View the full version: question about wl700gE booting (and passwd file)



MoD
29-10-2006, 18:44
I do not understand the booting sequence of the router. I studied Oleg's modified wl500g series firmware and the dd-wrt project firmware sources to understand how I can create a password-protected telnet shell. This is what I understood:

There is a modification of rc.c file (as there is no full source of firmware v.1.0.46 and the rc.c file is missing, I am working with firmware v.1.0.42). The idea is that in function main_loop() you are modifying /tmp/passwd file.

This is what the original /tmp/passwd file looks like:


root::0:0:root:/:/bin/sh
guest::35000:42000:guest:/:/bin/sh

This is what the original /tmp/group file looks like:


root::0:root
users::42000:

I added a new function to rc.c:


#include <stdio.h>
#include <sys/stat.h>   /* stat(), mkdir() */
#include <crypt.h>      /* crypt() */
#include <bcmnvram.h>   /* nvram_get() */

/* create /etc/{passwd,group} */
void make_etc(void)
{
    FILE *f;
    char *name, *pass;
    struct stat buf;    /* was used below without being declared */

    /* crypt using md5, no salt */
    name = nvram_get("http_username1") ? : "admin";
    pass = crypt(nvram_get("http_passwd1") ? : "admin", "$1$");

    /* create homedir for root account */
    if (stat("/tmp/root", &buf) != 0) {
        mkdir("/tmp/root", 0700);
    }

    /* root entry gets the hashed password; the guest entry is written unchanged */
    if ((f = fopen("/tmp/passwd", "w"))) {
        fprintf(f, "%s:%s:0:0:root:/tmp/root:/bin/sh\n"
                   "guest::35000:42000:guest:/:/bin/sh\n", name, pass);
        fclose(f);
    }

    if ((f = fopen("/tmp/group", "w"))) {
        fprintf(f, "root:x:0:%s\nusers::42000:\n", name);
        fclose(f);
    }
}

The function make_etc() should create a home directory for the root account in the /tmp directory and modify the /tmp/passwd and /tmp/group files. The function is executed in the main_loop() function right before /* loop forever */. However, when I compile the firmware and flash it to the router, the changes in the /tmp directory are not seen.

I even created the firmware with a modified make_etc() function that creates only a /tmp/root directory:


/* create /etc/{passwd,group} */
void make_etc(void)
{
    mkdir("/tmp/root", 0700);
}

The result was the same - there are no changes in /tmp folder.

The problem

I think that by the time the make_etc() function is executed, /tmp is not yet mounted?! Could it be so?

Can anybody explain how the default /etc/passwd and /etc/group files are created in /tmp?

MoD
29-10-2006, 20:28
The directory /tmp is mounted in function sysinit(), which is called in function main_loop() before make_etc() is called.

I do not understand where my changes in /tmp are gone...:mad:

MoD
29-10-2006, 21:03
There is a command in function sysinit():


mkdir("/tmp/var",0777);

Right after that I added:


mkdir("/tmp/root",0777);

After compiling and flashing the firmware I see the /tmp/var directory but there is no /tmp/root directory.

Can anyone comment, retry this thing to test if my environment is buggy?! What are your results?

DaNawq
29-10-2006, 23:19
Damn, I've written so much and then got logged out ;(

Short: compile vi in busybox - telnet in - vi /shares/MYVOLUME1/__pdc - add encrypted password to root - compile login with busybox

That's for now - I'm in a hurry ;)

Can help later :P

/etc/passwd symlinks to /tmp and symlinks finally to /sh../MYVO.../__pdc/passwd

MoD
30-10-2006, 05:56
Damn, I've written so much and then got logged out ;(

Short: compile vi in busybox - telnet in - vi /shares/MYVOLUME1/__pdc - add encrypted password to root - compile login with busybox

That's for now - I'm in a hurry ;)

Can help later :P

/etc/passwd symlinks to /tmp and symlinks finally to /sh../MYVO.../__pdc/passwd

I remember that you wrote http://wl500g.info/showthread.php?t=6521 but I am trying to avoid using the vi approach and do it the same way as wl500g. As my listing shows, it is not true that /tmp/passwd is symlinked as you mentioned here http://wl500g.info/showpost.php?p=33786&postcount=2:. Or am I mistaken?


