After migration from openHAB 3.2 on Windows, i moved to openHAB 3.3 release on Ubuntu with openhabian. For security I avoided the use of the default user openhab.
Everything runs fine, except a few rules, which need the action executeCommandline. This action does nothing without the user openhab. I tried to find how to add the user openhab, but that must be done with the console. It looks like the console can only be accessed if I log in to the user openhab. Anybody having a better solution than a fresh installation with the default user openhab ?
Gert Könemann
You might find that a hard path to go down since the docs for openHABian state
We provide code that is reported “as-is” to run on Ubuntu but we do not support Ubuntu so please don’t open issues for this (PRs then again are welcome). Several optional components such as WireGuard or Homegear are known to expose problems on Ubuntu.
It’s not that it won’t work but Ubuntu is just different enough that we are unlikely to be able to help.
The user openhab or the user openhabian? User openhab is the user under which the openHAB process runs. This is a limited rights system user that doesn’t have a shell and cannot be logged into directly anyway. Removing that user really doesn’t do anything for your security at all. The only way an attacker can abuse that user is if they’re already on your system in the first place. At best it moves any security problems from one system level limited rights user to a different one. At worst it worsens your security posture because the new user OH is running under is either a regular user with a password and a shell, or you’re running OH as root which is about the worst you can do from a security perspetive.
If you’re actually talking about user openhabian, then that really shouldn’t cause any problems with openHAB itself. So I’ll assume the former since the latter wouldn’t be causing these problems.
Honestly, no. Your machine is in a state that is very far off from the baseline supported openHABian. It might work to run apt uninstall openhab followed by apt install openhab and this time let it create the openhab user. You are not improving your security one iota by not using that user anyway so you may as well use it when you reinstall and get a smidgen closer to a supported baseline (the fact that you are on Ubuntu means we are already pretty limited in what we can support).
If your executeCommandLine commands are using sudo, the problem may be that what ever user openHAB is actually running under isn’t in the sodoer’s file or hasn’t yet acknowledged the warning the first time you run sudo as that user.
Please read and mind the docs and don’t ask for help here on the forum on modified openHABian setups. Thank you.
Dear Rich and Markus,
I did not modify openHabian in any aspect. My “fault” was that i entered another username than openhab. If that is an error, why is asked for the username? It gave me the impression, that any username would be accepted. The installation by openhabian went without problems. I am convinced that doing the same on a RPi would give the same problem. I know almost nothing about Linux yet. I thought that Ubuntu is Debian with some extras. The compact desktop was not in use and could do the job.
I will try the suggestion from Rich and if that does not work, start with a new install. Thank you for your time.
Gert
It sounds instead like you are talking about user openhabian, not user openhab. I just ran through the install and it doesn’t ask for a username for openhab.
Perhaps if you provided more details it might become more clear. for example, what’s the ownership of the files in /var/lib/openhab ?
Maybe the root issue is that you are expecting everything to be the same for the openhab user as it is for the user that you log in as. It’s not (see my discussion above about how openhab is a limited user with no shell). You typically have to provide the full path to all commands you give it and you have to explicitly give it permission to access stuff.
Just because it runs under the user you log in as (which is openhabian by default) doesn’t mean it will run successfully under the user openhab.
Not at all. Ubuntu starts with Debian and then makes a lot of changes. It’s not just Debian with a pretty user interface. And some of those changes cause problems. Since openHABian’s primary focus is on RPi, and Raspberry OS actually is Debian, there is no reason to automatically expect that openHABian would work on Ubuntu, Mint, Armbian, or any of the other Debian derivatives. It’s more likely to work than on say, Fedora, CentOS, or SuSE but still not guaranteed.
But in this case the docs for openHABian explicitly state that if you run openHABian on Ubuntu, you are on your own and that there are known problems using openHABian on Ubuntu.
Since you are new to Linux, I strongly recommend not going against the recommendations in the docs.
- what is the command that you want to run ?
- for the command line you adapted the windows syntax to linux syntax ?
- what are the permissions of the executable ( ls -l /path/to/executable ) ?
User ( openhab ) to run the java process under is deep in the system You can change the karaf use’s ( openhab’s ) default password if you would like to make it more secure.