Package Details: pi-hole-ftl 4.3.1-5

Git Clone URL: https://aur.archlinux.org/pi-hole-ftl.git (read-only)
Package Base: pi-hole-ftl
Description: The Pi-hole FTL engine
Upstream URL: https://github.com/pi-hole/FTL
Licenses: EUPL-1.1
Conflicts: dnsmasq
Provides: dnsmasq
Submitter: max.bra
Maintainer: max.bra (graysky)
Last Packager: max.bra
Votes: 28
Popularity: 0.51
First Submitted: 2017-05-07 15:23
Last Updated: 2019-10-07 09:30

Pinned Comments

max.bra commented on 2019-10-14 15:45

Since switching to pihole user for pihole-FTL - long term data is not retained on my machine.

sir_randomuser said: For some reason account http has expired, which was the root cause. Seems to be due to a recent systemd change: https://bugs.archlinux.org/task/63704
Checking /etc/shadow, the user http had a trailing 1:

$ sudo cat /etc/shadow | grep http
http:!!:18174::::::1:

Removing the expiration date has resolved it:

$ sudo chage --expiredate -1 http

max.bra commented on 2018-02-09 16:46

ArchLinux Pi-hole is not officially supported by Pi-hole project. In case of bugs and malfunctions please DO NOT file a report upstream.

First of all check if the wiki (https://wiki.archlinux.org/index.php/Pi-hole) can help then ask here for assistance and tips.
When it will be excluded that the problem does not depend on ArchLinux we will file a bug upstream.

Latest Comments

graysky commented on 2019-12-24 20:52

@peacey - You probably want to add that to the wiki... I switched over to lighttpd to circumvent.

graysky commented on 2019-12-13 18:52

@peacey - Thank you... I opened an issue upstream referencing your post: https://github.com/pi-hole/pi-hole/issues/3039

peacey commented on 2019-12-13 18:43

@graysky, the problem is the latest version of php-fpm has a systemd service file that adds restrictions in order to sandbox processes better (no elevated permissions with sudo, read-only file system, etc). These restrictions interfere with PiHole because the PiHole web files need access to sudo and a writable /etc to run the pihole executable to get status and enable/disable from the web (which is also broken now).

Solution is to add an override to php-fpm.service and allow certain capabilities that PiHole needs. Run "sudo systemctl edit php-fpm.service" and copy the following,

[Service]
# Only set /usr and /boot to read-only, set /etc to read-write
ProtectSystem=true
# Allow for privilege escalation of child processes, needed to use sudo in php scripts
NoNewPrivileges=false
# Add needed capabilities
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_KILL

Then restart php-fpm service. CAP_SYS_RESOURCE is for using sudo properly (need access to setrlimit), CAP_DAC_OVERRIDE is for allowing change to files that aren't owned by calling process with sudo, and CAP_KILL is so the pihole web app can disable itself by killing the pihole-ftl process.

It seems to me there are glaring security implications by doing these changes, so do this at your own risk. But the way pihole is written where the PHP script needs access to run sudo, I don't see how else it would be possible. PiHole needs to update their PHP script to use an external daemon that doesn't require sudo to call it but uses some type of internal authentication instead.

Edit: Also, next version of php-fpm, 7.4.1, is removing the CapabilityBoundingSet restrictions and NoNewPrivileges, but it still has ProtectSystem set to full (read-only /etc). So you'll probably still need the first override with the next update. See https://bugs.archlinux.org/task/64781?project=1&string=php-fpm and https://github.com/php/php-src/blob/PHP-7.4.1/sapi/fpm/php-fpm.service.in.
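
An added example, not part of peacey's comment and not code from the Pi-hole or php-fpm projects: a small Python check that reads a drop-in like the one quoted above and lists each sandbox setting it relaxes. The function names and finding texts are this example's own, and it inspects the drop-in by itself without merging it with the base unit.

```python
# Added example: audit a systemd drop-in for the sandbox settings it relaxes.
TRUE, FALSE = {"1", "yes", "true", "on"}, {"0", "no", "false", "off"}
CAP_NOTES = {  # short summaries written for this example, after capabilities(7)
    "CAP_SETUID": "may switch to any UID",
    "CAP_SETGID": "may switch to any GID",
    "CAP_SYS_RESOURCE": "may override resource limits",
    "CAP_DAC_OVERRIDE": "bypasses file permission checks",
    "CAP_KILL": "may signal processes owned by other users",
}
# The directives from the override quoted above (its comment lines omitted).
OVERRIDE = """[Service]
ProtectSystem=true
NoNewPrivileges=false
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_KILL
"""

def parse_service(text):
    """Return {directive: value} from the [Service] section; a later line wins."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (directive, finding) pairs for settings that weaken the sandbox."""
    s, out = parse_service(text), []
    if s.get("NoNewPrivileges", "").lower() in FALSE:
        out.append(("NoNewPrivileges", "setuid helpers such as sudo can gain privileges"))
    ps = s.get("ProtectSystem", "").lower()
    if ps in TRUE:
        out.append(("ProtectSystem", "only /usr and /boot are read-only; /etc is writable"))
    elif ps in FALSE:
        out.append(("ProtectSystem", "nothing is mounted read-only"))
    caps = s.get("CapabilityBoundingSet", "")
    if caps.startswith("~"):
        out.append(("CapabilityBoundingSet", "deny-list: unlisted capabilities stay available"))
    else:
        out += [(c, CAP_NOTES.get(c, "not described in this example")) for c in caps.split()]
    return out

if __name__ == "__main__":
    for directive, finding in audit(OVERRIDE):
        print(f"{directive}: {finding}")
```

On a live system, `systemd-analyze security php-fpm.service` reports the effective settings of the unit after all drop-ins are merged.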

graysky commented on 2019-12-01 22:13

@max.bra - Upon updating to php 7.4.0-2 I no longer see an "Active/Green Circle" status in the upper left of the web GUI. I see an "Unknown/Orange Circle" although pi-hole seems to behave normally. Using nginx. Any thoughts are welcomed.

EDIT: downgrading to php-fpm-7.3.12-1 and php-sqlite-7.3.12-1 fixed the behavior.

max.bra commented on 2019-10-24 13:20

hi HC6505, no that line is not working at all. on first install that line is executed before systemd user creation hook and user pihole is not yet existent.
theoretically the db should be created (if missing) by pihole-FTL on starting and since it is running as user pihole should create it with that owner.

HC6505 commented on 2019-10-24 10:39

pi-hole-ftl 4.3.1-5

In the build file pi-hole-ftl.install

post_install() {

# ftl DB permissions
# [ -e /etc/pihole/pihole-FTL.db ] && chown pihole.pihole /etc/pihole /etc/pihole/pihole-FTL.db

Shouldn't the last line not be uncommented? After doing it the /etc/pihole/pihole-FTL.db is now being populated

sir_randomuser commented on 2019-10-11 18:24

UPD 2: I was able to resolve the problem. For some reason account http has expired, which was the root cause. Seems to be due to a recent systemd change: https://bugs.archlinux.org/task/63704

Oct 11 16:29:29 asgard systemd[1]: Started Lighttpd Web Server.
Oct 11 16:29:29 asgard lighttpd-angel[7108]: 2019-10-11 16:29:29: (server.c.1521) server started (lighttpd/1.4.54)
Oct 11 16:29:32 asgard sudo[7125]: pam_unix(sudo:account): account http has expired (account expired)
Oct 11 16:29:32 asgard sudo[7125]:     http : Account expired or PAM config lacks an "account" section for sudo, contact your system administrator ; TTY=unknown ; PWD=/s>

Checking /etc/shadow, the user http had a trailing 1:

$ sudo cat /etc/shadow | grep http
http:!!:18174::::::1:

Removing the expiration date has resolved it:

$ sudo chage --expiredate -1 http

+----------------------------------------------------------+

UPD: I've also tried to download snapshots and build via makepkg instead of using YAY.. alas, did not make any difference.

Since switching to pihole user for pihole-FTL - long term data is not retained on my machine. I've tried to re-install both the pi-hole-server and pi-hole-ftl packages - deleting the following before re-installing:

/etc/pihole/
/run/pihole
/run/log/pihole/
/run/log/pihole-ftl/
/etc/dnsmasq.d/01-pihole*

Web interface shows "Status: Unknown", however pihole -c shows status as "Active". Not sure what exactly is the root cause. Any suggestions as to what else I should check?

  Hostname: asgard             (Arch  )
    Uptime: 00:16:23                                                                 
 Task Load: 0.25 0.28 0.35     (Active: 2 of 99 tasks)
 CPU usage: 1%                 (4x 1.4 GHz @ 322k)
 RAM usage: 9%                 (Used: 628 MB of 7 GB)
 HDD usage: 22%                (Used: 10 GB of 48 GB)
  LAN addr: xxx.xxx.x.xxx      (Gateway: xxx.xxx.x.x)
   Pi-hole: Active             (Blocking: 113432 sites)
 Ads Today: 11%                (Total: 19 of 179)
Local Qrys: 28%                (2 DNS servers)

pepper_chico commented on 2019-10-07 14:37

@max.bra asked at https://archlinuxarm.org/forum/viewtopic.php?f=9&t=14035

max.bra commented on 2019-10-07 14:20

so, i.MX6... at the moment i don't have any other clue. Maybe you can ask the archarm devs about the ambient capabilities state?