# ls -l /etc
-rwxr-xr-x 1 root root 131 Jan 1 1970 buildinfo.txt
-rwxr-xr-x 1 root root 16 Oct 28 12:38 fdisk_fat32_claim_commands.txt
lrwxrwxrwx 1 root root 10 Jan 1 1970 group -> /tmp/group
-rw-r--r-- 1 root root 17 Jan 1 1970 host.conf
lrwxrwxrwx 1 root root 11 Jan 1 1970 hostid -> /tmp/hostid
lrwxrwxrwx 1 root root 10 Jan 1 1970 hosts -> /tmp/hosts
lrwxrwxrwx 1 root root 16 Jan 1 1970 hosts.allow -> /tmp/hosts.allow
lrwxrwxrwx 1 root root 15 Jan 1 1970 hosts.deny -> /tmp/hosts.deny
-r--r--r-- 1 root root 4268 Jan 1 1970 image_vars.txt
drwxr-xr-x 1 root root 28 Jan 1 1970 init_scripts
-rw-r--r-- 1 root root 2825 Jan 1 1970 ld.so.cache
-rw-r--r-- 1 root root 14 Jan 1 1970 ld.so.conf
-rw-r--r-- 1 root root 17 Jan 1 1970 nsswitch.conf
lrwxrwxrwx 1 root root 11 Jan 1 1970 passwd -> /tmp/passwd
lrwxrwxrwx 1 root root 16 Jan 1 1970 resolv.conf -> /tmp/resolv.conf
-rwxr-xr-x 1 root root 10707 Jan 1 1970 services
-rwxr-xr-x 1 root root 4408 Jan 1 1970 vsftpd.conf


# ls /tmp -l
drwx------ 1 root root 0 Oct 29 14:51 cache-mt-daapd
drwxr-xr-x 1 root root 0 Oct 29 14:50 configuration_share
drwxr-xr-x 1 root root 0 Jan 1 2000 disk_names
-rw-r--r-- 1 root root 0 Jan 1 2000 disk_updating_lock
drwxr-xr-x 1 root root 0 Jan 1 2000 disks_going
-rw-r--r-- 1 root root 6733 Oct 29 15:02 diskstatus
drwxr-xr-x 1 root root 0 Jan 1 2000 etc
-rw-r--r-- 1 root root 0 Jan 1 2000 file_variable_updating_lock
drwxr-xr-x 1 root root 0 Jan 1 2000 foreign_share_info
drwxr-xr-x 1 root root 0 Jan 1 2000 foreign_shares_going
-rw-r--r-- 1 root root 9 Oct 29 14:50 global_shares_list
--wsr-T--- 1 root root 27 Oct 29 14:50 group
-rw-rw-rw- 1 root root 42 Oct 29 15:02 hosts
-rw-r--r-- 1 root root 131072 Jan 1 2000 lowcase.dat
-rw-r--r-- 1 root root 329 Oct 29 14:51 mt-daapd.conf
-rw-r--r-- 1 root root 40 Oct 29 14:50 nas.lan.conf
-rw-rw-rw- 1 root root 60 Oct 29 14:50 passwd
drwxr-xr-x 1 root root 0 Oct 29 14:50 pool_share_cifs_exports
drwxr-xr-x 1 root root 0 Jan 1 2000 pools_going
drwxr-xr-x 1 root root 0 Jan 1 2000 raid
-rw-r--r-- 1 root root 137 Oct 29 14:50 raidtab
drwxr-xr-x 1 root root 0 Jan 1 2000 rc_action_incomplete
drwxr-xr-x 1 root root 0 Jan 1 2000 rc_notification
drwxr-xr-x 1 root root 0 Jan 1 2000 reserved_foreign_share_names
-rw-r--r-- 1 root root 0 Oct 29 14:50 resolv.conf
drwxr-xr-x 1 root root 0 Jan 1 2000 samba
drwxr-xr-x 1 root root 0 Jan 1 2000 share_name_mappings
drwxr-xr-x 1 root root 0 Jan 1 2000 shares_going
-rw------- 1 root root 205 Oct 29 14:50 smbpasswd
-rw-r--r-- 1 root root 0 Oct 29 14:52 syslog.log
-rw-r--r-- 1 root root 131072 Jan 1 2000 upcase.dat
drwxr-xr-x 1 root root 0 Jan 1 2000 usb_disks
drwxr-xr-x 1 root root 0 Jan 1 2000 var

I could try to compile the make_etc() function that modifies /shares/MYVOLUME1/__pdc/passwd, however it does not explain why my changes are not saved in the /tmp directory. Why can I not make a directory root in the /tmp directory?

Could it be that there is code that copies everything from /shares/MYVOLUME1/__pdc/ to /tmp? Does anybody know how and when these passwd and group files are generated when you compile and flash a fresh firmware? I'm not so good in Linux.