That’s excellent advice.
Thanks
That’s excellent advice.
Thanks
Help I don’t understand where the problem is
I have such a thing
Thing exec:command:apc [command="cat /sys/class/thermal/thermal_zone0/temp", interval=15, timeout=5, autorun=false]
I followed the instructions given here
so I have a file /etc/openhab2/misc/exec.whitelist like
cat /sys/class/thermal/thermal_zone0/temp
I emptied OpenHAB, emptied the caches and relaunched Openhab
but I still get the following error:
12:39:31.975 [WARN ] [ing.exec.internal.handler.ExecHandler] - Tried to execute 'cat /sys/class/thermal/thermal_zone0/temp', but it is not contained in whitelist.
help me because i don’t understand
Thank’s
So now you need to touch or resave the whitelist file while openHAB is running.
I tried as above: I first modified the exec.whitelist file while openHAB was running and I still got the error “is not contained in whitelist” I then deleted it and re-created with openHAB which worked and always the same !!!
Heres my full understanding and solution (on a Linux system… with a suggestion for Windows machines).
All the exec commands and bits like that in your RULES files, should run absolutely fine WITHOUT having to add anything to the whitelist file… to repeat…ONLY the THINGS exec commands need to be added.
And YES you do put the FULL command in… not just the path the executable. So for example, in my exec.whitelist, I have
/bin/nc -v -z -w 1 192.168.1.101 9295
as one of my lines, which is an exact match for what is listed in the Thing exec command line.
I was able to copy/paste line by line my commands into this new file and save it (ctrl+o), which the file then worked great!!
rule "exec whitelist workaround"
when
System started
then
executeCommandLine("/bin/touch /etc/openhab2/misc/exec.whitelist")
end
WINDOWS/Linux - Obviously, you can only use touch on Linux systems, you might… on a WINDOWS machine be able to make a batch file that runs on boot to copy a copy of the exec.whitelist over the top of the exec.whitelist file e.g. Make a copy of your exec.whitelist and call it exec.whitelist.boot and then have a batch file that does copy exec.whitelist.boot exec.whitelist (in your misc folder location) or something like that… though I dont run Openhab on a windows system, so I cant test.
Its suggested to allow your Openhab user account to take control of the file. Assuming the user account your Openhab installation is using, is called “openhab” you would do something along the following lines:
sudo chown openhab exec.whitelist
or
sudo chown -R openhab:openhab /etc/openhab2/
to ensure that permissions are flushed onto the file or the entire folder structure. Of course, your path to the folders/files may be something different than /etc/openhab2 … so change things where necessary.
You do still get 1 or 2 “Tried to execute XXXXXXXXXX but it is not contained in whitelist” on system startup… but thats about it… and you will see the “executed commandLine ‘/bin/touch /etc/openhab2/misc/exec.whitelist’” appear in the log files, then the errors will go away.
After doing all that, my system is working fine with exec commands.
Hope that helps someone!
So the touch trick after the restart was working for a while.
But now it allows the execution of ONE command only and ignores the rest.
No logs are generated… WTF!
Also, noticed that with this upgrade the memebr upgrade/ received update rules are compeltely ignore
Member of gXXXXXX received update
Frankly, thats the worst update I have ever experienced in 2 years of using OH.
I think as people pointed out before on here and in other posts (as well as mine) there is some kind of formatting issue with that file and how Openhab is parsing the file.
Not sure if you want to try (or did) what I suggested in step 4 of my above post and use Nano to create the file in entirety (not just edit an existing file, as it may be the wrong text encoding type in some way… though I think mine is UTF-8 without BOM).
My whitelist is renaming stable so far, with all commands running ok… though I did use Nano to create the file.
I tried more or less EVERTHING suggested above. NOTHING works, all exec commands are still rejected. I’ve put EXACTLY the string from the log into the whitelist, it did not work. I touched the whitelist while openHAB was running, no luck. Changed from CRLF to LF and back, no luck.
Checked file and folder permissions and such, did not help.
