Appdaemon ownership and permissions

I’m tinkering with appdaemon and like it a lot as I prefer python to yaml. I installed it according to the tutorial with sudo so root owns it and the directories I have created. As a result, I have to use sudo to edit the files and it makes me wonder what the “standard” way of installing is. That is, who should own the files and folders? Should I just make homeassistant the owner since we’re putting the conf directory in homeassistant’s home directory?

It makes little difference, but in general it is a security risk to run anything you don’t trust with sudo (but of course you trust appdaemon, so what’s the problem ???)

A safer way would be to run appdaemon as an unprivileged user such as hass, and ensure that all of the files and directories are also owned by hass.

FWIW, I run mine as root, but then I wrote the code and know it’s trustworthy :wink:

I don’t have a problem running it as root. I guess what I’m really asking is can the files in the conf directory be owned by homeassistant for example. I use samba to export the .homeassistant folder so I can edit the files remotely and the ones owned by root (appdaemon files) can’t be edited. It would just be for convenience.

Running as root, AD can read and write anything so AD wouldn’t mind, however any files written by AD, e.g. compiled dashboards, would be owned by root therefore you would be unable to read/delete them from samba running as homeassistant.

You really should, because …

One slip of programming and you could be overwriting your operating system, deleting config files and doing any kind of disastrous thing that you didn’t think of.

You say there is a tutorial somewhere that tells you to install AD as root? That really should be changed.

I installed it with sudo as it would not install otherwise. I don’t recall the problem(s). I was logged in as pi.

What do you do?

Create a virtual environment for appdaemon and install AD in that. I use the same user as runs HA - homeassistant, but user pi would be a minor increase in security risk compared to running as root, if that is more convenient for your editing.

Can you elaborate on the steps you take to do that including how you login or su as homeassistant?

there are other disadvantages also that i encountered.

i run some subprocesses and they needed root.(sudo rsync)
but that gave some problems with processes that kept hanging.
so i thought: let’s be clever and run AD as root (with sudo)

it worked, until i noticed that vlc wasn’t working anymore.
cvlc is programmed not to work as root.
when i read some more things i discovered that there are more things not running as root.

so i went back to not running as root and changed my subprocesses. (did take me a while to figure out the right commands, but now it’s running)

I ran through it just to make sure I didn’t miss anything.

$ sudo su -s /bin/bash -l homeassistant
homeassistant@lubuntu-1710:~$ mkdir appdaemon_venv
homeassistant@lubuntu-1710:~$ cd appdaemon_venv
homeassistant@lubuntu-1710:~/appdaemon_venv$ python3 -m venv .
homeassistant@lubuntu-1710:~/appdaemon_venv$ source bin/activate
(appdaemon_venv) homeassistant@lubuntu-1710:~/appdaemon_venv$ pip3 install wheel
Collecting wheel
  Using cached wheel-0.30.0-py2.py3-none-any.whl
Installing collected packages: wheel
Successfully installed wheel-0.30.0
(appdaemon_venv) homeassistant@lubuntu-1710:~/appdaemon_venv$ pip3 install appdaemon
Collecting appdaemon
...

Now it’s installed, just a few checks

(appdaemon_venv) homeassistant@lubuntu-1710:~/appdaemon_venv$ which appdaemon
/home/homeassistant/appdaemon_venv/bin/appdaemon
(appdaemon_venv) homeassistant@lubuntu-1710:~/appdaemon_venv$ appdaemon -v
appdaemon 3.0.0

To run appdaemon from a systemd script use the output from which appdaemon as the executable.

To enable the VE do

homeassistant@lubuntu-1710:~$ source appdaemon_venv/bin/activate
(appdaemon_venv) homeassistant@lubuntu-1710:~$

Note the indication at the start of the prompt.

To deactivate do

(appdaemon_venv) homeassistant@lubuntu-1710:~/appdaemon_venv$ deactivate 
5 Likes

Installing it via sudo does not mean you have to run it with sudo - it just means you needed root permission to install it in the global environment - it will still run as any user, the key is to ensure correct permissions on the configuration files and directories which are separate from the installed files.

However, as others have said (and provided examples for) - installation in a venv is by far the best solution.

1 Like

I followed your instructions and it worked great. Thanks for the suggestion and the help.

I elected to create the VE in /srv since that is where homeassistant is located. Here are some of the affected files:

$less /etc/systemd/system/[email protected]
[Unit]
Description=AppDaemon
[email protected]

[Service]
Type=simple
User=homeassistant
ExecStart=/srv/appdaemon/bin/appdaemon -c /home/homeassistant/.appdaemon

[Install]
WantedBy=multi-user.target

As you can see, I elected to put the configuration files for appdaemon in /home/homeassistant/.appdaemon. I also elected to export that folder in a separate samba volume: Here is the tail end of my /etc/samba/smb.conf file:

[homeassistant]
path = /home/homeassistant/.homeassistant
writeable = yes
guest ok = yes
create mask = 0644
directory mask = 0755
force user = homeassistant

[appdaemon]
path = /home/homeassistant/.appdaemon
writeable = yes
guest ok = yes
create mask = 0644
directory mask = 0755
force user = homeassistant
2 Likes
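
Added example, not part of any post in this thread: a shell check that the account named in the unit's User= line and the ownership of the AppDaemon config directory agree, which is the condition the replies above describe. The function names are illustrative, and the unit path in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: audit an AppDaemon service and its config tree for the
# ownership problems discussed in this thread. Names are illustrative.

# unit_user FILE: print the unit's User= value. systemd runs system services
# as root when no User= is set, so report "root" in that case.
unit_user() {
    local u
    u=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# audit_tree DIR UID: print "<finding> <path>" for every entry under DIR that
# is not owned by UID, or that any local account could modify.
audit_tree() {
    find "$1" ! -uid "$2" -print | sed 's/^/wrong-owner /'
    find "$1" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
}

# audit_appdaemon UNIT DIR: combine both checks. Returns 0 only when the
# service runs unprivileged and every entry in DIR belongs to that account.
audit_appdaemon() {
    local user uid findings
    user=$(unit_user "$1")
    if [ "$user" = root ]; then
        echo "service-runs-as-root $1"
        return 1
    fi
    uid=$(id -u "$user") || { echo "unknown-user $user"; return 1; }
    findings=$(audit_tree "$2" "$uid")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage with the config path from the post above (unit path is a placeholder):
#   ./audit.sh /etc/systemd/system/<unit>.service /home/homeassistant/.appdaemon
if [ "$#" -eq 2 ]; then
    audit_appdaemon "$1" "$2"
fi
```

Root-owned files left behind by an earlier run under sudo, such as compiled dashboards, show up as wrong-owner lines.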