Senior Member
Enable telnet password
As you know, utelnted hack is not good because the telnet daemon is not password protected. I just found an info: http://www.nslu2-linux.org/wiki/HowT...TheCommandLine
witch gave me an ide that on wl700gE by default there is no /etc/passwd file and because of that the telnet is not password protected. What I am trying to say is that in order to enable password we should enable it in busybox and cretate /etc/passwd to the place where is stored the actual password.
is anyone interested to try this idea?
Member
I'm game. The only problem is you can't write anything to /etc/, or anywhere outside the /shares/ directory. So it would either have to be put somewhere else, and somehow linked to, which I believe there is a passwd file somewhere on the HD, or it would have to be compiled in with the rest of the firmware.
Senior Member
you have to study the source and maybe also makefile scripts. it should be possible to add symlink yourself when you create modified firmware. on v1.0.42 there where services_ex.c file whitch retrieved dhcp and dns options from nvram and cretaed config files. I dont know if it helps to look at it so that at the same time you can create symlink, or symlink can be created at the time when firmware is compiled. mkcramfs is the place where to look at.Originally Posted by fireflash
I hope this helps.
Member
I'll do some checking around when I get home later and see what I can make of the sources & Makefiles. I'm not very knowledgable when it comes to this stuff, but so far I've had pretty decent luck making things work. I may also enable Login through Busybox and see what that does for me. I know it won't give me a password option, but it might enlighten me a bit more as to how it's working.
There is a passwd file stored in /tmp, which I believe is writeable.
Senior Member
hmm. isnt there a symlink from /etc/passwd to /tmp/passwd?
Member
Yes there is. The system will probably use it when the need arises. The trick is getting it to use it. Another user of this forum stated a while back that while you can enable login and passwd through busybox, the passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware (probably stored in flash or something). Although the newest version of the firmware may fix this.
I'll know more when I get home tonight.
Senior Member
what does it mean "passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware". i guess the /temp dir is on the ram par and changes made in passwd file is erased on router reboot. or am I mistaken? doesnt /etc/passwd have write access?Yes there is. The system will probably use it when the need arises. The trick is getting it to use it. Another user of this forum stated a while back that while you can enable login and passwd through busybox, the passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware (probably stored in flash or something). Although the newest version of the firmware may fix this.
I'll know more when I get home tonight.
Senior Member
from here http://wl500g.info/showpost.php?p=33207&postcount=4 I see that there is no /etc/passwd symlink: (Must be done directly on the router with telnet and vi for example)
is there /etc directory ? on what filesystem is it? what are the access rights for /etc/passwd ?
Senior Member
OpenMSS
as openmss is similar to wl700ge (also linux with hdd, but not a router), it has similar problems. http://www.openmss.org/forum/viewtopic.php?t=218
you can search that forum with keyword passwd
Senior Member
another aproach - patch the busybox passwd applet:
http://mailman.uclinux.org/pipermail...er/029894.html
http://mailman.uclinux.org/pipermail...er/030266.html
http://mm.aueb.gr/~vpk/p2pwnc/downlo...bear-HOWTO.txt
Last edited by MoD; 25-10-2006 at 20:35.
