Installing SlimServer on a LinkStation

[Page 1] Page 2 [Page 3] [Page 4]

Root Access.

Now that you have done the basic set-up, you are ready to move on to the fun stuff! To accomplish the task of installing and running SlimServer, you need to be able to log into the LinkStation as "root."

Root is a special account on a Linux system. Logging in as root gives you complete control over the system. Think of it as Administrator access in Windows. Certain programs and data files are accessible only when logged in as root. Important: If, after you are done installing SlimServer, you telnet into your LinkStation to poke around, I recommend you do not do so as root. It is a good idea to log in as root only when absolutely necessary because a Linux system will do whatever root commands, even if it means destroying the system. To quote a signature I saw on usenet: "He who play in root eventually kill tree."

Since the LinkStation runs the GNU/Linux OS, the root account already exists. The problem is that the password is not generally known. The password is stored in encrypted form in a file called /etc/passwd, but you cannot just change the password in this file, because, of course, this file is editable only by root (a bit of a Catch-22). So, we are going to take advantage of a security hole in the LinkStation web server (the program that provides the web pages you used to configure your LinkStation) to make the /etc/passwd file editable by anyone, including the user you created in the basic setup (I will refer to this account as your "regular user"). Here is what you need to do: Telnet into your LinkStation and log in as the regular user.

Telnet is a means of logging into a machine remotely, i.e., from another machine. On Windows, this means going to the start menu, selecting the "Run..." command, and typing "cmd" (without the quotation marks; this applies to all the commands you are going to run). Then type "telnet" and the IP address of your LinkStation, as below:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\marc>telnet 192.168.13.133
Trying 192.168.13.133...
Connected to 192.168.13.133.
Escape character is '^]'.

BUFFALO INC. Link Station series HD-HLAN (HIDETADA)

LINKSTATION login: marc
Password:
Linux (none) 2.4.17_mvl21-sandpoint #990 2004ǯ 5 21 13:39:00 JST ppc unknown
marc@LINKSTATION:~$

Once you are logged in, you are going to create a file (actually a script; a small program) that will change the permissions of /etc/passwd (a file's permissions determine who is authorized to do various things to the file, such as view or edit). Once you create the script, you will have to run it so that it can actually do the work of changing the permissions of /etc/passwd. You will do this through the LinkStation's web interface (see below for an explanation of why you must do it this way). First, create a new directory for the file: type "mkdir /www/cgi-bin3". (Note that Linux is case-sensitive, i.e., "THIS" is not the same as "this." You will need to follow the capitalization of the various commands exactly as provided in this article.) Then, change to the new directory: "cd /www/cgi-bin3". Next, you need to create a file (you can call it hackme.cgi) with the following contents:

#!/bin/sh 
chmod 666 /etc/passwd

Windows users have two options for creating this file. The first option is to create the file on your Windows machine and get it into place on your LinkStation. The second option is to create the file using the vi text editor on your LinkStation. Although the first option is easier initially (if you're unfamiliar with vi), you will have an easier time later if you acquire some basic knowledge of vi (e.g., if you need to make a quick edit to a file on your LinkStation). Also, this is not the only file you will need to create or edit to complete this project. I recommend investing a few minutes learning vi, but it's up to you.

Using Windows. If you choose to create the file on your Windows machine, you will have to convert the line endings to unix format. If you use a good text editor (such as EditPad) to create your file, your editor will also be able to convert the line endings for you. Once you finish creating the file, copy it to your network share. Next, you need to copy the file into place in /www/cgi-bin3, so telnet into your LinkStation and type: "cp /mnt/name-of-network-share/hackme.cgi /www/cgi-bin3". Your file is now in place. You can skip the next two paragraphs and proceed to the paragraph on making the script executable.

Using vi. vi is not like a typical Windows editor. It can be very frustrating to work with if you do not know what you are doing, so I will start with some background before beginning with the instructions. First, you need to understand that vi has two modes: command mode and text entry mode. In text entry mode, you can edit the contents of the file pretty much just as you would expect. In command mode, you do things like move the cursor, save your file, and quit the program (you also can do certain "special" editing functions such as deleting entire lines, so be careful!). When in command mode, keys will not do what you would normally expect because keys generate completely different actions in this mode than they do in text entry mode (e.g., in command mode, "dd" will delete one line; in text entry mode, "dd" will insert "dd" at the cursor). With that bit of background, let's get going: Open the "vi" text editor to create the file: "vi hackme.cgi" (to open vi and create a new file or edit an existing one, you can always type "vi " plus the name of the file, including the path to the file if you are not in the file's home directory). vi starts in command mode. You can enter text entry mode by typing "i" (insert). Now you can enter the contents of the file (the two lines above). You can even copy the text from your web browser and paste it into vi (the Windows terminal program has a "paste" menu item). When done, press the escape key to get back to command mode. Then type ":wq". The ":" tells vi you're entering a special type of command, "w" tells it to write the file (i.e., save), and "q" says to quit. If you want to start over and do not want to save your file, hit the escape key and use ":q!". If you get stuck in vi, check out one of the many vi command references on the web (a simple one: http://nhoyt.com/reference/vi.html).

Potential roadblock: If you are connecting from a Linux xterm, vi may not start, complaining of an unknown terminal type ("vi: xterm: unknown terminal type"). If this happens, you need to add a terminal entry for xterm. A quick fix is to copy the vt100 entry: "cp /usr/share/terminfo/v/vt100 /usr/share/terminfo/x/xterm". You probably cannot do this unless you are root, though, so you will have to get root access first, and copy the terminal entry later. This means you will have to create the hackme.cgi script on another machine, copy it to the LinkStation via smb or NFS, telnet into the LinkStation, and finally copy it to /www/cgi-bin3.

Once you have hackme.cgi in place, you will need to make it executable, i.e., so the LinkStation will know that it's a script (program) and not just a data text file (this is similar to adding the .bat extension to a DOS batch file so the OS knows it can be executed as a program): "chmod +x /www/cgi-bin3/hackme.cgi". You can then make sure it worked by doing "ls -lF /www/cgi-bin3/hackme.cgi" (the "ls" command lists files (like "dir" in DOS); the l and F switches cause ls to provide additional details beyond just the file names). You should see a * to the right of the file name (as below), indicating the file is executable.

marc@LINKSTATION:/www/cgi-bin3$ chmod +x /www/cgi-bin3/hackme.cgi
marc@LINKSTATION:/www/cgi-bin3$ ls -lF /www/cgi-bin3/hackme.cgi
total 1
-rwxrwxrwx    1 marc     hdusers        34 Dec  4 02:46 hackme.cgi*
marc@LINKSTATION:/www/cgi-bin3$

Now you are ready to execute the script. Switch to your web browser and go to the following URL: http://IP-address-of-your-LinkStation/cgi-bin3/hackme.cgi. Your browser may ask you whether to open or save the file. Just click cancel, because the script has already executed at this point. To check that it worked, go back to the terminal and type "ls -lF /etc/passwd", and you should see -rw-rw-rw- in the permissions column as below:

marc@LINKSTATION:~$ ls -lF /etc/passwd
-rw-rw-rw-    1 root     root          388 Jan 22 22:25 /etc/passwd

An aside: Why can't you just execute your script from the command line (i.e., why must you go through the web browser)? If you did just execute the script from the command line, the script would fail because your regular user does not have the necessary rights to change the permission attributes of /etc/passwd. However, the web server operates as if run by root (with root's privileges) and therefore does have the necessary rights. Running the web server as root is, of course, a security hole that would not exist on a well-secured machine, so it is a good idea to keep your LinkStation behind your firewall.
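
Because the web server runs with root's privileges, any place under the web root that a non-root user can create or change is a place where that user can get a script run as root. The following check is an added example, not part of the original article; the function names are made up for illustration, and /www is assumed to be the web root, as on the LinkStation.

```shell
#!/bin/sh
# Added example (not from the original article): list the places under a web
# root where a non-root user can plant or alter a script that the web server
# would then run with its own (root) privileges.
# The function names are hypothetical; /www is the LinkStation web root.

# Usage: untrusted_web_paths WEBROOT [TRUSTED_UID]
# Prints directories, and files their owner can execute, that are not owned
# by TRUSTED_UID (default 0, i.e. root) or are writable by group or other.
untrusted_web_paths() {
    webroot=$1
    trusted_uid=${2:-0}
    find "$webroot" \
        \( -type d -o \( -type f -perm -0100 \) \) \
        \( ! -user "$trusted_uid" -o -perm -0020 -o -perm -0002 \) \
        -print | sort
}

# Exit status 0 only when nothing is reported, so the check can gate a script.
web_root_is_locked_down() {
    [ -z "$(untrusted_web_paths "$@")" ]
}

# On the device, as root:
#   untrusted_web_paths /www
# Each reported directory should end up owned by root with mode 755, and each
# reported script owned by root and not writable by group or other.
```

An empty result means only root can add or modify what the web server executes.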

Now that you can edit /etc/passwd, you can change root's password to one you know! You can't just type in a new password because /etc/passwd stores passwords in encrypted form. However, you do know your regular user's password, and it's already listed in encrypted form in /etc/passwd. So if you copy the password string for your regular user to root's entry in /etc/passwd, root will have the same password as your regular user. In that case, you will have root access! You might want to create a backup of the file first, just in case: create a directory on /mnt for your backup, "mkdir /mnt/old-stuff", then "cp /etc/passwd /mnt/old-stuff/passwd-backup". If you need to revert to the backup, "cp /mnt/old-stuff/passwd-backup /etc/passwd". Then enter "vi /etc/passwd" to edit the file. The /etc/passwd file will look something like this:

root:kiopuyfdmnbvu:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
operator:*:12:0:operator:/root:
ftp:*:15:14:ftp:/var/ftp:
nobody:*:99:99:nobody:/home:/bin/sh
marc:piuyljhblouhliu:100:1000::/home:/bin/bash

The encrypted password is the text between the first two colons ("kiopuyfdmnbvu" for root in the above example). You need to delete root's password text (in vi, you can go to the first character of the password text and type "dw" (delete word); you may have to do "dw" more than once if there are non-alphabetic characters in the encrypted password). Then type "i" to enter text entry mode, and enter your regular user's encrypted password string between the colons (you can even use copy/paste from the edit menu of the Windows terminal or your Linux xterm). In the example above, you would want root's line to read as follows (and you would want to leave the rest of the file untouched):

root:piuyljhblouhliu:0:0:root:/root:/bin/bash

Once you are done, see if everything works. Open another terminal window, leaving the current session running (in Windows, go back to the Start menu, select "Run...", and type "cmd" again). Now telnet in again, but this time enter "root" as your user name. Your regular user's password should get you in. (If it does not, you can go back to the original telnet session and make sure you edited /etc/passwd correctly.) If it did work, you probably should get rid of the hackme script and change your /etc/passwd file's permissions back: First, "rm /www/cgi-bin3/hackme.cgi"; then "chmod 644 /etc/passwd".
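
To confirm the clean-up took, you can audit the passwd file for what this procedure leaves behind: a world-writable file, and root sharing a password string with another account. This script is an added example, not part of the original article; the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd-format file
# for the state this procedure leaves behind. Function names and the finding
# labels are hypothetical.

# Succeeds if "other" has write permission (position 9 of the mode string).
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Print groups of accounts whose password field is identical, e.g. "root,marc".
# Locked or shadowed entries (empty, *, x, !...) are skipped.
shared_hash_accounts() {
    awk -F: '
        $2 != "" && $2 != "*" && $2 != "x" && $2 !~ /^!/ {
            count[$2]++
            names[$2] = (names[$2] == "" ? $1 : names[$2] "," $1)
        }
        END { for (h in count) if (count[h] > 1) print names[h] }
    ' "$1" | sort
}

# Print one finding per line; return 1 if anything was found.
audit_passwd() {
    file=${1:-/etc/passwd}
    rc=0
    if is_world_writable "$file"; then
        echo "WORLD_WRITABLE $file"
        rc=1
    fi
    for group in $(shared_hash_accounts "$file"); do
        echo "SHARED_HASH $group"
        rc=1
    done
    for name in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$file"); do
        echo "EXTRA_UID0 $name"
        rc=1
    done
    return $rc
}

# On the device: audit_passwd /etc/passwd
```

After "chmod 644 /etc/passwd" the WORLD_WRITABLE line disappears; SHARED_HASH stays until root is given its own password with the "passwd" command.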


Copyright © 2005-2006 Marc D. Field. Third party brands and marks are the property of their respective owners.