executeCommandLine Permissions

Hi,

I’m trying to execute a python script on a switch via executeCommandLine.

Item

Switch ToggleSocket1 "Toggle Socket 1" (FrontRoom, SoftSwitches) {}

Rule

rule "Toggle Socket 1"
when
    Item ToggleSocket1 changed to ON
then
    var String command
    logInfo("ToggleSocket1", "BEFORE")
    val results = executeCommandLine("python /etc/openhab/configurations/scripts/Socket1Off.py", 5000)
    logInfo("Exec", results)
    logInfo("ToggleSocket1", "AFTER")
end

and the output in the logs:

2016-04-09 20:14:42.730 [INFO ] [hab.model.script.ToggleSocket1] - BEFORE
2016-04-09 20:14:42.996 [INFO ] [org.openhab.model.script.Exec ] - Traceback (most recent call last):
  File "/etc/openhab/configurations/scripts/Socket1Off.py", line 11, in <module>
    GPIO.setup(11, GPIO.OUT)
RuntimeError: No access to /dev/mem. Try running as root!
2016-04-09 20:14:43.017 [INFO ] [hab.model.script.ToggleSocket1] - AFTER

So my question is how can I get openHAB to run this python file as root?!

Thanks for any help!

You need to get openHAB to run as root. Though before going that far, check the ownership and permissions on /dev/mem. You might be able to get away with adding the openhab user to the group that owns the file, similarly to how we need to add openhab to the dialout group to interact with serial devices.

If that won’t work, you can change the user that OH runs as in /var/systemd/system/multi-user-target.wants/openhab.service (assuming you are running raspbian jessie or any other Linux that uses systemd).

Here’s some information about another possible way to do it without running openhab as root (which is not a good idea). After reading the articles, google for similar instructions for your specific operating system variant.

http://www.atrixnet.com/allow-an-unprivileged-user-to-run-a-certain-command-with-sudo/

and

Thanks for the advice.

I’ve changed the permissions to /dev/mem and added openhab as the owner:

crwxrwxrwx 1 openhab kmem 1, 1 Apr 10 14:32 /dev/mem

I’ve added openhab as a member of the group kmem:

openhab : openhab kmem dialout

and using visudo I’ve added openhab and the two files:

openhab ALL = (ALL) NOPASSWD: /etc/openhab/configurations/scripts/Socket1Off.py
openhab ALL = (ALL) NOPASSWD: /dev/mem

None of this works (I’ve rebooted OH a few times).

@rlkoshak you mention changing the user that OH runs as in /var/systemd/system/multi-user-target.wants/openhab.service. I’m using jessie and did the apt-get to install OH and it runs as a service but the folder systemd doesn’t exist in var. Could it be somewhere else or am I missing something?

Thanks
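The sudoers attempt above never took effect because sudoers entries only apply to commands actually invoked through sudo, and /dev/mem is a device node, not a command. Below is an added example (not from this thread) of a least-privilege alternative to running OH as root: a validated sudoers drop-in for the openhab user that covers exactly one interpreter and one script; it assumes python lives at /usr/bin/python and GNU coreutils/findutils.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: openHAB runs as user "openhab",
# python is /usr/bin/python, script path as in the thread, GNU stat/find.
RUNAS=openhab
PYTHON=/usr/bin/python
SCRIPT=/etc/openhab/configurations/scripts/Socket1Off.py

# The rule must then invoke the command via sudo, with absolute paths, e.g.
#   executeCommandLine("sudo /usr/bin/python /etc/openhab/configurations/scripts/Socket1Off.py", 5000)

# Accept a token for a sudoers command spec: absolute, no globs, not a device node.
valid_cmd_token() {
    case "$1" in
        /dev/*) return 1 ;;            # /dev/mem is a file, not a command; sudo cannot grant it
        *\**|*\?*|*\[*) return 1 ;;    # wildcards widen the grant to anything that matches
        /*) return 0 ;;
        *) return 1 ;;                 # bare "python" would be a PATH lookup, never matched
    esac
}

# Validate "INTERPRETER SCRIPT". If the script exists on this host it must be root-owned
# and not group/world writable, otherwise openhab can edit what root will run,
# which is the same as handing it root.
valid_grant() {
    interp=$1; script=$2
    valid_cmd_token "$interp" || return 1
    valid_cmd_token "$script" || return 1
    if [ -e "$script" ]; then
        owner=$(stat -c %U "$script" 2>/dev/null) || return 1
        [ "$owner" = root ] || return 1
        [ -z "$(find "$script" -maxdepth 0 -perm /022 2>/dev/null)" ] || return 1
    fi
    return 0
}

# Emit the single sudoers line: root only, no password, exactly this interpreter and script.
sudoers_line() {
    valid_grant "$1" "$2" || return 1
    printf '%s ALL=(root) NOPASSWD: %s %s\n' "$RUNAS" "$1" "$2"
}

# Install the drop-in only after visudo accepts it; a broken sudoers file locks sudo for everyone.
install_grant() {
    tmp=$(mktemp) || return 1
    sudoers_line "$PYTHON" "$SCRIPT" > "$tmp" || { rm -f "$tmp"; return 1; }
    visudo -c -f "$tmp" >/dev/null && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/openhab
    rc=$?; rm -f "$tmp"; return $rc
}
```

Run install_grant as root once; the script itself should then be root-owned and mode 0755 so the openhab user can read but not modify it.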

My bad. I was in the middle of something else and transposed my thoughts.

It is /etc/systemd

However, I recommend following @steve1’s advice.

All that said, if you have changed the ownership of the files then it is not a permissions problem but something else.

Ah thanks found it. I changed the user from openhab to root and it worked. I’ll have to do some more investigating to try and work out why the other methods weren’t working…

When you say running as root is not a good idea what do you mean? Like OH could accidentally corrupt a system file or something? Is that a common occurrence? Or is it more I’ll do something wrong and have no “safety net”.

Here are some of the problems just off the top of my head:

  • From a security standpoint, if someone compromises OH, they can do anything that OH can do. If OH is running as root the attacker now has root access to your machine. It is a best practice to always run services as a separate non-privileged, no-login user, as this limits what an attacker can do even if they manage to compromise a system. If you plan on opening up OH for login over the Internet this is a must and the bare minimum security measure.
  • Running as root, OH can do ANYTHING on your system. Let’s ignore the case where OH itself just runs amok as unlikely. But OH automatically loads and executes rules files, and with the Exec binding you can execute anything. So a careless command in a rules file, or someone who happens to have hacked into your system through some other means and may not have root, now effectively does, because they can just edit rules files and become root.
  • One common and useful way to create robust and fault tolerant systems is to provide as much separation between the software that makes up the system as is feasible. One way to do that is through the use of different users with different permissions.

So you might say to yourself “What do I care, I’m not some hacker’s target, I’m not putting this on the Internet, and I’ll be careful.” I can’t argue against that except to say that in general good security hygiene is a habit and as a habit you should be doing it even when no one is looking. If even half of the home automation/internet of things vendors paid half as much attention to this topic as I have in this one posting we would be in a whole lot better state.

Rich, thanks for your detailed response. I’ve learnt a lot about Linux and OH over the weekend thanks to your and Steve’s responses and I appreciate you both taking the time. When I work out how to execute the python file without running as root I’ll update the thread.

Hi James,

did you find some useful way?