Member
Ok. Certain accessable parts of the root filesystem, as far as I can tell, are either not stored on the hard drive, or are stored on the hard drive, but use a different file system called cramfs. Everything that shows up as being a cramfs filesystem can not be written to. You can read all the files, but can't write anything to those areas. That includes /, /etc, /bin, /sbin and I'm sure a few others. Here's a screen dump of mount:
Any directory that is not defined in this list, other than anything that appears on the hard disk, is mounted under / using the cramfs filesystem. It may say it's read/write, but theres no writing. When you run df, you get this:/dev/ide/host2/bus0/target0/lun0/part2 on / type cramfs (rw)
/dev on /dev type devfs (rw)
proc on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
ramfs on /tmp type ramfs (rw)
ramfs on /shares type ramfs (rw)
ramfs on /foreign_shares type ramfs (rw)
/dev/se/2 on /shares/MYVOLUME1 type reiserfs (rw)
Whatever the / and all it's subdirectories are being stored on, it's got only enough room for what was compiled to be there.. No more, no less. It's almost like having a CD or DVD in the drive. It is what it is, and it can't be modified.# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ide/host2/bus0/target0/lun0/part2 44620 44620 0 100% /
/dev/se/2 160200416 19757784 140442632 12% /shares/MYVOLUME1
You're not accessing the hard drive until you've entered /shares/MYVOLUME1. Everything after that is on the hard disk and safe from boot-time purges.. With the exception of the Personal Photo Gallery website, stored under /shares/MYVOLUME1/MYSHARE1/web, which seems to get re-written at every boot. Which is annoying since thats where I turn on untelnetd
Based on what was said about the 1.0.4.2 firmware, the password utility had a problem writing a new passwd file. Things have changed a bit in the 1.0.4.6 firmware, because the location of a writeable passwd file that DaNawg mentioned no longer exists, and is now located in /tmp. Now /tmp and a couple other mount points show up as ramfs, which leads me to believe that there might be a small ramdisk set up, which is bad because everytime the router gets turned off or rebooted, everything in that directory is lost, and re-wrote upon boot up with a pre-packaged set of files. If this is the case, then the passwd file needs to get moved to the hard drive where it won't be erased everytime the router is rebooted. Moving the file is easy, changing the symlink is not, since that resides in /etc, which as I stated before, is mounted with the cramfs filesystem, which is probably heavily compressed and/or encrypted, and cannot be modified through the shell.
Modifying busybox to look in a different location for the passwd file looks promising. If it can be tweaked to look in another place besides /etc, then the need to redo the symlink in /etc goes away, for now. Any location after /shares/MYVOLUME1 is safe, as you'll be writing to the hard drive. There's even an etc directory under MYVOLUME1, which is not symlinked back to the root /etc. Unlike the MYVOLUME1/bin directory which unfortunately is just a symlink to /bin on the root filesystem.
Hopefully this help clears things up a bit, and I didn't confuse you too much.
Senior Member
How to deal with utelnetd, try this: http://wl500g.info/showpost.php?p=33213&postcount=5
it is good news that passwd is stored in /tmp. You can write a script witch saves password in nvram or hdd and upon boot write it to /tmp file. The same method is user in wrt54g linksys routers. they do not have a hdd storage.
dhcp, dns config files are created at boot time and stored int /tmp directory (take a look at services_ex.c file from firmware 1.0.42).
as for "Modifying busybox to look in a different location for the passwd file looks promising" I'm not sure if you dont need to modify other shell files also to point to use the new passwd file for authentification. passwd applet does olny the password change job. not authentification. But I'm not an expert.
I think more promising is to make /etc/passwd symling to a safe place stored passwd
Last edited by MoD; 26-10-2006 at 08:11.
Member
I'm still trying to find the set of instructions that creates the passwd file symlink in /etc. I'm working with the 1.0.4.6 source code, which doesn't have services_ex.c, as far as I know. My current line of thinking is to stick with the 1.0.4.6 code, since it's the latest, and try and make sense of it, instead of reverting back to 1.0.4.2.
Also, the file they refered to in one of those links you provided doesn't seem to be in our version of busybox. They may be using a newer version of busybox, which I'd like to get working at some point, but right now trying to compile it along with the rest of the router's source brought up a whole bunch of dialog and errors that I need to dive further into. For safety sake I'm still using the version provided to us by broadcom/asus.
Senior Member
maybe this can help you:
http://linuxant.hit.bg/Embedded-Linux-Howto.html
http://interactive.linuxjournal.com/node/4551
http://www.linuxjournal.com/article/4678
http://www.linuxjournal.com/article/7848
http://www.linuxjournal.com/article/4335
http://www.linuxjournal.com/article/4527
http://www-128.ibm.com/developerwork...ry/l-embl.html
http://dpnm.postech.ac.kr/emLinux/
http://www.uclinux.org
Last edited by MoD; 27-10-2006 at 23:13.
Senior Member
there is an intresting files in apps/mipsel/apps/bin directory
for exaple look at shell script rcex
Posting Permissions
Reply With Quote