Author Topic: about running fhem as root or not  (Read 785 times)

Offline claudio

  • New Member
  • *
  • Posts: 20
about running fhem as root or not
« on: 21 March 2018, 01:34:20 »
Hi guys

Recently, I've seen a message when starting fhem that I should not run it as root. Then, I've changed to nobody and restarted. That's nice and all seemed working until I discovered that some functions weren't working properly. Ex: ping via WOL module doesn't work anymore since it appears to need root privileges. It's the same for the wol command ether-wake. And I can't run certain commands like "system("service wireless start")"

Is there any solution to these problems, except running fhem as root?

Or is it safe to run fhem as root?

Online MadMax-FHEM

  • Hero Member
  • *****
  • Posts: 4084
  • NIVEAu is not a cream...
Re: about running fhem as root or not
« Reply #1 on: 21 March 2018, 07:25:17 »
You could enter fhem into sudoers for the necessary commands and then add sudo in front of the command...

Short because of Smartphone...

Bye, Joachim
FHEM 5.8 PI3: HM-CFG-USB, 40x HM, ZWave-USB, 6x ZWave, EnOcean-PI, 3x EnOcean, DashButtons, CO2, ESP-Multisensor, FireTV, NanoLeaf, ...
FHEM 5.8 PI2: HM-CFG-USB, 25x HM, ZWave-USB, 4x ZWave, EnOcean-PI, 3x EnOcean, KODI, ha-bridge, ...
FHEM 5.8 PI3 (Test): HM-MOD-PCB, Alexa (alexa-fhem), Google Home
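
The sudoers approach suggested in this reply, as an added example that is not part of the original post: a small generator for a drop-in rule that lets the `fhem` account run only the two commands named in the question. The paths `/usr/sbin/ether-wake` and `/usr/sbin/service` and the function name `sudoers_rule` are assumptions; check the real paths with `command -v` on the target system.

```shell
# Added example: build a sudoers line for a service account.
# Usage: sudoers_rule USER CMD [CMD...]
# Each CMD is an absolute path, optionally followed by fixed arguments.
# A CMD without arguments allows any arguments; a CMD with arguments
# allows exactly those arguments.
sudoers_rule() {
    user=$1
    shift
    [ $# -gt 0 ] || { echo "no commands given" >&2; return 1; }
    list=
    for cmd in "$@"; do
        case $cmd in
            /*) ;;   # sudoers matches on the full path, so require one
            *)  echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        case $cmd in
            *'*'*|*'?'*|*'['*|*,*)
                # wildcards widen the rule; commas would split the list
                echo "refused character in: $cmd" >&2; return 1 ;;
        esac
        list=${list:+$list, }$cmd
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list"
}

# Example (assumed paths):
# sudoers_rule fhem /usr/sbin/ether-wake "/usr/sbin/service wireless start"
```

Write the output to a file under `/etc/sudoers.d/` and validate it with `visudo -c -f <file>` before relying on it; the fhem side then calls, for instance, `system("sudo /usr/sbin/service wireless start")`.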

Offline sledge

  • Full Member
  • ***
  • Posts: 240
Re: about running fhem as root or not
« Reply #2 on: 21 March 2018, 22:04:12 »
Hi Claudio,

Basically the answer to your questions depends upon the system you are running FHEM on. There are for sure scenarios where fhem as root is more or less fine - depending also upon the kind of equipment / controllers / sensors you are controlling with FHEM.

OTOH it is best practice to run any service in an environment with least privileges. So you can contain potential security issues; rights elevation or lateral movement of an intruder will be reduced / mitigated. Also malfunctions in FHEM - executed as root able to severely harm your system - will not be possible.

I guess most of the unix based users have a user named "fhem" which is the user FHEM is using. To gain access to certain hardware usually this user has to be added to certain system groups like "dialout" etc. - also "sudo" might be necessary. It all depends upon your requirements / needs for security.

If you just use FHEM on a standalone raspberry to switch on/off your reading light and collect some temperature data - YMMV.

But that again is no FHEM centric question, rather a Unix related best practice question.

Feel free to ask any questions.

Best Regards,

Tom
FHEM: Intel-NUC / 2 Cube-CUN + 20 FK + 4 ECO-Taster / HMLAN + HM-PB-2-WM55-2 + 4 HM-MOD-Re-8 / JeeLink + 17 TX29DTH / Jeelink + 7 PCA301 / HMUARTWLAN / Opentherm-Gateway / LGW+CUL868

Offline claudio

  • New Member
  • *
  • Posts: 20
Re: about running fhem as root or not
« Reply #3 on: 22 March 2018, 01:04:14 »
Thanks for your answers.

I think it will be possible to add sudo before specific commands (like running system scripts or programs) but I haven't found a solution yet for the fhem module WOL, which internally runs the ping program. I can't directly pass sudo there. Do you have some ideas about this particular module?

As a side note, I currently run fhem on my router so I much prefer not running it as root if possible. I think however that it will be best in the long run to dedicate some hardware for the fhem server. I'm currently looking for some nice, low power, little SBC, perhaps an up board like this http://www.up-board.org/up/. I already have a pi 2 with tvheadend, but I don't fully trust it.

Offline rudolfkoenig

  • Administrator
  • Hero Member
  • *****
  • Posts: 19347
Re: about running fhem as root or not
« Reply #4 on: 22 March 2018, 10:39:15 »
The ping program is normally installed setuid root on a "real" unix-like system, so everybody can use it.
> ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
I assume that on your system this is not the case. My guess: your router is an embedded device using busybox, which also implements ping. Adding s-bit to busybox would be unwise, a workaround could be to remove the symlink ping -> busybox; cp busybox ping; chmod g+s ping. Please only execute these instructions if you know what they will do, as, if my assumption is wrong, they will cause you headaches.
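
A read-only check for the cases described in this reply, as an added example that is not part of the original post: it reports whether a given ping is a stand-alone binary or a symlink into busybox, and which s-bits it carries. The function name `ping_install_state` and its output labels are made up for this example.

```shell
# Added example: classify how a ping binary is installed.
# Output labels (constructed for this example):
#   missing              no such file (or a dangling symlink)
#   setuid-root          s-bit on a root-owned file, as in the ls -l output above
#   setuid-nonroot       s-bit set, but the owner is not uid 0
#   setgid               only the group s-bit is set
#   plain                no s-bit at all
# A "busybox-" prefix means the path is a symlink to a file named busybox,
# so any s-bit reported sits on the shared multi-call binary.
ping_install_state() {
    p=$1
    [ -e "$p" ] || { echo missing; return 0; }
    prefix=
    if [ -L "$p" ]; then
        p=$(readlink -f "$p")
        if [ "$(basename "$p")" = busybox ]; then prefix=busybox-; fi
    fi
    owner=$(ls -ln "$p" | awk '{print $3}')   # numeric uid of the owner
    if [ -u "$p" ] && [ "$owner" -eq 0 ]; then
        echo "${prefix}setuid-root"
    elif [ -u "$p" ]; then
        echo "${prefix}setuid-nonroot"
    elif [ -g "$p" ]; then
        echo "${prefix}setgid"
    else
        echo "${prefix}plain"
    fi
}

# Example: ping_install_state "$(command -v ping)"
```

On the router from the question, `busybox-plain` would match the guess made in this reply, and `busybox-setuid-root` is the configuration it calls unwise.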