Exec binding run as openhabian?

I have a shell script I need to run. It is in /home/openhabian. And I have a keypair set up for passwordless SSH from openhabian to a server. But the exec binding uses the runtime user openhab, so it doesn’t have the keypair for SSH into the server.

I’ve been reading various threads about sudo with exec. But I don’t want to give openhab unfettered sudo rights. And there are so many different long-running threads about it, frankly I’m lost. So what do I need to do to allow the exec binding to run a script as user openhabian?

You have to use sudo :)
Set up a line like this:

openhab    ALL=(openhabian:openhabian) NOPASSWD: /home/openhabian/scriptname

in /etc/sudoers. But PLEASE, use visudo for this purpose, as it will ensure that the file is correct after editing. Otherwise, you may damage your system.
The line will allow the user openhab to call the script /home/openhabian/scriptname as user openhabian on ALL computer systems without using a password.

But of course it’s also possible to use a private key directly.

As the home directory of the user openhab is /var/lib/openhab2 by default, simply create a folder /var/lib/openhab2/.ssh, create the keys as user openhab (by using sudo -u openhab ...) and ensure the correct permissions and ownership (755 for ./.ssh/, 600 for private key, 644 for public key, all owned by user and group openhab). Put the script in another path, which openhab is allowed to use.

2 Likes
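A pre-flight check for the sudoers line in the answer above, added here as an example and not part of the original posts: it refuses to emit the rule when the script or its directory is group- or world-writable, because any account that can rewrite the script can then run commands as the target user. The function names are hypothetical, and GNU stat (as on Debian-based openHABian) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# True if the path is writable by group or others (mode bits 022).
loosely_writable() {
    mode=$(stat -c '%a' "$1") || return 0   # GNU stat; unreadable counts as unsafe
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# sudoers_rule CALLER TARGET SCRIPT -> prints the rule, or fails with a reason.
sudoers_rule() {
    caller=$1 target=$2 script=$3
    # Refuse names that would need escaping in sudoers syntax.
    for u in "$caller" "$target"; do
        case "$u" in ''|*[!A-Za-z0-9_-]*) echo "bad user name: $u" >&2; return 1;; esac
    done
    case "$script" in
        /*) ;;
        *) echo "script path must be absolute" >&2; return 1;;
    esac
    case "$script" in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in path" >&2; return 1;;
    esac
    [ -f "$script" ] || { echo "not a regular file: $script" >&2; return 1; }
    # If the script or its directory is group/world-writable, the rule would
    # run whatever another account puts there as TARGET.
    for p in "$script" "$(dirname "$script")"; do
        if loosely_writable "$p"; then
            echo "group/world-writable: $p" >&2; return 1
        fi
    done
    # Same form as the line in the answer. Appending "" after the path would
    # additionally forbid command-line arguments.
    printf '%s    ALL=(%s:%s) NOPASSWD: %s\n' "$caller" "$target" "$target" "$script"
}

# Syntax-check a candidate rule in a scratch file before adding it with visudo.
validate_rule() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    rc=0
    visudo -cf "$tmp" >/dev/null || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Typical use: `rule=$(sudoers_rule openhab openhabian /home/openhabian/scriptname) && validate_rule "$rule"`, then add the printed line with visudo.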

This is what I needed. Working great now! Thanks.