Execution of script via executeCommandLine requiring password via terminal

Dear all

trying to automate a script via a rule and executeCommandLine:

rule "Refresh"
when
   	Time cron "0 16 5 * * ? *"
then
	var ScriptResponse = executeCommandLine(Duration.ofSeconds(60), "/home/openhabian/oh-bkup.sh")
end

and the script:

#!/bin/bash
sudo rm /var/lib/openhab/backups/*.zip
sudo rm /home/openhabian/myNAS/*.zip
sudo openhab-cli backup --full
echo Uploading backup to NAS
sudo cp /var/lib/openhab/backups/*.zip /home/openhabian/myNAS

where I assigned following access rights to oh-bkup.sh:

sudo chown openhab:openhab oh-bkup.sh
sudo chmod 777 oh-bkup.sh

However I get following message from ScriptResponse:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

Can anybody help me on this? Thanks in advance

try

/usr/share/openhab/runtime/bin/backup --full

And you need to provide a password for sudo.
One solution is to add your script to the sudoers:

visudo -f /etc/sudoers.d/myoverride

then add this line:

openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh

but without the leading slashes

openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh

Afterwards do

sudo su -s /bin/bash openhab

to get a shell as user openhab.

then run your command to test if it runs

/home/openhabian/oh-bkup.sh

thanks. I edited my post to make it bullet proof.

@Wolfgang_S and @Oliver2 : Thank you very much for your help… I am only now able to reply as I was abroad…
I’m not sure if I fully understand what I need to do. Am I correct that I only change

rule "Refresh"
when
   	Time cron "0 16 5 * * ? *"
then
	var ScriptResponse = executeCommandLine(Duration.ofSeconds(60), "/home/openhabian/oh-bkup.sh")
end

to

rule "Refresh"
when
   	Time cron "0 16 5 * * ? *"
then
	var ScriptResponse = executeCommandLine(Duration.ofSeconds(60), "openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh")
end

and then I test it with:

sudo su -s /bin/bash openhab
/home/openhabian/oh-bkup.sh

correct?

thanks again for the help

No. Not exactly.

openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh

needs to be added in the sudoers file. Not in the rule.
@Oliver2 described how to do that using visudo.

@Wolfgang_S : thank you for the hint again…

However, it seems that I’m too stupid to succeed on this. So what I did was:

  1. sudo visudo -f /etc/sudoers.d/myoverride: an editor is opening with no entries.
  2. I add openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh as only line
  3. I save the file
  4. I open shell with sudo su -s /bin/bash openhab
  5. I enter /home/openhabian/oh-bkup.sh

Then following appears:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for openhab:

None of my passwords work… and anyway I would expect that the script is executed without asking for a password.

Sorry I’m somehow lost

Using the sudoers file is probably the better way here, but just to provide an alternative, you could use key-based authentication and copy it over ssh (e.g. using scp or rsync).

It’s silly to do it this way on the same host though, but it is nevertheless an alternative. However I’m guessing your NAS is a mounted directory of a remote NAS? If it supports ssh, then you could scp / rsync directly to it rather than to the mounted directory.

If your sudoers file isn’t working, do the usual Linux troubleshooting, i.e. nothing to do with openhab. Check file ownership and file mode. Use debug / verbose mode, check logs, etc.

Log in as user openhabian and run

sudo /home/openhabian/oh-bkup.sh

If the script is not executing you have forgotten to flag it as executable:

sudo chmod +x /home/openhabian/oh-bkup.sh

@Oliver2 thanks again for the help.

when entering

sudo /home/openhabian/oh-bkup.sh

it executes the script. However, first I have to enter the password for sudo. When executing the script via the rule I still get this message in the log (i.e. requiring password)

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

Sorry, I just saw that we added only the openhab user to the sudoers, that’s why you are still asked for a password.

You also need to change the command in your openhab script to

var ScriptResponse = executeCommandLine(Duration.ofSeconds(60), "sudo", "/home/openhabian/oh-bkup.sh")

in case it does not work, please post the output of:

sudo cat /etc/sudoers.d/myoverride

Well, there are sudo commands inside of the script thus that one in executeCommandLine is not required … but could be a replacement.

@Oliver2 and @Wolfgang_S : Thank you very much for your help, I don’t understand your magic but I can say that it works now. What have I done:

  1. edited rule to: var ScriptResponse = executeCommandLine(Duration.ofSeconds(60), "sudo", "/home/openhabian/oh-bkup.sh")

  2. Removed sudo in script:

#!/bin/bash
rm /var/lib/openhab/backups/*.zip
rm /home/openhabian/myNAS/*.zip
openhab-cli backup --full
echo Uploading backup to NAS
cp /var/lib/openhab/backups/*.zip /home/openhabian/myNAS

Last question. If I have to newly set-up the system at some point, do I still need to:

visudo -f /etc/sudoers.d/myoverride

and add this line:

openhab ALL= NOPASSWD: /home/openhabian/oh-bkup.sh

It is not magic. Short explanation:
The line you added to visudo does the following: From now on if you run sudo it looks up myoverride file and checks if it finds a match of

  • user (openhab in our case)
  • command (oh-bkup.sh in our case)

If it matches, sudo does not ask for a password. Could be regarded as a security issue if someone gets write access to that sh-script. He could do almost anything now without being asked for a password.

executeCommandLine just needed to be configured correctly (sudo oh-bkup.sh) so that the entire script will be run under sudo (and without password).

If you reinstall openhab, no, you don’t need to do these changes.
If you flash a new image, then certainly yes.
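
The risk named in the last reply (a passwordless sudo rule pointing at a script that someone other than root can write to) can be checked mechanically. The following is an added example, not code from any poster in this thread: a POSIX shell audit that reads a sudoers fragment and reports every NOPASSWD command whose file or containing directory is not owned by the trusted uid or is group/world-writable. The function names, finding labels and demo paths are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit NOPASSWD sudoers rules for commands a non-root user could modify.

# Print one finding per problem with a path; $2 is the only uid allowed to own it.
check_path() {
    [ -e "$1" ] || { echo "MISSING $1"; return 0; }
    owner=$(stat -c %u "$1")   # GNU stat: numeric owner
    mode=$(stat -c %a "$1")    # GNU stat: octal permission bits
    [ "$owner" = "$2" ] || echo "OWNER $1 uid=$owner"
    # 022 = group-write and other-write bits
    [ $(( 0$mode & 022 )) -eq 0 ] || echo "WRITABLE $1 mode=$mode"
}

# audit_nopasswd FILE [TRUSTED_UID]: prints findings, returns 1 if there are any.
# Simplified parser: one rule per line, no aliases or line continuations.
audit_nopasswd() {
    findings=$(grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        while read -r cmd _args; do
            case $cmd in
                /*) check_path "$cmd" "${2:-0}"
                    # Whoever can write the directory can swap the file out.
                    check_path "$(dirname "$cmd")" "${2:-0}" ;;
                ALL) echo "UNRESTRICTED NOPASSWD: ALL" ;;
            esac
        done)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo mirroring the thread: a mode-777 script named in a NOPASSWD rule.
demo() {
    d=$(mktemp -d) && chmod 700 "$d"
    printf '#!/bin/sh\necho backup\n' > "$d/oh-bkup.sh"
    chmod 777 "$d/oh-bkup.sh"
    echo "openhab ALL= NOPASSWD: $d/oh-bkup.sh" > "$d/myoverride"
    audit_nopasswd "$d/myoverride" "$(id -u)"   # own uid stands in for root here
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "demo: findings reported, exit status $?"
```

On a real system, run `audit_nopasswd /etc/sudoers.d/myoverride` as root with the default trusted uid of 0; a script set up as in the first post (chown openhab:openhab, chmod 777) is reported under both OWNER and WRITABLE.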