OpenHAB sudo [Exec Binding]

:+1:

I think you covered most of it. My big topics to be sure are covered you hit:

  • use visudo
  • only give openhab NOPASSWD permissions on the few commands it actually needs to execute with sudo
  • use a file in sudoers.d rather than editing /etc/sudoers directly

Excellent tutorial! Thanks for the contribution!

2 Likes

Can someone tell me how I can give sudoers rights to user openhab only for the command “systemctl”?

I want to start / stop / restart openhab service with a script from inside openhab.

This is my sudoers-file and it seems to work only partially:

Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot, /bin/systemctl
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get

openhab ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS

I think reboot works, but systemctl commands don't work. There I still get a password prompt.

My openhab server runs on the latest Debian version.

1 Like

I think systemctl is not the full command; you would at least need a * wildcard to allow everything after systemctl. But I would question what I do, doing this.

Short googling:

Best would be to define every command from systemctl which you would like to execute. IMHO.

1 Like

Yes, that is right, I figured it out already.

I added this to the first line of the sudoers file and now I can make openhab restarts. For start/stop I have to do the same.

/bin/systemctl restart openhab2.service

2 Likes

Hi halloween,

Can you post how you have defined your .items, .things and .sitemap file to get the restart button to work?

I have the following in system.things:

Thing exec:command:openhab_restart [command="sudo systemctl restart openhab2.service", interval=0, autorun=true]

my system.items file:

Switch openhab_restart "Restart Openhab" {channel="exec:command:openhab_restart:run"}

and my system.sitemap:

Switch item=openhab_restart mappings=[ON="Restart"]

But when pressing the switch button on my sitemap nothing happens. Am I missing something?

1 Like

Edit the sudoers file and enable sudoing like described above.

Cmnd_Alias SHUTDOWN_CMDS = /bin/systemctl restart openhab2.service
openhab ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

You need the absolute path and it should work.

Thing exec:command:openhab_restart [command="sudo /bin/systemctl restart openhab2.service", interval=0, autorun=true]

Yes, that's the right answer. You have to edit the sudoers file also, to get this working.

Yep, got it working now. Thanks both!

Hi All

Can someone explain what I'm doing wrong?

I can't execute the backup switch for openhab-cli.

This is my visudo file:

openhab ALL=(ALL) NOPASSWD: /etc/openhab2/scripts/backup.sh, BACKUP
Cmnd_Alias BACKUP = /usr/bin/openhab-cli backup

here is what I run:

sudo -u openhab sudo openhab-cli backup /home/kris/OH2Backup.zip

But I keep getting a prompt:

sudo -u openhab sudo openhab-cli backup /home/kris/OH2Backup.zip
[sudo] password for openhab:
Sorry, try again.

Thanks!

Not to get off topic, but have you tried executing:

sudo -u openhab /usr/share/openhab2/runtime/bin/backup … ?

When I run the backup script I use: /usr/share/openhab2/runtime/bin/backup.

Wondering if the second sudo is causing you the issue.

Ok, I just looked, I believe you can use your command, but need to drop the second sudo.

I never understood what openhab-cli was until a few minutes ago when I looked at the source code. It looks as if the call to openhab-cli is merely a shortcut to execute certain commands. I always execute the commands directly, so using openhab-cli does not help me. Regardless, I would suggest dropping the second 'sudo':

sudo -u openhab openhab-cli backup /home/kris/OH2Backup.zip

No joy!


kris@openhab2:~$ sudo -u openhab openhab-cli backup /home/kris/OH2Backup.zip
[sudo] password for kris:

Sorry, I can’t help further as sudo is not my expertise. I thought I remembered seeing something about the second sudo and figured it was worth giving it a try.

Thanks! I've tried quite a few times :frowning: and read a few articles. Not sure why it's so difficult.

1 Like

root@openhab2:/lib/systemd/system# sudo -u openhab /usr/share/openhab2/runtime/bin/backup /home/kris/OH2Backup.zip

#########################################
openHAB 2.x.x backup script
#########################################

Please run this script as root! (e.g. use sudo)
root@openhab2:/lib/systemd/system#

Even the full path fails! grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

Just in case you messed up your sudoers by not using visudo as written in this manual, here is how to recover:

Do the first part of step 4 to mount filesystem as rw, and then fix your sudoers.

Step 5 isn’t necessary, you also can do that (after »exec /sbin/init«) with »sudo vim /boot/cmdline.txt«, so you save one SD card re-plug

Looks like you possibly corrupted your sudoers file. I just modified mine and it all works fine. I was incorrect; you do need the second sudo in the command for what you are doing here. It is when you put it into the exec binding in a rules file that I was thinking about one sudo. Sorry.

Here is what I did and it worked first try:

                Welcome to            __  _____    ____  _
            ____  ____  ___  ____  / / / /   |  / __ )(_)___ _____
           / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  / / __ `/ __ \
          / /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ / / /_/ / / / /
          \____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/_/\__,_/_/ /_/
              /_/
                  openHAB 2.4.0~M4-1 (Milestone Build)

[07:40:49] mullen@wifipi:~$ sudo visudo
[sudo] password for mullen:

I added this to my sudoers file: "openhab ALL=(ALL) NOPASSWD: ALL"
Then I executed the openhab-cli command.


[07:43:39] mullen@wifipi:~$ sudo -u openhab sudo openhab-cli start

A systemd service configuration exists...
Use 'sudo /bin/systemctl start openhab2.service' to start an openHAB service
Launching an instance in this terminal..
Launching the openHAB runtime...




Kris is trying to test that the sudo works for the openhab user. He is logged in with the login user. So let’s assume he is logged in as openhabian.

If you break the command down:

  • sudo -u openhab : run the following command as the openhab user
  • sudo : I’m now the openhab user but I need to run the next command as root
  • openhab-cli backup /home/kris/OH2Backup.zip : I’m now root, run this command

Without the second sudo, the openhab-cli is being run as the openhab user which won’t work.

OP is trying to avoid essentially giving the openhab user full root access to everything. That is what that line does. The openhab user can now execute ANY command as root without password.

I think the Cmnd_Alias needs to go above the openhab line. Typically, stuff like that is only available from the line where it is defined and below, not above.
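
Added example, not part of any post in this thread: a small Python check that expands Cmnd_Alias entries in a sudoers drop-in and flags NOPASSWD rules for the openhab user that are broader than one pinned command line, such as the `NOPASSWD: ALL` line discussed above. The `SAMPLE` text, the function names `classify` and `lint`, and the simplified parsing (one alias per line, no line continuations or escaped commas) are assumptions of this example.

```python
import re

# Constructed sample combining the kinds of rules quoted in this thread.
SAMPLE = """\
# /etc/sudoers.d/openhab (constructed, not from a real host)
Cmnd_Alias SHUTDOWN_CMDS = /sbin/reboot "", /bin/systemctl
Cmnd_Alias RESTART = /bin/systemctl restart openhab2.service
openhab ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, RESTART
openhab ALL=(ALL) NOPASSWD: systemctl *, ALL
"""

ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")

def classify(cmd):
    """Return a finding for one command spec, or None if it is pinned."""
    if cmd == "ALL":
        return "any command allowed"
    if not cmd.startswith("/"):
        return "not an absolute path (or undefined alias)"
    if "*" in cmd:
        return "wildcard widens the rule"
    if " " not in cmd:
        # sudoers: a bare path may be run with any arguments; '""' means none.
        return "no arguments pinned, so any arguments are allowed"
    return None

def lint(text, user="openhab"):
    """Expand Cmnd_Alias entries and flag broad NOPASSWD rules for `user`."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    rule_re = re.compile(re.escape(user) + r"\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)")
    findings = []
    for line in lines:
        m = rule_re.match(line)
        if not m:
            continue
        for item in (c.strip() for c in m.group(1).split(",")):
            for cmd in aliases.get(item, [item]):  # alias name or literal command
                issue = classify(cmd)
                if issue:
                    findings.append((cmd, issue))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

This complements `visudo -c`, which checks the syntax of the file but not how broad each rule is.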

Simply login to a shell as user openhab:

sudo su -s /bin/bash openhab

With the leading sudo command, there will be no password request :slight_smile:

Now that you are logged in as user openhab, you are able to check if sudo works without password for user openhab.

Openhab doesn't have rights, after logging in as suggested by Udo.


openhab@openhab2:/lib/systemd/system$ openhab-cli backup /home/kris/OH2Backup.zip


#########################################
       openHAB 2.x.x backup script
#########################################

Please run this script as root! (e.g. use sudo)
openhab@openhab2:/lib/systemd/system$