Ubuntu as well.

storms wrote:
Mon Apr 15, 2019 7:15 am
The dev says it's possible that it is something that the odroid team did. You guys have some ideas?

Unlikely. pidof has no restrictions, it's under /bin/ which is accessible by all users.
But then again, I don't know how HardKernel builds their images.

storms wrote:
Mon Apr 15, 2019 7:15 am
"Perhaps your operating system is preventing regular users from seeing other processes."

Still quite unlikely, I tested with an Ubuntu 18.04 VM and pidof works as a regular user.
I also tried whether pidof returns PIDs from applications not started by the user and that works fine as well.

storms wrote:
Mon Apr 15, 2019 7:15 am
I find it weird being an UBUNTU problem since this is a fresh install.

Please do not refer to this as a "fresh install", you did not install anything, you used (flashed) a pre-made image, that's a difference.

storms wrote:
Mon Apr 15, 2019 7:15 am
edit:

Code:

sudo adduser cunha sudo
[sudo] password for cunha:
The user `cunha' is already a member of `sudo'.

This means the user is already part of the sudo group and can use the sudo command.

storms wrote:
Mon Apr 15, 2019 7:15 am
Also tried:

Code:

sudo usermod -a -G sudo cunha

This is the same as adduser, so no difference here.

storms wrote:
Mon Apr 15, 2019 7:15 am
and went ahead and

Code:

visudo

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%cunha  ALL=(ALL:ALL) ALL

Which is quite useless, as the user is already part of the sudo group.
Also please note: you added the "group" cunha, not the "user" cunha, to your sudoers file, which is once again quite useless.

Also I'm really not sure what you are trying to achieve by doing this; you try very hard to allow the user cunha to use sudo, but what for?
And once again, just because the user is allowed to USE sudo doesn't mean each and every command you type in is run WITH sudo. It only allows the user to type the command "sudo" in front of other commands, nothing more, nothing less.