File permissions issues on Raspbian

Hi !

I’ve just started playing with OpenHab and I love it ! Thanks so much to the community behind it !

I’ve been able to setup my system correctly (I think), I can now control my Insteon devices and my Nest remotely (and I’m working on adding support for my alarm system via AD2PI).

The only problem I have right now is with the file permissions… By default everything belongs to the openhab:openhab user/group, but as I’m not logged in as this user I need to ‘sudo’ to edit the files via Vim, which seems wrong :). I’ve tried changing the ownership of /etc/openhab/configurations and updating the USER_AND_GROUP value in /etc/default/openhab to my username/group (my user belongs to the openhab group), but when I do this OpenHab fails to start :frowning: (i.e. it’s not listed in ‘ps -A | grep openhab’ and nothing gets appended to the log).

What’s your usual approach to fix this ?

Thanks ! And sorry if it has already been posted ! I don’t mind writing a small tutorial to add to the official documentation once I’ve fixed this !

When installed via apt-get, openHAB runs as the openhab user, so that user needs permission to read the config files. There is a setpermissions.sh script that runs when OH is started that resets all the permissions of the config files before OH starts. So if you updated USER_AND_GROUP, the setpermissions script may not be smart enough to change everything to those values rather than openhab:openhab.

NOTE: Just because your user is a member of the openhab group doesn’t mean any other member of the openhab group can read a file unless that file has read permissions for the openhab group. If you ls -l and the word after your username is not “openhab”, members of the openhab group will not be able to read that file.

Why does this seem wrong? openHAB is a service which runs as a separate and non-privileged user (i.e. you can’t log in as openhab) for security reasons. So, as with any other service that runs on Linux and keeps its configs in /etc, openHAB requires you to sudo before editing its files. This is a standard approach and from a security perspective highly recommended.

Consider this scenario. openHAB has an Exec binding which can run any command on your system. By essentially requiring root to edit the files you make it much harder for other users of the system or attackers to inject malicious commands into the openHAB configuration simply by editing a file.

It is a really bad idea to run a service as your user, particularly if your service is accessible outside of the machine upon which it runs. If someone were to compromise this server they would have the ability to do anything that user can do. By running openHAB with a limited user, even if it were compromised what the attacker can do is limited because the openhab user doesn’t even have a shell to break out into.

In my opinion, this is not something to be fixed. Requiring sudo is openHAB working as designed and requiring sudo is a good thing.

I use Designer and I start Designer using sudo. When I need to edit files using vi, I use sudo. It really isn’t that big of a burden and from a security standpoint it is the correct way. If I were really anal I would start Designer or vi using sudo runuser -l openhab -c 'vi <filename>', but that is probably overkill.

If you disagree (you are wrong but that’s your right :wink: ), you can do a manual install of OH and use start.sh which will cause openHAB to run as your user. For all the previous mentioned reasons I don’t recommend this but it is an option.