As stated above, the WORST update experience ever. And I did not even update on purpose, just stopped openHAB, cleared cache and temp (for other reasons) and started again. And to my surprise I got an non-working exec binding! Thank you very much
At least there is no supposed security risk anymore. Absolutely NOTHING is executed, so there’s no security risk
I don’t think you can blame others for that.
To fix after trying everything above, openhab didn’t have access to the whitelist file. Not sure if that was mentioned here or not, but I did the following which resolved for me:
sudo chown openhab exec.whitelist
You probably enabled remote downloads for your addons so on (re)start you got the latest version installed so OH just did what you told it to.
Yes, if it’s the setting in PaperUI under “Configuration > System > Access Remote Repository”. The description says “Defines whether openHAB should access the remote repository for add-on installation.” I would not expect this to install a NEW version of an add-on just by clearing the cache and tmp-folders and restarting openHAB. But I would have upgraded to 2.5.2 anyway, so I don’t really blame anyone for this.
The fact is that the current state of this whitelist seems to be somewhat broken if so many people have problems with it. The biggest problem is probably that the binding does not log anything out of the box about the whitelist file itself, if it can find the file (or not), if it can read it (or not) and so on. It just tells later when a script should be executed that it cannot find the script in the whitelist.
And in my case the script to be executed really is in the whitelist, but I have no idea if the whitelist was ever found and read…
@ewrw - Thanks for this. I created the exec.whitelist file with nano adding in all commands from
grep ‘command":’ /var/lib/openhab2/jsondb/org.eclipse.smarthome.core.thing.Thing.json
I had to make the /etc/openhab2/misc folder so also ran
chown -R openhab:openhab /etc/openhab2/
I have added the touch rule exactly as you have listed it. Restarted openhab and watched it touch the whitelist. Previously without the whitelist touch rule the exec commands would fail to work dispite the whitelist being present.
With your touch whitelist rule it all works again.
Thanks for your efforts.
Good work!!
Ill add that onto the list of possibles!!
Painful as it might be… Id be temped to backup your config to a ZIP with the Openhab Backup utility (link below).
Uninstall the Opehnab installation with whatever package manager your system has (Logged in as the Openhab user account you are using). Then reinstall it, which should reset/flush all file level permissions on the folders. (should take about 5 to 15 minutes depending on your devices speed).
Then restore the backup which takes about 3 minutes… reboot… and possibly re-create the whitelist if it doesnt work.
Mind you, my experience of doing this that on the 1st boot of Openhab, it takes a while to download/install any other add-ons/bindings… or shift them around in the folders… so whilst you may be able to see the Openhab interface etc… it might take it another 10 minutes before all is working… at least… my MQTT bits didnt work for 10 minutes or so on 1st boot… but have been perfect since, including on reboots.
That would be my attack method at least… Its a bit aggressive, but should get everything back to square one, and if it still doesnt work after that… I think you need to get the devs to take a look.
Thanks
Will
I had the same problem with the new security issue on exec binding. Creating and editing with nano on my raspberry pi didn’t helped, i tried all your suggestions. After some hours of sleep i just started Visual Studio Code on my windows system to edit some files. There i also opened the exec.whitelist and created all new with exact the same spelling. And now it works, magic!
Thanks for the updates on OH system security.
A nice touch in the Openhabian script that runs the update would be to notify the user on exit that he/she should go off and read the docs about exec.whitelist including a link.
Better than finding things don’t work and having to trawl through logs and forums for solutions.
Sorry if its the wrong place. But still got big problems with exec-Binding since last update.
I read all threads. What I did:
Result:
Still got errors command not in whitelist, In openhab2.log nowhere seen whitelist had been loaded.
Tried:
Touch exec.whitelist while openhab2 running ==> Same result
Tried to restart openhab2, touch file while openhab2 running => Same result
Restarted Server, touch file, restart openhab, touch again, Command touch in Startup-Rule ==> Same result.
Looks like the whitelist never got loaded. I checked Filenames and everything hundred of times, but its all exactly like in Threads here.
Anybody an idea what to do or how to find out where the failure is?
As there have been changes, please be specific about version of exec binding.