User & permissions weirdness openhab vs openhabian

Because in the first place, you issue the sudo command as the user ‘openhab’ (= the user the openhab main process is running under).

Read the man page and g**gle for “sudoers”.

Just for example, the following config will allow the “openhab” user to execute exactly two well-defined commands as ANY user, including root:

openhabian@devpi:~ $ cat /etc/sudoers.d/011_openhab
openhab ALL=(ALL) NOPASSWD: /usr/bin/tailscale,/usr/sbin/reboot
openhabian@devpi:~ $ 
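
An added example, not part of the original post: a small shell check to run before installing a rule like the one above. It flags a run-as of ALL, wildcards or relative paths, and any permitted command (or its directory) that an account other than the trusted owner could modify, since a NOPASSWD command the service account can rewrite amounts to unrestricted root. The function name `audit_rule` and the `OWNER_UID` variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit one NOPASSWD sudoers rule.
# OWNER_UID is an assumed setting: the uid that must own each command (0 = root).
OWNER_UID=${OWNER_UID:-0}

audit_rule() {
    rule=$1; bad=0
    case $rule in
        *NOPASSWD:*) ;;
        *) echo "SKIP: not a NOPASSWD rule"; return 2 ;;
    esac
    # (ALL) lets the account choose any target user; (root) is narrower.
    case $rule in
        *"=(ALL)"*|*"=(ALL:"*) echo "WARN: run-as is ALL; (root) would be narrower"; bad=1 ;;
    esac
    cmds=${rule#*NOPASSWD:}
    set -f; old_ifs=$IFS; IFS=,
    set -- $cmds                           # split the command list on commas
    IFS=$old_ifs; set +f
    for entry in "$@"; do
        entry=${entry#"${entry%%[! ]*}"}   # trim leading blanks
        path=${entry%% *}                  # drop any fixed arguments
        case $path in
            ALL)       echo "FAIL: $path grants every command"; bad=1; continue ;;
            *\**|*\?*) echo "FAIL: $path contains a wildcard"; bad=1; continue ;;
            /*)        ;;
            *)         echo "FAIL: $path is not an absolute path"; bad=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL: $path does not exist"; bad=1; continue
        fi
        # Check owner and group/other write bits on the command and on its
        # directory; -H resolves symlinks such as /usr/sbin/reboot first.
        for p in "$path" "$(dirname "$path")"; do
            if [ -n "$(find -H "$p" -prune \
                    \( ! -user "$OWNER_UID" -o -perm -020 -o -perm -002 \))" ]; then
                echo "FAIL: $p is not owned by uid $OWNER_UID or is group/other-writable"; bad=1
            fi
        done
    done
    return "$bad"
}

# Stand-alone use: ./audit.sh 'openhab ALL=(ALL) NOPASSWD: /usr/bin/tailscale,/usr/sbin/reboot'
if [ "$#" -gt 0 ]; then
    audit_rule "$1"
    exit
fi
```

Once a rule passes, `visudo -cf <file>` checks its syntax before it is copied into /etc/sudoers.d.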

Markus, many thanks for the helpful tips. Actually I have been reading the man page and googling, for days, and have not yet found the right solution. Yes, I know all about the sudoers file, but it is really not a solution in this case. As you may recall from my post in another thread, I am writing an OH plug-in that allows OH to auto update itself from within its own UI. I have developed scripts that can do this, but those scripts require root resp. openhabian credentials to run. So we need to bust out of the ‘openhab’ user constraints. And unfortunately, since such an OH plug-in is supposed to make things easier for the user rather than more complex, we cannot start off by telling the user that this wonderful plug-in will solve everything for you, but first you have to read the man page and g**gle so you can start to mess around with your sudoers file. :wink:

EDIT: perhaps one could do something like the OH plugin making an SSH connection into its own console as ‘openhabian’ and then run the script from there. Who knows?

I made a few initial tests and this seems to be feasible, i.e. from inside OH (as ‘openhab’) one can indeed establish an SSH connection to 127.0.0.1:22 (login as ‘openhabian’) and send commands and receive responses to that shell. It's rather cool…

However it does have high overhead (increasing the Jar + dependencies from 40k to 400k) so if there is a better solution it would be good to know…