ReadyNAS shell access redux
When I wrote the original article on how to enable shell access to the ReadyNAS, I was motivated by the need to solve my backup problems. Given the unfulfilled promises from Infrant regarding ssh availability, I was also frustrated, and wanted to share how easy it was to do it yourself. After solving the immediate problem, I did not try to develop a more elegant solution. Fortunately, the web is a big place, and I managed to inspire someone else to come up with a better solution that doesn't require removing any drives. This person, whom I will call "D", has asked to remain anonymous.
Protocol
Here is D's method for changing the root password:
This is a simple approach that exploits the ability to create symbolic links (symlinks) while using NFS, and the ability to traverse symlinks while using AFP (Apple File Protocol). It also exploits the fact that /etc/cron.d is writeable by the admin user, which permits arbitrary crontabs to be created. This will probably require a Macintosh, or another platform which can mount AFP shares.
- Enable NFS and AFP services (Services -> Standard File Protocols).
- Make a share NFS write-enabled and root privilege-enabled (Shares -> NFS).
- Make the same share AFP write-enabled for the admin user (Shares -> AFP).
- Mount the share using NFS.
- Create a symbolic link on the share to /etc (etc -> /etc).
- Mount the share using AFP, as the admin user.
- Create a new crontab file in etc/cron.d/
# example listing for /etc/cron.d/passwd
* * * * * root /usr/sbin/usermod -p '$1$RVWNkJR9$CaniKWqUxyXC3ETsWKrCE1' root
- Reboot the device, to restart cron.
Notes
This would not work if the backend software on the ReadyNAS was configured properly. It turns out that frontview, which is written in Perl, makes system calls directly and executes commands as the admin user. To make life easier on themselves, Infrant allows the admin user to modify key system files such as /etc/cron.d. In fact, the entire frontview interface is owned by admin, so you should be able to mount /frontview the same way that you mounted /etc and modify any of the files that control the web interface. Now that Infrant has been acquired by Netgear, maybe some of this will get cleaned up. I suspect that is why Infrant was promising a 4.0 release of RAIDiator that will include ssh access, and will not be backwards compatible with the current versions of the OS (3.x). Sounds great, doesn't it? Given the amount of time that it takes Infrant to actually deliver on their promises lately, I think that if you want ssh access before 2008, you should probably use the method described above.
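An audit for the two conditions this method depends on, as an added example that is not part of the original article or of Infrant's software: symlinks in an exported share that resolve outside it, and cron paths that are not root-owned or are writable by group or other. The function names, the optional filesystem prefix and the expected-owner argument are assumptions made for the example, and it expects GNU `readlink -f`.

```shell
#!/bin/sh
# Added audit sketch; function names and arguments are illustrative assumptions.

# Print each symlink under share root $1 whose target resolves outside the share.
find_escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        # readlink -f fails on broken chains; report those as unresolvable.
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"|"$root"/*) ;;   # resolves inside the share: fine
            *) printf '%s -> %s\n' "$link" "${target:-<unresolvable>}" ;;
        esac
    done
}

# Print cron paths below filesystem prefix $1 (default: live system) that are
# not owned by $2 (default: root) or are writable by group or other.
find_weak_cron_paths() {
    prefix=${1:-}
    owner=${2:-root}
    for p in "$prefix/etc/crontab" "$prefix/etc/cron.d"; do
        [ -e "$p" ] || continue
        find "$p" ! -type l \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
    done
}

# Usage: sh audit.sh /path/to/share [fs-prefix [owner]]
if [ $# -ge 1 ]; then
    find_escaping_symlinks "$1"
    find_weak_cron_paths "${2:-}" "${3:-root}"
fi
```

Any output from either function is a finding: a link such as `etc -> /etc` in a share, or an `/etc/cron.d` that a non-root account can write to.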
Infrant ReadyNAS shell access
The Infrant ReadyNAS NV is a great backup server or media server. However, the one critical missing feature that will make any power-user break into a cold sweat is ssh shell/root access. My initial reaction was: Huh!? I’m buying this box to store my precious data and you won’t even tell me the root password or give me shell access? Dubious. I’m sure that this has driven away many potential customers. To be fair, Infrant has promised to add this feature in late 2006, but it’s almost December and it hasn’t happened yet.
As it turns out, gaining root ssh access is trivial. You just need:
- Logs from your ReadyNAS
- Computer with a free internal SATA port
- Knowledge of linux
Don’t try this at home kids
This article is not a step-by-step, copy-and-paste walk-through guide. If you are not comfortable working at a root prompt and have no clue about how linux is configured, then this article will not help you. My intended audience is knowledgeable users who want shell access, but have live data on their ReadyNAS boxes and can’t afford to poke around and screw up their backups.
The system partition
The first thing I did after unpacking the ReadyNAS (no drives installed) was to plug it in, connect it directly to my laptop and turn it on. My reasoning was that if the OS runs from a flash memory card, then the system should be accessible even without any disks. This is not the case. Instead, as I had hoped, the ReadyNAS creates a system partition on one of the drives. This means that the problem is essentially the same as that one time when your friend forgot the root password to her linux box and you had to help her “break in”.
Reconnaissance
If the ReadyNAS creates a system partition on a drive, where does that partition live? I’ll give you a hint: Download the logs through frontview and look at them. The file called “partition.log” is a good place to start.
If the ReadyNAS could be booted from a CD and had a monitor and a keyboard, you would just need a linux boot CD and you’d have access. It’s not quite that easy, but the drives are very easy to remove. You’ll just need to plug the drive with the system partition into another computer running linux. If you don’t have linux installed on the system with a SATA controller, try one of the live CDs from Ubuntu or Gentoo. These will even work nicely with a PowerMac G5.
Now that you’ve determined where the system partition lives, shut down your ReadyNAS and remove the drive with the system partition. Plug it into a computer with an internal SATA controller. Turn on the computer.
Break in (through the unlocked front door)
While you were looking at the log files, you probably noticed that the system partition type is ext3, which is not surprising, since the ReadyNAS runs GNU linux. Mount the partition as ext3. That’s it. You can now modify/create/delete files. However, the engineers at Infrant are clever. Enabling shell access is not as simple as modifying /etc/passwd and putting the drive back in your ReadyNAS.
Don’t steal the marked bills
.enc files
While you’re poking around in /etc, you’ll notice some files with “.enc” extensions. These are encrypted versions of the corresponding files without the extensions. The ReadyNAS updates the .enc files after you make changes to the system through frontview. The catch is that when you boot the ReadyNAS, it apparently compares each normal file with the encrypted version. If they are different, then the encrypted version is used to regenerate the normal file. This means that you won’t be able to modify files that are managed by this mechanism. Trust me, I already tried it. For those following along at home, this rules out:
- /etc/passwd
- /etc/exports
- /etc/sudoers
- /etc/inittab
I’m sure we can all dream up a few ways to get around this “security” system. I used the method outlined below.
/root
Anything you add to /root appears to get removed when you put the disk back in the ReadyNAS and reboot the system.
Set a trap
Since the usual targets get reset when you boot the ReadyNAS, one route of attack is to plant a trojan horse that will modify these files after the ReadyNAS boots up. Fortunately, /etc/crontab is not controlled by the security encryption, which makes setting the trap trivial.
Write a shell script to add a user with uid = 0 if the user doesn’t already exist. Add a line to /etc/crontab that executes this script as root every minute or so.
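The protected file list above leaves out cron, so a changed /etc/crontab or a new file in /etc/cron.d survives a reboot. A drift check over those paths, as an added example that is not part of the original article or of Infrant's software: the function names and manifest format are assumptions, and it expects GNU `sha256sum`, paths without whitespace, and a manifest kept off the device.

```shell
#!/bin/sh
# Added drift check; names and manifest format are illustrative assumptions.

# Cron locations, relative to the filesystem root being checked.
CRON_PATHS="etc/crontab etc/cron.d"

# Print "sha256  path" for every regular file under the cron paths of root $1.
cron_manifest() (
    cd "$1" || exit 2
    for p in $CRON_PATHS; do
        if [ -e "$p" ]; then find "$p" -type f; fi
    done | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum -- "$f"
    done
)

# Compare root $1 with saved manifest $2; print ADDED/MODIFIED/REMOVED paths.
cron_drift() {
    now=$(mktemp) || return 2
    cron_manifest "$1" > "$now"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in old)) print "ADDED " $2
           else if (old[$2] != $1) print "MODIFIED " $2 }
         END { for (p in old) if (!(p in seen)) print "REMOVED " p }' "$2" "$now"
    rm -f "$now"
}

# Usage: sh drift.sh baseline / > manifest ; sh drift.sh check / manifest
case "${1:-}" in
    baseline) cron_manifest "$2" ;;
    check)    cron_drift "$2" "$3" ;;
esac
```

The root argument can be the live filesystem or a system partition mounted on another machine.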
Spring the trap
Once you’re happy with your changes, unmount the partition, shut down your computer, and transfer the drive back into the ReadyNAS. Turn it on and wait for it to boot up. Wait a few minutes for the cron job to execute, then log in as your new root user. You’ll probably want to change the configuration settings so that you can log in as a normal user and enable root access via sudo.
Cool… now what?
Well, now you can modify any file you want, install your favorite software, and configure everything exactly the way you want. Slow down. Before you get too excited, let’s think about this for a minute:
- The Infrant processor runs @ ~250 MHz. You’re probably not going to want to run your database-backed app off of the ReadyNAS. It can barely handle ssh file transfers without maxing out the CPU.
- The OS is a minimal version of Debian Linux. It does not have a working build environment.
Come back and look for the next article, which will cover building a sparc-linux cross-compiler with crosstool.
UPDATE
If you arrived at this page from a search engine and you’re looking for an easier way to enable ssh access that doesn’t require futzing with hardware, read this article.
Infrant ReadyNAS hacks
The Infrant ReadyNAS NV is an extremely capable network attached storage (NAS) device that packs some serious power into a tiny box. If you’re in the market for a RAID storage device or perhaps even a home media server, give it a look. You’ll probably be impressed.
The ReadyNAS supports up to 4 drives in RAID 0, 1, 5 or Infrant’s proprietary X-RAID configuration. The X-RAID technology allows you to add drives as you go and the machine automagically configures the RAID to give you redundant storage.
The ReadyNAS uses a proprietary SPARC-based CPU/motherboard, optimized for RAID in a small package. The Raidiator OS is a slightly customized version of Debian GNU/Linux. So, when you buy a ReadyNAS NV, you are actually buying a tiny box optimized for life as a home RAID storage server.
Despite the impressive features, I had second thoughts, because the ReadyNAS doesn’t provide ssh shell/root access. It also doesn’t support rdiff-backup, rsnapshot, or even a version of rsync that plays nicely with Mac OS X (see this site). Shame on Infrant for thinking that power users will want to use their pre-packaged backup solution. In the end, my need for a small-footprint RAID solution for my music library and online backups won out. I bought a disk-less ReadyNAS from eAegis and one 500 GB Seagate Barracuda ES drive from newegg. I plan on adding a second drive soon, but in the meantime…
Since I was already storing data on a stack of external hard drives, there was no immediate rush to transfer all my data to the ReadyNAS. Thus, I had some time to “play” with it before using it as my production backup system. The result is a series of hacks for the Infrant ReadyNAS that I’ve put together in my spare time over the past couple of months.
Outline
In the next few articles, I hope to cover:
The first article covers gaining root ssh shell access. Go read it now.
Building a cross-compiler for the ReadyNAS using crosstool
This process is straightforward using crosstool and building on x86 linux.
Compiling a modified version of rsync that properly stores meta-data from HFS+ filesystems.
Installing Python and the necessary requirements to run rdiff-backup
The ReadyNAS runs Debian Linux, and dpkg is installed. You can download sparc packages and install them. To compile the latest rdiff-backup versions required for use with Mac OS X, you’ll need the cross-compiler. This all works really nicely, except that it’s really slow.
For those of you that were asking, Perl is already installed, so rsnapshot shouldn’t be a problem, although I haven’t tried it yet.