Comment on My stupidity saved me from being hacked today!
haui_lemmy@lemmy.giftedmc.com 10 months agoImo we are all constantly learning. Otherwise we stagnate. What I say makes perfect sense, you just dont get it. So let me explain it again, in more detail:
I was going through my docker compose files to sanitize them and upload them to my private forgejo instance.
While doing that I found a directory in my filesystem, a remnant of the early days of my server where my knowledge was severely more limited, that was a docker volume mapped to a regular directory, something I wouldnt do today for something like this.
It was owned by root:root and had 777 permissions which is a bad idea imo. So I changed it to 700 since I dont think I had any other users in group root and others, well.
Nothing bad happened, until today when my unattended backups triggered a restart at noon and the tragedy started. I put it back for now to 777 but I‘ll try and integrate it in a real docker volume which resides in the docker folders.
Auli@lemmy.ca 10 months ago
Well I’m running Pinole in docker and don’t have 777 on anything.
haui_lemmy@lemmy.giftedmc.com 10 months ago
Good for you. What permissions do you have on etc/dnsmasq.d if I may ask?
domi@lemmy.secnd.me 10 months ago
I don’t run Pi-hole but quickly peeking into the container (
docker run -it --rm --entrypoint /bin/sh pihole/pihole:latest) the folder and files belong to root with the permissions being 755 for the folder and 644 for the files.chmod 700most likely killed Pi-hole because a service that is not running as root will be accessing those config files and you removed their read access.Also, I’m with the guys above. Never
chmod 777anything, period. In 99.9% of cases there’s a better way.haui_lemmy@lemmy.giftedmc.com 10 months ago
Thanks for checking that. I will change the permissions accordingly and restart pihole to check if it works. Probably later today.