Running Shell Commands

Okay folks, I am out of ideas here and need any help anyone is willing to give.

Have been trying to run some shell commands to back up the SD card and configuration directory. I can run the commands in a terminal all day long without issue, but they just won't run from HA.

I originally tried running the raw commands:

shell_command:
  backup_config: rsync -azh -e ssh --delete /home/hass/.homeassistant/ [email protected]:/mnt/usb_1/FileSync/AllFiles/HomeAssistant/
  backup_image: ssh [email protected] dd if=/dev/mmcblk0 of=/mnt/usb_1/FileSync/AllFiles/HARPi3_SD_Backup_$(date +%Y%m%d).img bs=1M

script:
  backup_config:
    alias: Back Up Configuration
    sequence:
      - service: shell_command.backup_config
  backup_image:
    alias: Image SD Card
    sequence:
      - service: shell_command.backup_image

That having failed with and without single quotes I tried:

shell_command:
  backup_config: '/usr/bin/harpi3rsync.sh'
  backup_image: '/usr/bin/harpi3ddimg.sh'

Putting the commands in a shell file but that too does not work. I tried putting the .sh files in the configuration directory, that did not work. I have made sure they are executable. I have changed the owner of the files to hass:hass.

I simply just do not know what to do next short of giving hass root privileges. It’s just plain frustrating because I know it can be done yet for some reason I have been unable to and none of the examples around have given much help. By all accounts that I can find, my configuration is set up exactly as it needs to be, I just don’t know what else to look at or try.

try bash /usr/bin/harpi3rsync.sh, assuming the privileges are right.

give me a moment and I will try that out. Thanks.

Nope that made no difference, unfortunately.

Have you gotten any shell command to work yet?

The first thing I would do to test it is something that shouldn’t ever fail no matter the user:

shell_command:
    test: touch /tmp/hass-shell-command-test

Then activate it via the webui and see if the file appears. If that works you can start debugging your commands.

After that, you can address the scripts:
You will NEED root privileges to do a dd of the disk of course.
And I assume you’ve tried the rsync as the hass user and that works correctly? If that is the case and your key isn’t passworded (not just unlocked via your keychain but actually passwordless) then that command should work.

I am not sure how to run the command as the hass user. I looked at the Zwave page and am not sure how to integrate that into the command. But let me try the touch test first.

The funny part, at least to me, is that I have a sensor set up:

  - platform: command_line
    scan_interval: 30
    name: WAN
    command: "/usr/bin/pingtest.sh"
    payload_on: "Network Is Up"
    payload_off: "ICMP Ping Fail"

And that runs without any issue at all.

Okay, I ran the touch command from within HA and it worked fine

I just repurposed the backup command:

shell_command:
   backup_config: touch /home/hass/.homeassistant/testfile

Cool, so HA is working then, so it’ll be something in your script that is failing. If you get to more than a few distinct words in your command I would put it in an external script (to avoid possible parsing issues and make the config more readable, and you can then modify scripts without reloading the config file as well).

Put your commands in a script, and see if they work when run as the hass user and do what you expect, then you should be good to call it within your shell_command directive

Okay, I put the commands in a script tried running them as hass and failed miserably and I am unsure how to give hass permission to run the file without giving permission as root or some other elevated permissions. I have chmod +x the script file and that has not helped either. I am dumbfounded as to how others do this so easily, what the heck am I missing here?

ls -lash /usr/bin/harpi3rsync.sh
4.0K -rwx--x--x 1 root root 174 Jan  9 06:37 /usr/bin/harpi3rsync.sh

I’m not sure but isn’t this where we can use a “sticky” bit ?

Edit: Google for setuid/setgid. I think that’s all that is needed on the script you want to run as root, I might be wrong though :confused:

I ran across information about that and gave it a shot and that did not work either, so either I did it wrong or it’s not the solution. Having never tried setuid/setgid before I am more inclined to believe I did it wrong.

Well, things have gone south:

pi@HARPi3:~ $ sudo reboot
>>> /etc/sudoers: syntax error near line 1 <<<
>>> /etc/sudoers: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

I managed to mount the SD card in another Linux machine I have and was able to navigate to the /etc folder, change the permissions of the file and delete it. I then copied the sudoers file from the Linux machine to the Pi SD card and thought I would just change the permissions once I had the Pi booted back up. Well, that isn’t working:

sudo visudo -f sudoers
sudo: /etc/sudoers is owned by uid 1000, should be 0
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

It is an absolute shame that it is this difficult to do such a simple task as run a shell script. When I first read the documentation about being able to run a shell script I thought good God, they thought of absolutely everything. That part hasn’t changed, but apparently the idea of being able to run a script did not extend to making it relatively easy to accomplish.

I try my best to do my due diligence to show that I am not just wanting someone to do it for me, but the documentation keeps biting me because the examples tend to leave you hanging. I know this particular task is being done by others in HA, so I know it’s possible, but apparently I am not bright enough to figure it out. And for such a beautiful, wonderfully powerful home automation system, but the average user just isn’t going to invest this sort of time in trying to figure things out. I have been trying to figure this out a couple days before I made my post here. That’s just an unreasonable amount of time to have to invest to run a simple shell script.

Okay, I am back to normal, I think, well at least back to where I started. I had to run chmod --reference systemfile myfile and then chown --reference systemfile myfile

Basically, I mounted the Pi SD card in another Linux machine changed the permissions of the /etc/sudoers file so I could delete it. Then I copied the sudoers file from the Linux machine over to the /etc directory. Then I ran the two above-mentioned commands so that the ownership particularly and permissions matched that of another root owned file in that directory. Took the SD card and plugged it back into the Pi and rebooted.

So I took a long trip around OZ to get back to the point I was, which is a shell script file that won’t run.

I added hass to the sudoers list and the dang shell script still won’t run:

# User privilege specification
root    ALL=(ALL:ALL) ALL
hass    ALL=(ALL:ALL) ALL

What the heck am I doing wrong?? Does anyone have a live example of how they have implemented this??

You don’t need the first line.

For the second, if you want hass not to be prompted for a password when running sudo then you want something like:

hass ALL=(ALL) NOPASSWD: ALL

Of course, there are security issues with doing this. Far better to not run the rsync and ssh as root.

@Tinkerer I agree, there are security issues, but how does one go about running a command that would require elevated privileges, such as the dd command, without an elevated user?

@StormStrikes what you would do is create a script owned by root, in your case this rsync script, then you add a sudoers line like this:

user hass = (root) NOPASSWD: /foo/bar/rsyncscript

This way the hass user can call sudo /foo/bar/rsyncscript and NOTHING ELSE. Since the script is owned by root, the root user is the only one who can modify the script (make sure its permissions are 755 and you’ll be fine).

FYI, don’t edit sudoers manually (or copy it from another host like you did), since sudo (and ssh) are very particular about permissions to avoid potential security issues. Use visudo, which does error checking before saving, otherwise you could end up with a broken file and unable to use sudo. It’s also a good idea to have a root password so that you can log in without having to do annoying recovery steps because you broke sudoers.

@justin8 Just a couple of things, because you have given some information that I have not seen yet.

First, add the line to sudoers just like you posted user hass = (root) NOPASSWD: /path/to/my/rsyncscript ?
I ask because I have not seen it formatted in the way you provided and I just want to make sure.

Lastly, I have been editing sudoers with visudo, however, I ‘think’ I somehow wiped out the contents of the file as when I finally got it open, there were only two curly braces in it. No content, no settings, nothing. Not sure how I did that, but I did see where I needed to use visudo to edit it and was doing so. But in my inexperience with such things I somehow goofed it up. Thankfully I had other machines with Linux on them.

Again, thank you for your post.

EDIT:

One last thing if I may impose upon you. I have the other script file to run as well, the one that will use dd to make a backup image of the SD card.

Do I just add another line to the sudoers file for that, or do you somehow combine them in one line?
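
The restricted-sudo approach described in the thread, as an added example that is not part of any post: it checks that a script is owned by the expected uid and not writable by group or others, then prints one rule in standard sudoers syntax (user host=(runas) NOPASSWD: commands) covering both backup scripts. The function names and the drop-in file name in the comments are hypothetical; the hass user and script paths are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Succeed only if $1 is a regular file (not a symlink) owned by uid $2 and
# not writable by group or others, so only that owner can change what sudo runs.
script_is_locked_down() {
    path=$1 want_uid=$2
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    # ls -ldn prints: mode links uid gid size date name
    set -- $(ls -ldn -- "$path")
    [ "$3" = "$want_uid" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# Print one sudoers rule letting user $1 run exactly the listed commands as
# root without a password. Refuses anything that is not an absolute path,
# because a relative name would not pin down which file sudo may execute.
sudoers_rule() {
    user=$1; shift
    cmds=
    for c in "$@"; do
        case $c in
            /*) ;;
            *)  return 1 ;;
        esac
        cmds=${cmds:+$cmds, }$c
    done
    [ -n "$cmds" ] || return 1
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# Demo: the rule for the two scripts named in the thread.
sudoers_rule hass /usr/bin/harpi3rsync.sh /usr/bin/harpi3ddimg.sh

# To install it, paste the printed line into a drop-in opened with
#   visudo -f /etc/sudoers.d/hass-backup      (hypothetical file name)
# so the syntax is checked before saving, after confirming on the Pi:
#   script_is_locked_down /usr/bin/harpi3rsync.sh 0
# Home Assistant then calls the script through sudo, e.g.
#   backup_config: sudo /usr/bin/harpi3rsync.sh
```

A script run this way executes as root, so an rsync over ssh inside it uses root's ssh keys and known_hosts rather than those of the hass user.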