Sodoers NOPASSWD don't work in my openHABian


After a year of learning I’m setting up my new openHAB / Homematic environment with openHABian (btw: BIG KUDOS to the team, you need to set up openHAB manually first to appreciate openHABian).

I learned last year that it isn’t a good idea to power up Homematic and openHAB at the same time uncoordinated, because Homematic gets into problems when openHAB tries to establish the gateway while Homematic’s startup hasn’t finished yet. Therefore I have a script that stops openHAB via ssh, starts Homematic, waits a few minutes and starts openHAB via ssh again. This procedure requires a change in /etc/sudoers, like …

User_Alias  REMOTE_CONTROL = openhabian
Cmnd_Alias SYSTEM_CTL = /bin/systemctl
REMOTE_CONTROL  ALL = NOPASSWD: SYSTEM_CTL

After that I can remotely stop and start openHAB:

harald@remotesystem:~$ ssh openhabian@<myopenhab_ip> "sudo systemctl stop openhab2.service"
... wait
harald@remotesystem:~$ ssh openhabian@<myopenhab_ip> "sudo systemctl start openhab2.service"

That worked well for a year… Unfortunately, in my freshly set up openHABian the NOPASSWD directive is ignored, so I have to implement a dirty workaround, which involves having my supersecret password in plaintext in a script:

harald@remotesystem:~$ ssh openhabian@<myopenhab_ip> "echo <myPassword> | sudo -S systemctl stop openhab2.service"

My question: Has openHABian anywhere blocked (by intention) the usage of NOPASSWD in sudoers?

How did you change that? The official sudo way is to use the edit command visudo to avoid any issues and have the file successfully reloaded. You need to log out and in again for the changes to take effect, IIRC.

https://www.sudo.ws/man/1.8.13/visudo.man.html

Of course I’ve used visudo and I’ve logged out as well. More than that, I’ve copy-pasted the lines from my running configuration where this procedure worked well.

No. The OS base has changed since last year (to Raspbian Buster), possibly they changed something there, but there was no intentional change in openHABian (no unintentional one, either) on sudo functionality.
Btw you don’t have to use aliases, and you don’t have to restrict the commands available to your user (not much point in that anyway on a single user machine …), so you can use simple lines like

[10:42:07] root@openhabianpi:/etc/sudoers.d# cat 010_pi-nopasswd
pi ALL=(ALL) NOPASSWD: ALL
openhabian ALL=(ALL) NOPASSWD: ALL

I’d suggest using systemd to create a dependency for Homematic to start on openHAB being up and running. I cannot explain systemd in a nutshell here though, so take your time to google/read up on that yourself.

I completely agree with this for user openhabian.

But this does not apply to user openhab. And sudo rights given to openhab should be limited to just the commands needed. Otherwise anyone with access to your OH REST API can execute any command as root on that machine.
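To make the "limit it to just the commands needed" point checkable, here is a small added example (my own code, not from this thread or from the openHABian project). It parses the kind of sudoers lines shown above (User_Alias / Cmnd_Alias entries and plain `user host=(runas) NOPASSWD: cmds` specs), expands the aliases, and reports which users hold a passwordless grant for ALL commands, i.e. effectively unrestricted root. The sample sudoers text is constructed for the example; the `openhab` entry in it is a hypothetical restricted grant, not an openHABian default. Simplification: a tag such as NOPASSWD is applied to every command in the spec, whereas real sudo applies it only to the commands that follow it on the line.

```python
import re

# Constructed sample input: the alias-based entries from the thread, an
# openHABian-style unrestricted drop-in line, and a hypothetical restricted
# entry for the openhab service user (not taken from any real system).
SAMPLE_SUDOERS = """\
# remote control of the openHAB service
User_Alias  REMOTE_CONTROL = openhabian
Cmnd_Alias SYSTEM_CTL = /bin/systemctl
REMOTE_CONTROL  ALL = NOPASSWD: SYSTEM_CTL
pi ALL=(ALL) NOPASSWD: ALL
openhab ALL=(ALL) NOPASSWD: /bin/systemctl restart openhab2.service
"""

# Tag words that may prefix a command list in a user specification.
TAG_WORDS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas) [TAG:] command[, command...]
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, specs) with aliases expanded.

    Each spec is a dict: user, host, runas, tags, commands.
    Simplification: tags are applied to the whole command list.
    """
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue   # Defaults, Host_Alias etc. are out of scope here
        user, host, runas, rest = m.groups()
        tags = []
        while True:   # peel leading "TAG:" words off the command list
            t = re.match(r"^(\w+):\s*", rest)
            if not t or t.group(1).upper() not in TAG_WORDS:
                break
            tags.append(t.group(1).upper())
            rest = rest[t.end():]
        commands = []
        for cmd in (c.strip() for c in rest.split(",")):
            commands.extend(cmnd_aliases.get(cmd, [cmd]))   # expand Cmnd_Alias
        for u in user_aliases.get(user, [user]):            # expand User_Alias
            specs.append({"user": u, "host": host, "runas": runas or "root",
                          "tags": tags, "commands": commands})
    return user_aliases, cmnd_aliases, specs


def nopasswd_grants(text):
    """Map each user to the commands they may run without a password."""
    _, _, specs = parse_sudoers(text)
    grants = {}
    for s in specs:
        if "NOPASSWD" in s["tags"]:
            grants.setdefault(s["user"], []).extend(s["commands"])
    return grants


def find_unrestricted(text):
    """Users holding a passwordless grant for ALL commands (full root)."""
    return sorted(u for u, cmds in nopasswd_grants(text).items() if "ALL" in cmds)


if __name__ == "__main__":
    for user, cmds in nopasswd_grants(SAMPLE_SUDOERS).items():
        print(f"{user}: {cmds}")
    print("unrestricted NOPASSWD:", find_unrestricted(SAMPLE_SUDOERS))
```

Run against a real system you would feed it the concatenation of /etc/sudoers and /etc/sudoers.d/*; any service account such as openhab showing up in `find_unrestricted` is the case the post above warns about, while an entry like the constructed `openhab` line restricts the passwordless grant to one command.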

Tried that, but doesn’t work either.

Good idea! I will consider that for Version 3 of my home automation. But first of all a system should work as supposed to, and I’m still curious why openHABian’s Buster doesn’t behave like my Mosquitto broker’s Buster.

Arrgh! My fault. I’ve issued:

harald@remotesystem:~$ ssh openhabian@<myopenhab_ip> "sudo systemctl stop openhab2.service"

which is wrong! You have to leave off “sudo” …

harald@remotesystem:~$ ssh openhabian@<myopenhab_ip> "systemctl stop openhab2.service"

works fine.

Sorry for bothering you guys.