about running fhem as root or not

Started by claudio, 21 March 2018, 01:34:20


claudio

Hi guys

Recently, I've seen a message when starting fhem that I should not run it as root. Then, I changed to nobody and restarted. That's nice and all seemed to work until I discovered that some functions weren't working properly. Ex: ping via the WOL module doesn't work anymore since it appears to need root privileges. It's the same for the wol command ether-wake. And I can't run certain commands like "system("service wireless start")"

Is there any solution to these problems, except running fhem as root?

or is it safe to run fhem as root ?

MadMax-FHEM

You could enter fhem into sudoers for the necessary commands and then add sudo in front of the command...

Short because of Smartphone...

Bye, Joachim
FHEM PI3B+ Bullseye: HM-CFG-USB, 40x HM, ZWave-USB, 13x ZWave, EnOcean-PI, 15x EnOcean, HUE/deCONZ, CO2, ESP-Multisensor, Shelly, alexa-fhem, ...
FHEM PI2 Buster: HM-CFG-USB, 25x HM, ZWave-USB, 4x ZWave, EnOcean-PI, 3x EnOcean, Shelly, ha-bridge, ...
FHEM PI3 Buster (Test)
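The sudoers approach above, as an added example that is not part of the original post or of FHEM itself: a POSIX shell script that renders a sudoers drop-in granting the service user exactly the commands it needs, syntax-checks it with visudo, and installs it. The user name "fhem", the command paths (/sbin/ether-wake, /usr/sbin/service) and the argument lists are assumptions for this example; verify each path with `command -v` on your own system before installing.

```shell
#!/bin/sh
# Added example (not FHEM project code): delegate only the specific root
# commands FHEM needs to the unprivileged service user via a sudoers drop-in.
# User name, command paths and argument lists are assumptions for the example.

FHEM_USER="${FHEM_USER:-fhem}"

# Commands FHEM must run as root. Full paths always; where the arguments are
# fixed, list them too, so sudoers rejects the same binary with other arguments.
fhem_sudo_commands() {
    printf '%s\n' \
        '/sbin/ether-wake' \
        '/usr/sbin/service wireless start' \
        '/usr/sbin/service wireless stop'
}

# Render one rule per command. No wildcards, no shells or editors, and
# NOPASSWD only because the service user has no terminal to type a password.
fhem_sudoers_fragment() {
    printf '# Commands the FHEM service user may run as root (generated)\n'
    fhem_sudo_commands | while IFS= read -r cmd; do
        printf '%s ALL=(root) NOPASSWD: %s\n' "$FHEM_USER" "$cmd"
    done
}

# Syntax-check the fragment before it can break sudo for every user.
# Returns 0 when visudo accepts it (or is not installed in this environment).
fhem_sudoers_check() {
    tmp=$(mktemp) || return 1
    fhem_sudoers_fragment > "$tmp"
    rc=0
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Install as a drop-in (needs root). Mode 0440 root:root is what sudo expects.
install_fhem_sudoers() {
    dest="${1:-/etc/sudoers.d/fhem}"
    fhem_sudoers_check || return 1
    tmp=$(mktemp) || return 1
    fhem_sudoers_fragment > "$tmp"
    install -m 0440 -o root -g root "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone usage: print the fragment for review, then install as root.
fhem_sudoers_fragment
```

In FHEM the command is then prefixed with sudo, e.g. `{system("sudo /usr/sbin/service wireless start")}`. A command listed without arguments (like ether-wake above) may be invoked with any arguments, so pin the arguments wherever the use is fixed, and never list a shell, an editor or anything with a `-e`/`--exec` style option, since those hand over a root shell.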

sledge

Quote from: claudio on 21 March 2018, 01:34:20
Hi guys

Recently, I've seen a message when starting fhem that I should not run it as root. Then, I changed to nobody and restarted. That's nice and all seemed to work until I discovered that some functions weren't working properly. Ex: ping via the WOL module doesn't work anymore since it appears to need root privileges. It's the same for the wol command ether-wake. And I can't run certain commands like "system("service wireless start")"

Is there any solution to these problems, except running fhem as root?

or is it safe to run fhem as root?

Hi Claudio,

basically the answer to your questions depends upon the system you are running FHEM on. There are for sure scenarios where fhem as root is more or less fine - depending also upon the kind of equipment / controllers / sensors you are controlling with FHEM.

OTOH it is best practice to run any service in an environment with least privileges. So you can contain potential security issues; rights elevation or lateral movement of an intruder will be reduced / mitigated. Also malfunctions in FHEM - executed as root, able to severely harm your system - will not be possible.

I guess most of the unix based users have a user named "fhem" which is the user FHEM is using. To gain access to certain hardware usually this user has to be added to certain system groups like "dialout" etc. - also "sudo" might be necessary. It all depends upon your requirements / needs for security.

If you just use FHEM on a standalone raspberry to switch on/off your reading light and collect some temperature data - YMMV.

But that again is no FHEM centric question, rather a Unix related best practice question.

Feel free to ask any questions.

Best Regards,

Tom
FHEM: debian Intel-NUC / 25 x MAX!, 15 x HM-bidcos, MQTT, 3 x 1wire, 20 x Shelly, 20 x Tasmota, 12 x Yeelight, Opentherm-GW, Espeasy, alexa-fhem, kodi, unifi, musiccast, ...

claudio

thanks for your answers.

I think it will be possible to add sudo before specific commands (like running system scripts or programs) but I haven't found a solution yet for the fhem module WOL which internally runs the ping program. I can't directly pass sudo there. Have you some ideas about this particular module?

As a side note, I currently run fhem on my router so I much prefer not running it as root if possible. I think however that it will be best in the long run to dedicate some hardware for the fhem server. I'm currently looking for some nice, low power, little SBC, perhaps an UP board like this http://www.up-board.org/up/. I already have a pi 2 with tvheadend, but I don't fully trust it.

rudolfkoenig

The ping program is normally installed setuid root on a "real" unix-like system, so everybody can use it.
> ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping

I assume that on your system this is not the case. My guess: your router is an embedded device using busybox, which also implements ping. Adding the s-bit to busybox would be unwise; a workaround could be to remove the symlink ping -> busybox; cp busybox ping; chmod g+s ping. Please only execute these instructions if you know what they will do, as if my assumption is wrong they will cause you headaches.
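The check behind this diagnosis, as an added example that is not part of the post above or of FHEM: a shell function that reports why a given ping binary can (or cannot) open a raw socket for an unprivileged caller. It follows a symlink to its target (the busybox case), tests for the setuid bit (the `s` in the owner execute position of `-rwsr-xr-x`, octal 4000, which only helps when the owner is root), and, where the libcap `getcap` tool exists, for the `cap_net_raw` file capability that current Linux distributions use instead of setuid. A Linux userland with `find`, `readlink -f`, `ls` and `awk` is assumed; `getcap` is optional.

```shell
#!/bin/sh
# Added example (not FHEM project code): find out whether a ping binary can
# open a raw socket for an unprivileged caller. Prints one of
#   "setuid <owner>"  - setuid bit set; only useful if <owner> is root
#   "capability"      - cap_net_raw file capability (modern Linux distros)
#   "busybox"         - symlink into busybox: applet runs with caller's rights
#   "none"            - neither; ping will fail for non-root users
# Assumes a Linux userland with find, readlink -f and optionally getcap.

ping_privilege_mode() {
    bin="$1"
    [ -e "$bin" ] || { echo missing; return 1; }
    # Follow symlinks: on embedded systems /bin/ping -> /bin/busybox.
    target="$bin"
    if [ -L "$bin" ]; then
        target=$(readlink -f "$bin")
    fi
    # -perm -4000 matches the setuid bit; -prune keeps find from descending
    # if someone passes a directory by mistake.
    if [ -n "$(find "$target" -prune -perm -4000 2>/dev/null)" ]; then
        echo "setuid $(ls -ld "$target" | awk '{print $3}')"
        return 0
    fi
    # Debian/Ubuntu style: no setuid, but cap_net_raw+ep on the file.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$target" 2>/dev/null | grep -q cap_net_raw; then
        echo capability
        return 0
    fi
    case "$(basename "$target")" in
        busybox*) echo busybox; return 0 ;;
    esac
    echo none
}

# Stand-alone usage, e.g. on the router: ping_privilege_mode "$(command -v ping)"
ping_privilege_mode "$(command -v ping)"
```

Note that only the setuid bit (`u+s`) or the capability lets a non-root FHEM user send ICMP; a setgid bit or a setuid bit on a file owned by a non-root user reports as "none" or "setuid <user>" here and does not help the WOL module.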

Todd Merriman

Quote from: claudio on 21 March 2018, 01:34:20
Hi guys

Recently, I've seen a message when starting fhem that I should not run it as root. Then, I changed to nobody and restarted. That's nice and all seemed to work until I discovered that some functions weren't working properly. Ex: ping via the WOL module doesn't work anymore since it appears to need root privileges. It's the same for the wol command ether-wake. And I can't run certain commands like "system("service wireless start")"

Is there any solution to these problems, except running fhem as root?

or is it safe to run fhem as root?

I just installed FHEM on CentOS 7. To avoid running as root, I first changed ownership of the directory tree containing FHEM to the user that would be running the server. I am using a Z-stick USB dongle that shows up as /dev/ttyACM0. The permissions on that device were crw-rw---, owned by root/dialout. I changed the permissions on that device to be crw-rw-rw. I also changed permissions on all /dev/ttyS? from crw-rw--- to crw-rw-rw so that FHEM could read them as an unprivileged user.

Beta-User

@Todd Merriman:
User fhem will be added to the dialout group when using a standard debian installation method. This is sufficient and imo the most secure way to allow FHEM to use any USB dongle or other serial connection.
Server: HP-elitedesk@Debian 12, current FHEM@ConfigDB | CUL_HM (VCCU) | MQTT2: MiLight@ESP-GW, BT@OpenMQTTGw | MySensors: serial, mainly 2.3.1@RS485 | ZWave | ZigBee@deCONZ | SIGNALduino | MapleCUN | RHASSPY
svn: among others MySensors, Weekday-&RandomTimer, Twilight, various attrTemplate files
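The difference between the two approaches in the last two posts (a world-writable device node versus group membership), as an added example that is not part of either post or of FHEM: a shell audit that classifies a device node's mode bits, checks whether the service user already belongs to the node's owning group, and prints the group-based fix. The device path /dev/ttyACM0 and the user name "fhem" are assumptions; a Linux userland with `find`, `ls`, `awk` and `id` is assumed.

```shell
#!/bin/sh
# Added example (not FHEM project code): audit how the FHEM service user
# reaches a serial device node. A 0660 root:dialout node plus membership in
# dialout is sufficient; a 0666 node lets every local account drive the stick.
# Device path and user name are assumptions for this example.

# Classify the node's mode bits: world-writable (0666 style), group (0660)
# or owner-only. -perm -002 / -020 test the "other" and "group" write bits.
device_access_class() {
    node="$1"
    if [ -n "$(find "$node" -prune -perm -002 2>/dev/null)" ]; then
        echo world-writable
    elif [ -n "$(find "$node" -prune -perm -020 2>/dev/null)" ]; then
        echo group
    else
        echo owner-only
    fi
}

# Owning group of the node, as shown by ls -l (root/dialout in the post).
device_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Returns 0 if the user is in the node's owning group, i.e. 0660 is enough.
user_in_device_group() {
    node="$1"; user="$2"
    grp=$(device_group "$node")
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$grp" ]; then
            return 0
        fi
    done
    return 1
}

# Report the state and the recommended fix. chmod on the node alone is not
# even persistent: udev recreates /dev nodes on reboot or replug, so the
# durable change is on the user side (usermod), applied after a restart.
audit_device() {
    node="$1"; user="$2"
    if [ "$(device_access_class "$node")" = world-writable ]; then
        echo "$node is world-writable: any local account can use the controller; restore with chmod 0660 $node"
    fi
    if user_in_device_group "$node" "$user"; then
        echo "$user is in group $(device_group "$node"); mode 0660 is sufficient"
    else
        echo "add the user to the group (needs root): usermod -aG $(device_group "$node") $user"
    fi
}

# Stand-alone usage with the assumed values from the thread:
audit_device "${DEV:-/dev/ttyACM0}" "${FHEM_USER:-fhem}"
```

After `usermod -aG dialout fhem` the new group only applies to processes started afterwards, so FHEM has to be restarted; the udev-managed node itself keeps its distribution default of 0660 root:dialout.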