I got a Raspberry Pi 3 B+ with virtualenv and a fresh hass installation and want to use wake on lan. Since the wake on lan magic packet needs to be sent to a specified network interface i’m forced to use a command_line script with etherwake instead of the wake_on_lan component. Etherwake needs sudo rights and i found the only working solution to be add my hass user to the sudoers group in /etc/sudoers via homeassistant ALL=NOPASSWD: ALL
Isn’t that basically a giant security hole and circumventing the whole virtualenv idea? I understand that etherwake needs root privileges to directly send ethernet frames, but adding homeassistant to the sudoers feels like overkill to me? Can someone enlighten me if that is really such a big deal and/or if there is a work around? Maybe some way to limit the sudo privileges to just etherwake? Or somehow make wakeonlan use
the ethernet instead of the wifi network interface? I’m pretty new to all this, so my knowledge of how security works in linux may be skewed a bit into the windows world where i’m coming from.
Only allow for the script(s)/command(s) you are specifically happy for the homeassistant user to run under sudo with no passwd, eg
homeassistant ALL=(ALL) NOPASSWD: /bin/systemctl restart [email protected]
I personally don’t see any issues giving the homeassistant user sudo privileges.
I can see if your install was part of a bigger network or some special security was necessary for some reason. But if you think about it your HA is on your network protected by your router and with your username and your password. Who is going to go in and do something nefarious on your machine?
I suppose if you have untrustworthy roommates it might be an issue but then there are bigger issues than whether they can get in and fool around with the HA host software.
And if you are worried about it getting screwed up inadvertently, you are more likely to do that via SSH as the admin user on the Pi than via thru HA anyway. And that’s what regular backups of the SD card are for. 
Thanks, i didn’t realize that was an option. I went with:
homeassistant ALL=(ALL) NOPASSWD: /usr/sbin/etherwake
I feel slightly more secure now 
It’s best practice for a reason, but it’s a personal thing.
A ridiculously simplified example - Let’s say in a month someone finds a bug in homeassistant that if you add ?iamawalrus&.... to the end of your duckdns url it will run whatever command you put after the & sign without authenticating. Turns out Paulus just loves backdoors with The Beetles references and just thought why the hell not, nobody will know…
So, some script kiddies get your duckdns url and add a command to the end of it to download and run a script, if your user doesn’t have sudo privileges then the script can’t access a lot of your system. If you’ve given it sudo privileges and no password then the script runs in full and your computer is now live streaming your webcam to porn sites, capturing all your network traffic (including your bank transactions) and uploading it to the highest bidder etc.