Exec binding with sudo

I want to run some exec command with sudo. But I can’t figure out which user I have to grant rights. I added
openhab ALL=NOPASSWD: ALL to visudo but it didn’t have any impact. Still can’t use sudo

If you installed openHAB using apt-get then you are running as the openhab user so adding it to visudo is the right way to go.

However, if your sudoers file has the following line, it is far better to create a new file in sudoers.d for each command you want to be able to execute without a password.

#includedir /etc/sudoers.d

Using sudo visudo -f commandName create a file. For example, I added openhab so it doesn’t require a password to start/stop a service through systemctl.

Command:

sudo visudo -f /etc/sudoers.d/systemctl

Contents:

openhab chimera = (root) NOPASSWD: /bin/systemctl

NOTE: chimera is the hostname of my machine.

Hello rlkoshak,

thanks for your answer. I added the line into /etc/sudoers.d/iphonedetect

openhab osmc-Nigel = (root) NOPASSWD: /etc/openhab/iphonedetect.sh

the content from iphonedetect.sh is currently

sudo echo "Abwesend"

Now when I set an item to

String sphone_christin "[%s]" (gMobiles) { exec="<[/etc/openhab/iphonedetect.sh:12000:REGEX((.*?))]"}

and the resulting content is

We trust you have received the usual lecture from the local System Administrator…

We have reached the end of my knowledge but it looks like the sudo command is asking for some sort of acknowledgement or something like that.

Did you put openhab in group sudo?

adduser openhab sudo should do it…

I checked it at home and yes I already did …

The user `openhab' is already a member of `sudo'

maybe it’s an issue with osmc?

Okay finally got it. The openhab user needed to be changed in /etc/passwd from

openhab:x:109:113:openHAB runtime user,:/var/lib/openhab:/bin/false

to

openhab:x:109:113:openHAB runtime user,:/var/lib/openhab:/bin/bash


Please, I did as you said but nothing happened :((
Please show me how to fix this

You have to sudo once as user openhab manually, so that you can accept the agreement:

su openhab
#enter your password
sudo ls -l ~/

It doesn’t matter which command is sudoed :slight_smile:

Hi

The million dollar question is…

When OpenHab2 is installed on a Debian Linux system, what is the password for the created user ‘openhab’ ?

I’m trying to create two exec commands.

systemctl restart openhab2

and

reboot

Both require higher privileges than the normal user has.

Simple answer: There is no password for user openhab.

You have to use sudo.

  1. Create your user (this is not openhab!). You have to be root to successfully create users, so
    su
    adduser username and answer the questions (you only need to set password and Full Name)
  2. Add user to sudoers by adding them to usergroup sudo
    adduser username sudo to permit sudo access for user <username>
  3. Login as user username.
  4. sudo reboot and type your password, set for user username. Voilà. :slight_smile:

user openhab is not for common login, but only to execute openHAB2 (and all things, that openHAB2 will do)

Thanks Udo

I’m happy creating new users in Linux :wink:

The problem I have is that if I’m trying to get the OpenHab2 instance to run an exec command that requires authentication (for example “reboot”, “systemctl restart openhab2” or “shutdown -r now”) the output from the command suggests that an interactive authentication is required.

FYI, executing a command line script to restart the Velbus TCP server works perfectly.

What I think we are all asking is…

“How can the OpenHab2 instance, that is running under the username “openhab” run exec commands that require root privileges.”

Can the OpenHab2 instance be started by a user with root privileges or can the user openhab be granted root privileges?

Add the openhab user to the sudo group. Or edit the sudoers file using visudo.

Thanks Rich

I followed your very detailed topic.

I’ve rebooted manually and upgraded to the latest OpenHab2 snapshot version and I keep getting the same exec output text.

I’ve added sudo to the beginning of the command and now I’m getting this output

sudo : no tty present and no askpass program specified sudo : no tty present and no askpass program specified

It’s not a big deal.

I can live without this feature, or I’ll try the “old method” that is mentioned in your topic.

Many thanks,

Stuart

  1. You have to configure sudo (for user openhab) not to ask for password.
  2. You have to use sudo as user openhab once through the console, as sudo will once ask for the knowledge, that with great power comes great responsibility.

The first point can be covered by using visudo and add a line like that:

openhab    ALL=(ALL:ALL) NOPASSWD: /sbin/reboot, /sbin/poweroff

That will allow user openhab to use /sbin/reboot and /sbin/poweroff without typing a password. You have to use absolute paths, and it’s not a good idea to just allow all commands to be executed :wink:

The second point is a bit tricky, as openhab per default has no bash to login (for security reasons), so you have to force login:

sudo su -s /bin/bash openhab

sudo will ask you for your password (as openhab has none, and you can’t log in without a password)
su will provide a login, using /bin/bash as console for user openhab. As su is started as user root, there will be no question about passwords.
Now you are logged in to a console as user openhab. Just start sudo once:

sudo ls /

and sudo will give you a short message:

openhab@openhab2:/root$ sudo ls

Wir gehen davon aus, dass der lokale Systemadministrator Ihnen die
Regeln erklärt hat.  Normalerweise läuft es auf drei Regeln hinaus:

    #1) Respektieren Sie die Privatsphäre anderer.
    #2) Denken Sie nach, bevor Sie tippen.
    #3) Mit großer Macht kommt große Verantwortung.

[sudo] Passwort für openhab:

(Sorry, German version…)
In fact, you won’t be able to execute this command, as it’s not in the nopasswd list, but the message is sent once, and that’s all. Try

sudo /sbin/reboot

and see if it works as intended.
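
Added example, not part of the thread or of openHAB: a shell check for the points made in the posts above (NOPASSWD is needed because the exec binding cannot answer a prompt, paths must be absolute, no blanket ALL). It goes beyond the posts by also flagging commands listed without arguments, which sudoers permits with any arguments, and targets a non-root user could modify. `audit_sudoers_rule` and the finding labels are hypothetical names, and the third sample rule is constructed.

```sh
#!/bin/sh
# Added example: audit one sudoers rule for the issues raised in this thread.
# audit_sudoers_rule is a hypothetical helper, not part of sudo or openHAB.
# Prints one finding per line, or "ok" when nothing is flagged.
audit_sudoers_rule() {
    rule=$1
    n=0
    case $rule in
        *NOPASSWD:*) cmds=${rule#*NOPASSWD:} ;;
        # No NOPASSWD tag: sudo prompts, and the exec binding has no tty to answer.
        *) echo "password-required"; return 0 ;;
    esac
    old_ifs=$IFS; IFS=,; set -f          # split the command list on commas, no globbing
    for cmd in $cmds; do
        IFS=$old_ifs
        set -- $cmd                      # $1 = command path, rest = pinned arguments
        [ $# -eq 0 ] && continue
        case $1 in
            ALL) echo "all-commands"; n=$((n + 1)); continue ;;
            /*)  ;;
            *)   echo "relative-path:$1"; n=$((n + 1)); continue ;;
        esac
        # sudoers: a command listed without arguments may be run with ANY arguments.
        [ $# -eq 1 ] && { echo "any-args:$1"; n=$((n + 1)); }
        # The target must be root-owned and not group/world-writable, otherwise
        # whoever can edit it controls what runs as root.
        if [ -e "$1" ] && [ -n "$(find -L "$1" -prune \
                \( ! -user root -o -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable-target:$1"; n=$((n + 1))
        fi
    done
    IFS=$old_ifs; set +f
    [ "$n" -eq 0 ] && echo "ok"
    return 0
}

# Two rules quoted in the thread, plus a pinned variant constructed for comparison.
for r in 'openhab ALL=NOPASSWD: ALL' \
         'openhab chimera = (root) NOPASSWD: /bin/systemctl' \
         'openhab chimera = (root) NOPASSWD: /bin/systemctl reboot -i'; do
    printf '%s\n' "$r"
    audit_sudoers_rule "$r" | sed 's/^/  -> /'
done
```

Run it against each line of a drop-in before saving it with visudo; the writable-target check only fires when the target exists on the machine where the script runs.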


:+1:

You can simply use sudo -u openhab /bin/bash. You don’t need the su.

Well, somewhere in there is the information I needed to get it to work.

Thank you gentlemen :smile:

There were a lot of occasions where the SSH session I was working in (as root) was giving out error messages.

What I can say…

I now have an exec binding command that appears to reboot my machine :slight_smile:

The exec binding command that worked is :-

sudo systemctl reboot -i

So that command, in combination with the sudoers configuration has worked.

Now I need to set the same feature up in two client’s machines.

Next stop is to try a similar command to get OpenHab2 to restart.

I will try

sudo systemctl restart openhab2 -i

The openhab restart command won’t work. The problem is when you run a command it runs in a shell. When you execute restart the shells opened by OH get terminated and any child process of those shells get terminated. Ultimately what happens in the restart command gets terminated before it has a chance to finish the restart of OH and OH never restarts. You need something outside of OH to restart the OH machine or restart the OH service.


Excellent tip :smile:

I’ll forget trying to restart Openhab2 then :smile:

I’m a firm believer in the policy of “1 machine for 1 purpose”, so a reboot command will be more than enough.

FYI
Restarting VelServ is very rarely needed, so that is just a nice extra.

Thanks again for all your help.

You will have to use nohup… I’m not sure though, where to place it…

nohup sudo systemctl restart openhab2

or

sudo nohup systemctl restart openhab2

?