Shutting down a firewall remotely via a passwordless script

Yes, under visudo
openhab ALL=(ALL) NOPASSWD: ALL

As said, that suggests your rule may not be running. Why not find out?

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
      logInfo("exectest", "rule triggered")
...

Thinking on it, another possibility for failing to get to the other logInfo is that the script call never returns.
You should add a timeout to your call, so it cannot wait forever.

var result = executeCommandLine("sudo ... halt" , 5000)

This is always a good idea, in any circumstance.

thanks rossko, now I get this


19:54:19.089 [INFO ] [lipse.smarthome.model.script.exectest] - results- sudo: sorry, you must have a tty to run sudo

edit: turning off requiretty in the visudo has removed that error… still not working, but getting closer

I’ve no idea, but wanting a tty suggests to me that the underlying reason is that it wants a password.

which is odd given visudo is correct

You seem to have been around a lot of this area before. This is sort of related, regarding two sudo for different users.

Yeah, this is different in that I’m executing a command as openhab, but logging in as another user. This is non-interactive. Different to the example in the link you’ve posted.

Why do you run the ssh command using sudo (sudo ssh ....)? There should be no need to do so. The ssh client is executed on your local openHab node, not on the pfsense node.

When generating the private/pub keys, were you logged in as user openhab?

Unless you run openHAB as user root (which you shouldn’t), this will not work. Normally, openHAB will run as user openhab, so you will need to generate the private/public key pair as user openhab (at least that is the easiest way to do it, since they will then end up in the correct home directory). If you’re running openHABian, then the home directory for the openhab user is not /home/openhab/

The way works … because root has the ssh-keys & user openhab has access to sudo

I’m going to quote Rich here:

Anyone reading this who cannot ‘guess the rest’ should not follow the advice given in this thread. Anyone who can ‘guess the rest’ will understand that he/she should not follow the advice given in this thread.

I think marcel was correct to post that quote.

The whole idea of computer security is defense in depth. Why don’t we just run everything as root all the time? Why don’t we just log in as root instead of needing to sudo all the time? Why is there a firewall on the host machine? Why are there file permissions?

It’s ALL to make it more difficult for an attacker to compromise a machine and to limit what they can do on a given machine if they are successful.

When you give the openhab user no password permission to run all commands, you may as well just run openHAB as root. When you run openHAB as root, if someone compromises the machine or compromises your account on myopenhab.org, they can literally do anything on your machine.

So no, the need to protect and limit what the openhab user can do is not limited to just those who expose their OH to the internet. That quote is applicable here as well as to the other thread. It’s a bad idea to give openHAB blanket sudo permissions. It’s a bad idea to run openHAB as root. And honestly, IMHO, it’s a bad idea to install and use the Exec binding. If I could, I’d disable the executeCommandLine Action too. Since I can’t, I rely on the Docker container to limit the damage that can be done should my openHAB get compromised.


I got this working, I’ll post my solution today

Yes I agree with you, of course sudo can be a problem, but other mistakes have to be made that it becomes dangerous. Smarthome and other critical applications should run in an isolated network.

Even without sudo, a compromised openhab is not a good scenario!

If we now create ssh-keys for the user Openhab to the firewall, then it would work (without the sudo problem on the OH system). But the whole thing would be a security problem, because if Openhab is attacked, one would be able to log in to the firewall. On the firewall we have sudo right again …

I think we should start with the safety in other places!

Securing a system is a holistic activity. You don’t start here and ignore over there. And building a fort around your network and solely relying on that for your security is never sufficient.

I think this is my main point. It’s not just the sudoers that I have a problem with. The entire scenario is shady as hell and I’d have my credentials revoked if I ever suggested anything remotely like this scenario professionally.

So what would be an alternative if you just had to control a firewall from OH? What if you installed a daemon on the firewall that you can authenticate with and only allows this one command? Then you are not exposing your OH machine itself through the executeCommandLine and sudo, nor are you necessarily exposing the firewall in the same way, particularly if the shutdown command is modified to allow whatever non-privileged user the daemon runs as to issue the shutdown command.

But that’s more work.
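One way to get the "only allows this one command" behaviour described above without writing a daemon is an SSH forced command on the firewall. This is an added example, not code from the thread; the script path, the key comment and the `shutdown` request word are assumptions, while the `kris` login and the shutdown command are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical path on the firewall:
#   /usr/local/sbin/oh-gate.sh
# authorized_keys line for a key used only by openHAB (key is a placeholder):
#   restrict,command="/usr/local/sbin/oh-gate.sh" ssh-ed25519 <PUBLIC-KEY> openhab
# sudoers line on the firewall, scoped to the one command this login needs:
#   kris ALL=(root) NOPASSWD: /sbin/shutdown -h now

# Return 0 only for the exact requests this key may make.
gate_decide() {
    case "$1" in
        # The second form is the string the script in the thread sends.
        shutdown|'sudo shutdown -h now') return 0 ;;
        *) return 1 ;;
    esac
}

# Record the decision in syslog; tolerate hosts without logger(1).
gate_log() {
    logger -t oh-gate "$1" 2>/dev/null || true
}

# Evaluate the client's request, which sshd exports as SSH_ORIGINAL_COMMAND.
gate_check() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if gate_decide "$requested"; then
        gate_log "accepted: $requested"
        return 0
    fi
    gate_log "refused: $requested"
    echo "oh-gate: request refused" >&2
    return 1
}

# Act only when sshd started us with a client request. The client's text is
# never executed, only compared; the command that runs is fixed here.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    gate_check || exit 1
    exec sudo -n /sbin/shutdown -h now
fi
```

With this in place a stolen openHAB key can power the firewall off but cannot open a shell, forward ports or run anything else on it.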

I have revoked the posting … all happy now?

Now it’s your turn! :wink:

But here is the big difference. I’m not advocating giving some service which has some exposure to the outside world (through myopenhab.org) running inside a LAN permission to log into the firewall, the thing that protects your LAN from attack, and change the firewall’s settings in those posts. That’s the shady part. That’s locking your door but leaving the key under the welcome mat.

Giving openHAB sudo permission with no password, on specified commands, while not particularly safe, is nowhere near as risky as that. So I have no qualms about giving advice on how to set up the openhab user to use sudo.
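A quick way to tell a blanket grant from the "specified commands" form mentioned above is to audit the sudoers text. This is an added example, not code from the thread; the function names are hypothetical and every sample line except the thread's `openhab ALL=(ALL) NOPASSWD: ALL` is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Constructed sample: the thread's blanket grant next to command-scoped ones.
sample_sudoers() {
    cat <<'EOF'
# constructed sample for the audit below
Defaults        env_reset
openhab ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
kris    ALL=(root) NOPASSWD: /sbin/shutdown -h now
%sudo   ALL=(ALL:ALL) ALL
EOF
}

# Read sudoers text on stdin; print one verdict per NOPASSWD rule.
# Exit status is 1 if any rule grants every command without a password.
# Simplification: one rule per line, no continuations or Cmnd_Alias expansion.
audit_sudoers() {
    awk '
        /^[ \t]*#/  { next }                       # comments and #include lines
        /^[ \t]*$/  { next }                       # blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
        /NOPASSWD:/ {
            who = $1
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)    # keep only the command list
            sub(/[ \t]+$/, "", cmds)
            n = split(cmds, list, /[ \t]*,[ \t]*/)
            verdict = "scoped"
            for (i = 1; i <= n; i++)
                if (list[i] == "ALL") { verdict = "BLANKET"; blanket = 1 }
            print verdict, who, cmds
        }
        END { exit blanket + 0 }
    '
}

# Demo on the constructed sample. For real files (root is needed to read them):
#   cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
sample_sudoers | audit_sudoers || echo "blanket NOPASSWD grant found"
```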

Rich I did not do anything else! I have nothing connected with the outside world! I have suggested the same as you in connection with the Exec Binding!

I do not suggest to connect a service with the outside world. Here are the lines I suggested:

Here my results … it works :slight_smile:

ToDo:

sudo ssh-keygen -t rsa
sudo ssh-copy-id -i /root/.ssh/id_rsa.pub kris@192.168.1.254

sudo nano -f /etc/sudoers.d/010_pi-nopasswd

openhab ALL=(ALL) NOPASSWD: ALL

sudo /etc/init.d/sudo restart

sudo nano /etc/openhab2/rules/shutdown.rules

rule "Shutdown Firewall"
  when
      Item shutdownfirewall changed to ON
  then
      shutdownfirewall.postUpdate(OFF)
      Thread::sleep(100)
      executeCommandLine("sudo bash /etc/openhab2/scripts/firewall_shutdown.sh")
  end

sudo nano /etc/openhab2/scripts/firewall_shutdown.sh

  #!/bin/bash
  ssh kris@192.168.1.254 'sudo shutdown -h now'

sudo chown openhab:openhab /etc/openhab2/scripts/firewall_shutdown.sh
sudo chmod u+x /etc/openhab2/scripts/firewall_shutdown.sh


???

You contradict yourself there?

First you say sudo is a bad idea and later you say that you have no problem with sudo for openhab …