OpenHAB sudo [Exec Binding]

There are situations where you want to use the Exec Binding to trigger something. Sometimes you need the sudo privilege to do this. I would rather try some group specification to reduce the user rights to a minimum, but here is how I got openHAB to be able to execute sudo.

Try executing a command as openhab

sudo -u openhab sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for openhab:

As it is mentioned in this post there is no password.

So adding the user openhab to the sudoers with no password should help.

 sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

Add the following line:

openhab ALL=(ALL) NOPASSWD: ALL

Executing the sudo command now should display the following.
As explained here, this execution is necessary. See further below for more information.

sudo -u openhab sudo -l
Matching Defaults entries for openhab on raspberrypi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User openhab may run the following commands on raspberrypi:
    (ALL) NOPASSWD: ALL

To test it from within OpenHAB, build a setting like explained here and replace the thing command with

sudo nano /etc/openhab2/things/exec.things
Thing exec:command:remote-send [
        command="sudo -l",
        interval=0,
        autorun=true]

Open the Karaf terminal, execute the button on the page, and follow the log

ssh -p 8101 openhab@localhost
Password:habopen
log:tail 
[INFO ] [marthome.event.ItemStateChangedEvent] - Remote_Send_Out changed from <xxx> to Matching Defaults entries for openhab on raspberrypi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User openhab may run the following commands on raspberrypi:
    (ALL) NOPASSWD: ALL

So running a sudo command works. It should be advised to restrict the user rights of openhab to the commands you want to use like this. Have a look here for a small introduction.

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd
openhab ALL=(ALL) NOPASSWD: /path/to/file/to/execute/

If by any chance you see something like this

  sudo: no tty present and no askpass program specified 

in the log of OpenHAB, you did not execute the sudo command for OpenHAB within a terminal as described above. I think, as openhab is not enabled to log in, the first execution has to be done as explained, or enabled by changing /bin/false to /bin/bash in /etc/passwd

sudo nano /etc/passwd
openhab:x:111:116:openhab2 runtime user,,,:/var/lib/openhab2:/bin/bash

As I'm just getting familiar with this topic, these are just my thoughts. I would appreciate every amendment or improvement by the pro openHAB users.

As explained in the following link, using the example of reading the GPU temperature from an RPi, it is advised to find out why the command you want to execute needs root rights. Find out which group you need to add openhab to, instead of granting openhab all possible rights.

12 Likes

:+1:

I think you covered most of it. My big topics to be sure are covered you hit:

  • use visudo
  • only give openhab NOPASSWD permissions on the few commands it actually needs to execute with sudo
  • use a file in sudoers.d rather than editing /etc/sudoers directly

Excellent tutorial! Thanks for the contribution!

2 Likes

Can someone tell me how I can give sudoers rights to user openhab only for the command “systemctl”?

I want to start / stop / restart openhab service with a script from inside openhab.

This is my sudoers-file and it seems to work only partially:

Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot, /bin/systemctl
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get

openhab ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS

I think reboot works, but systemctl commands don't work. There I still get a password prompt.

My openhab-server runs on latest debian-version.

1 Like

I think systemctl is not the full command; you would at least need a * wildcard to allow everything after systemctl. But I would question what I do, doing this.

Short googling:

Best would be to define every command from systemctl which you would like to execute. IMHO.

1 Like

Yes, that is right, I figured it out already.

I added this to the first line of the sudoers file and now I can make openhab restarts. For start/stop I have to do the same.

/bin/systemctl restart openhab2.service

2 Likes

Hi halloween,

Can you post how you have defined your .items, .things and .sitemap file to get the restart button to work?

I have following in system.things:

Thing exec:command:openhab_restart [command="sudo systemctl restart openhab2.service", interval=0, autorun=true]

my system.items file:

Switch openhab_restart "Restart Openhab" {channel="exec:command:openhab_restart:run"}

and my system.sitemap:

Switch item=openhab_restart mappings=[ON="Restart"]

But when pressing the switch button on my sitemap nothing happens. Am I missing something?

1 Like

Edit the sudoers file and enable sudoing like described above.

Cmnd_Alias SHUTDOWN_CMDS = /bin/systemctl restart openhab2.service
openhab ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

You need the absolute path and it should work.

Thing exec:command:openhab_restart [command="sudo /bin/systemctl restart openhab2.service", interval=0, autorun=true]

Yes, that's the right answer. You have to edit the sudoers file also, to get this working.

Yep, got it working now. Thanks both!

Hi All

Can someone explain what I'm doing wrong?

I can't execute the backup switch for openhab-cli.

This is my visudo file:

openhab ALL=(ALL) NOPASSWD: /etc/openhab2/scripts/backup.sh, BACKUP
Cmnd_Alias BACKUP = /usr/bin/openhab-cli backup

here is what I run:

sudo -u openhab sudo openhab-cli backup /home/kris/OH2Backup.zip

But I keep getting a prompt:

sudo -u openhab sudo openhab-cli backup /home/kris/OH2Backup.zip
[sudo] password for openhab:
Sorry, try again.

Thanks!

Not to get off topic, have you tried executing:

sudo -u openhab /usr/share/openhab2/runtime/bin/backup … ?

When I run the backup script I use: /usr/share/openhab2/runtime/bin/backup.

Wondering if the second sudo is causing you the issue.

Ok, I just looked, I believe you can use your command, but need to drop the second sudo.

I never understood what openhab-cli was until a few minutes ago when I looked at the source code. It looks as if the call to openhab-cli is merely a shortcut to execute certain commands. I always execute the commands directly, so using openhab-cli does not help me. Regardless, I would suggest dropping the second 'sudo':

sudo -u openhab openhab-cli backup /home/kris/OH2Backup.zip

No joy!


kris@openhab2:~$ sudo -u openhab openhab-cli backup /home/kris/OH2Backup.zip
[sudo] password for kris:

Sorry, I can’t help further as sudo is not my expertise. I thought I remembered seeing something about the second sudo and figured it was worth giving it a try.

Thanks! I've tried quite a few times :frowning: and read a few articles. Not sure why it's so difficult.

1 Like

root@openhab2:/lib/systemd/system# sudo -u openhab /usr/share/openhab2/runtime/bin/backup /home/kris/OH2Backup.zip

#########################################
openHAB 2.x.x backup script
#########################################

Please run this script as root! (e.g. use sudo)
root@openhab2:/lib/systemd/system#

Even the full path fails! grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

Just in case you messed up your sudoers by not using visudo as written in this manual, here is how to recover:

Do the first part of step 4 to mount filesystem as rw, and then fix your sudoers.

Step 5 isn’t necessary; you can also do that (after »exec /sbin/init«) with »sudo vim /boot/cmdline.txt«, so you save one SD card re-plug.

Looks like you possibly corrupted your sudoers file. I just modified mine and it all works fine. I was incorrect; you do need the second sudo in the command for what you are doing here. It is when you put it into the exec binding in a rules file that I was thinking about one sudo. Sorry.

Here is what I did and it worked first try:

                Welcome to            __  _____    ____  _
            ____  ____  ___  ____  / / / /   |  / __ )(_)___ _____
           / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  / / __ `/ __ \
          / /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ / / /_/ / / / /
          \____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/_/\__,_/_/ /_/
              /_/
                  openHAB 2.4.0~M4-1 (Milestone Build)

[07:40:49] mullen@wifipi:~$ sudo visudo
[sudo] password for mullen:

I added this to my sudoers file: "openhab ALL=(ALL) NOPASSWD: ALL"
Then I executed the openhab-cli command.


[07:43:39] mullen@wifipi:~$ sudo -u openhab sudo openhab-cli start

A systemd service configuration exists...
Use 'sudo /bin/systemctl start openhab2.service' to start an openHAB service
Launching an instance in this terminal..
Launching the openHAB runtime...




Kris is trying to test that the sudo works for the openhab user. He is logged in with the login user. So let’s assume he is logged in as openhabian.

If you break the command down:

  • sudo -u openhab : run the following command as the openhab user
  • sudo : I’m now the openhab user but I need to run the next command as root
  • openhab-cli backup /home/kris/OH2Backup.zip : I’m now root, run this command

Without the second sudo, the openhab-cli is being run as the openhab user which won’t work.

OP is trying to avoid essentially giving the openhab user full root access to everything. That is what that line does. The openhab user can now execute ANY command as root without password.

I think the Cmnd_Alias needs to go above the openhab line. Typically, stuff like that is only available from the line where it is defined and below, not above.

Simply log in to a shell as user openhab:

sudo su -s /bin/bash openhab

With the leading sudo command, there will be no password request :slight_smile:

Now that you are logged in as user openhab, you are able to check if sudo works without password for user openhab.
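
The Cmnd entries discussed in this thread, run through a simplified model of the command and argument matching documented in the sudoers manual. This is an added example, not part of any post and not sudo's own code. The invocations are constructed, the `wildcard` entry spells out the `*` suggestion from the replies, and every invocation is assumed to already carry the absolute path that sudo resolved.

```python
# Added example: simplified model of sudoers Cmnd matching (not sudo's own code).
import shlex
from fnmatch import fnmatchcase

# Cmnd specs taken from the thread; "wildcard" writes out the "*" suggestion
# from the replies and is an assumption about how it would be spelled.
RULES = {
    "blanket": "ALL",
    "bare": "/bin/systemctl",
    "wildcard": "/bin/systemctl *",
    "pinned": "/bin/systemctl restart openhab2.service",
    "backup": "/usr/bin/openhab-cli backup",
}

def cmnd_matches(spec, invocation):
    """Return True if one sudoers Cmnd spec permits the invocation.

    Assumption: the invocation starts with the absolute path sudo resolved
    (for example through secure_path); path wildcards are not modelled.
    """
    if spec == "ALL":
        return True
    path, _, pattern = spec.partition(" ")
    argv = shlex.split(invocation)
    if path.endswith("/"):
        # A trailing slash grants every file directly inside that directory.
        return argv[0].rpartition("/")[0] + "/" == path
    if argv[0] != path:
        return False
    given = " ".join(argv[1:])
    if not pattern:
        return True            # no arguments listed: any arguments are accepted
    if pattern == '""':
        return given == ""     # "" listed: no arguments are accepted
    return fnmatchcase(given, pattern)  # listed arguments must match as a whole

def matching_rules(invocation, rules=RULES):
    """Names of the rules that would let the invocation run without a prompt."""
    return [name for name, spec in rules.items() if cmnd_matches(spec, invocation)]

if __name__ == "__main__":
    for cmd in (  # constructed invocations
        "/bin/systemctl restart openhab2.service",
        "/bin/systemctl stop ssh.service",
        "/usr/bin/openhab-cli backup",
        "/usr/bin/openhab-cli backup /home/kris/OH2Backup.zip",
    ):
        print(f"{cmd!r:58} -> {matching_rules(cmd) or 'no rule matches'}")
```

Only the `pinned` entry limits openhab to the restart; the `bare` and `wildcard` entries also accept any other systemctl subcommand. The `backup` entry stops matching as soon as a target file is appended to the command line.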