Security limitations in 2.5.2 exec binding

It looks like the line end of the exec.whitelist file must be CRLF. LF did not work on my openhabian installation.

2 Likes

Notepad++ shows… LF for me, with LF on empty line below too

Same here for the exec transformation.
After converting the misc/exec.whitelist from LF to CRLF, the entered lines are recognized.

1 Like

Seems that the CRLF did the trick

To answer the original question:

As far as I can tell, wildcards are not supported.

I’m also having problems with the whitelist.
I have created the folder in /etc/openhab2/misc and the file in it, with CRLF endings, but it still says it is not contained in the whitelist, these are rather simple bash scripts mainly…

Ps.: I have changed the ending to LF and it started to work, even without a restart :slight_smile: funny…

2 Likes

How can I update this page to add the extra information?

And for clarity, what format does the exec.whitelist need?

Does it require a line feed after each command, or is it CSV style?

There is a link at the bottom of the page that will open the file in GitHub where you can edit and submit a PR. I’m pretty sure that link is working correctly again.

2 Likes

Solved issue also for me. Did this:

  1. created dir /etc/openhab2/misc
  2. created file exec.whitelist with nano and copied the commands from the log output into the file on linux with LF’s only -> did not work
  3. modified it with notepad++ to CRLF on each line -> did not work
  4. restarted OH system -> did not work
  5. replaced all CRLF again with LF only within notepad++ -> problem fixed :crazy_face:
1 Like

I had to reboot openHAB and then the white list error message returned. It worked before the reboot and I didn’t change anything else.

I then simply edited the white list in notepad++ and removed all LF symbols. Saved the new file and the exec command started working again.

I don't think the problem is with converting from CRLF to LF and back.

What needs to be done in order for the commands in exec.whitelist to be executed, at least that works for me (tried several times):

  • Shutdown openhab2

  • put your command in the exec.whitelist and ADD any character at the end and save. i.e.
    /usr/local/bin/command.sh %2$sX

  • start openhab

  • open exec.whitelist (I did it with vi)

  • remove the extra character at the end and save.

Suddenly the exec is able to execute again. This works until the next time you need to restart openhab2.
The same process needs to be repeated. Frankly it's a bit of the PITA.

I don’t think you need to add and remove anything. Just save the file again after a restart. Depending on the editing tool maybe something needs to be added, anything, and immediately removed in order to force the editor to save.

So sequence is:

  • restart
  • save file, even if no changes are made

I did it with visual studio code this time as misc folder and whitelist are listed there. It's the quickest and easiest way for me to do the save.

The documentation doesn’t tell exactly where the file misc/exec.whitelist should be located.

Is it supposed to be $OPENHAB_CONF/misc/exec.whitelist ?

EDIT: it appears it is indeed $OPENHAB_CONF/misc/exec.whitelist.

1 Like

For security reasons all commands need to be whitelisted. Allowed commands need to be added to the misc/exec.whitelist file in the configuration directory

That looks clear to me.

1 Like

I added my commands to $OPENHAB_CONF/misc/exec.whitelist but still get the warning “it is not contained in whitelist”. The openhab2 service was restarted after adding the commands to white list.
I use a huge amount of commands (with different parameters).

I want to revert to version 2.5.1. Therefore I downgraded to openhab 2.5.1 with cleaning cache.
openhab-cli info returns Version: 2.5.1 (Build)
But in karaf console there is still the Exec binding 2.5.2.
How to revert to Exec binding 2.5.1?

1 Like

Just save the whitelist again. No need for any changes but a save must be done after restart.

1 Like

So what happens for people that auto restart openhab2 once a month?

Do we now need to create something to touch the file after a restart?

2 Likes

I have the misc/exec.whitelist in OpenHAB’s conf directory and nothing of the above helped. Still I get the messages it’s not whitelisted and cannot (and is not) be executed.

That’s starting to become frustrating.

I experience the same issues. Nothing seems to work. Does anybody know where I can download the 2.5.1 version?

Getting in over my head here, but I see something strange even though it’s working for me. https://github.com/openhab/openhab-addons/blob/2.5.x/bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecWhitelistWatchService.java#L60

…has two messages, a warning and a debug message. I never see the debug “Updated command whitelist”, even though I have done log:set DEBUG org.openhab.binding.exec.internal and log:set DEBUG org.openhab.binding.exec in the console. Is this the correct log setting to view the result of logger.debug("Updated command whitelist: {}", commandWhitelist);?

When I modify the file through vim, I always see “Cannot read whitelist file, exec binding commands won’t be processed” warning message on save.

I don’t see any message when I touch the file.

Having said that, it works for me; if I tweak a line in the file, I get the “…but it is not contained in whitelist” error message, and if I tweak it back to what it should be, it then works.

I don’t know if this is any sort of clue as to why it’s working for some and not others.

Edit: to clarify, I do have to touch the file after a restart for the whitelist to be loaded. I’ve set up a cron entry to do this every few mins for now. Couldn’t figure out a way with systemd unfortunately. A resolution for this would be helpful.
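
An added example, not part of any post in this thread and not openHAB code: a small Python check that reads an exec.whitelist-style file as raw bytes and reports the conditions the posts above argue about (CRLF, LF or mixed endings, a missing final newline, stray whitespace), plus whether the file is writable by group or others, since anyone who can edit the allowlist can authorize a command. It assumes one command per line compared as an exact string (wildcards are reported above as unsupported); it does not reproduce the binding's own parser, and `inspect_whitelist`, `is_listed` and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile


def inspect_whitelist(path):
    """Return (entries, findings) for an exec.whitelist-style file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before first entry")
        raw = raw[3:]
    crlf = raw.count(b"\r\n")
    lf_only = raw.count(b"\n") - crlf
    if crlf and lf_only:
        findings.append(f"mixed line endings: {crlf} CRLF, {lf_only} LF")
    elif crlf:
        findings.append(f"CRLF line endings on {crlf} line(s)")
    if raw and not raw.endswith(b"\n"):
        findings.append("no newline after last entry")
    entries = []
    text = raw.decode("utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), 1):
        if line != line.strip():
            findings.append(f"line {number}: leading/trailing whitespace")
        if line.strip():
            entries.append(line.strip())
    # An allowlist that other accounts can edit does not restrict much.
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")
    return entries, findings


def is_listed(entries, command):
    # Assumption: exact string comparison, no wildcard or prefix matching.
    return command in entries


def demo():
    # Constructed sample: one CRLF line, one LF line with a trailing
    # space, and a last line without a newline.
    sample = b"/usr/local/bin/command.sh %2$s\r\n/bin/date \n/usr/bin/uptime"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "exec.whitelist")
        with open(path, "wb") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return inspect_whitelist(path)


if __name__ == "__main__":
    print(demo())
```

Run against the real file, pass `$OPENHAB_CONF/misc/exec.whitelist` to `inspect_whitelist` and compare the reported entries with the exact command string shown in the "not contained in whitelist" log line.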