Sunday, January 13, 2013

Synology, OpenSSH & BASH (the proper way)

Synology OpenSSH

I wrote in a past article about how to set up your Synology NAS to use OpenSSH, closing down a weird backdoor access in the process.  In that article, I warned you to be careful, because if you messed up you could lose access to your NAS.  Well, I should have taken my own advice as I did just that, and ended up locking myself out of my root account.

So, having to redo everything with a more experienced eye, I present a better (and safer) methodology to access your NAS via OpenSSH.  Throughout this, I strongly suggest keeping a terminal open with root user logged in so you can verify and fix things along the way.

If you get locked out of your root account, the only solution is to reinstall the system partition.  This should leave your data entirely safe, but as always it's advisable to make a backup first.

Boss User

Doing daily routines while logged in as root is considered dangerous since you can inadvertently do real and irrevocable damage with an errant "rm -r *" command or the like.  The preferred method is to do your daily business with a less privileged account and only act as root when you need it.

For this, we'll create a new user via the web interface control panel.  For our example, we'll use the name "boss".  Be sure to give all permissions to this new user, especially adding him to the "administrators" group.

Now to prep the boss account, log in as root and execute:

mkdir -p /var/services/homes/boss
chown admin:administrators /var/services/homes/boss
ln -s /var/services/homes /homes

To enable ssh access, edit the "/etc/passwd" file.  Find the line that starts with "boss" and change "/sbin/nologin" to "/bin/sh":

boss:x:1026:100::/var/services/homes/boss:/bin/sh

Verify you can ssh into the NAS with the boss account.

SU Command

To run a command as root, you use the "su" command, which effectively lets you become root.  However, the stock install seems to have the permissions set incorrectly, which prevents you from using the command.  The "su" command is actually just a symlink to "busybox", so the suid bit has to go on the busybox binary itself (and therefore applies to every applet symlinked to it, not only "su").  Set it while logged in as root with:

chmod 4755 /bin/busybox

You can test this by logging in as "boss" and trying:

su - -c whoami

If it returns "root" (after entering your password) then it is working.

Use OpenSSH & BASH

Assuming you've bootstrapped your system, install the relevant packages:

ipkg install bash
ipkg install zlib
ipkg install openssh

We can now configure our accounts to use this shell.  We'll do so in a more careful manner, though, to protect against future DSM updates which might make the BASH binary unreachable.  Edit the ~/.profile file for your user and add this at the end:

if [ -x /opt/bin/bash ] ; then
  # use the full path so the binary we exec is the one we just tested for,
  # rather than relying on /opt/bin already being in PATH
  exec /opt/bin/bash
fi

This will run the normal "sh" shell during login and then switch to "bash" only if it exists.  You can then put your normal bash configuration in ".bashrc" as usual.


Disable Root Access

If your NAS is visible to the internet then you'll want to disable the root ssh account entirely.  You can do this by adding the line "PermitRootLogin no" to the /etc/ssh/sshd_config file.

You should also disable the "admin" and "guest" users from accessing the web interface.  You will use the "boss" account for all your operations.  You do this from the "Users" part of the control panel.
  1. Log into the web interface as the "boss" user from above.
  2. Edit the "admin" and "guest" accounts and check the "Disable this account" box.
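To check the result of the passwd edit in the Boss User section and of the "PermitRootLogin no" change above, here is a small audit script.  It is an added example, not part of the original post; the passwd and sshd_config files it reads are constructed inline so it runs anywhere, and on the NAS you would point the two functions at /etc/passwd and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the original post): list which accounts still have
# an interactive login shell, and check whether sshd_config disables root login.

# Print "user:shell" for each account whose shell is not a nologin-type shell
# (e.g. /sbin/nologin or /bin/false). Those are the accounts sshd can start a
# session for, assuming they also have a password set.
login_capable_users() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Return 0 (true) unless the first uncommented PermitRootLogin directive is
# "no". sshd uses the first occurrence of a keyword; an absent directive falls
# back to sshd's default, which on OpenSSH releases of that time was "yes".
# Match blocks are not handled by this simple check.
root_login_permitted() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$v" != "no" ]
}

# Constructed sample input mirroring the accounts discussed in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0::/root:/bin/sh
admin:x:1024:100::/var/services/homes/admin:/sbin/nologin
guest:x:1025:100::/var/services/homes/guest:/sbin/nologin
boss:x:1026:100::/var/services/homes/boss:/bin/sh
EOF
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
EOF

echo "accounts with a login shell:"
login_capable_users "$tmp/passwd"
if root_login_permitted "$tmp/sshd_config"; then
    echo "root login over ssh: PERMITTED"
else
    echo "root login over ssh: disabled"
fi
```

Remember that sshd reads its config only at start-up, so the PermitRootLogin change takes effect after the ssh service is restarted.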

SUDO Convenience

If you want to really get fancy, you can install the "sudo" package.  This will let you run individual commands as root (e.g. "sudo mkdir /homes/foo").

su -
ipkg install sudo

While still root, edit the file "/opt/etc/sudoers".  Find this line:

# %wheel ALL=(ALL) ALL

Remove the leading "#" character, and change "wheel" to "Administrators".

%Administrators ALL=(ALL) ALL

This gives all users in the "Administrators" group sudo access.
You can use this variant to skip the password prompt when using it... be careful though!

%Administrators ALL=(ALL) NOPASSWD: ALL

Saturday, January 12, 2013

rsync Mystery

After a long hiatus, I ventured onto my Synology NAS and discovered there were a few DSM updates pending.  The updates themselves add some pretty fantastic functionality, like Airplay support directly from the NAS and your own personal Cloud.  However, after the updates my automated rsync backup (Cygwin -> NAS) was failing with "rsync: command not found" indicating the rsync binary could not be found on the remote server.

Investigation

I could ssh to the NAS and execute "which rsync" to see that it was in "/usr/syno/bin/rsync" which was in my PATH variable.  However, when I ran "ssh root@foo 'which rsync'" I got nothing.  So I tried "ssh root@foo 'echo $PATH'" and I got a different path from when logged in directly!

Solution

To be honest I've no idea why the paths are different.  My guess is that the ~/.profile file is not being sourced during rsync connectivity.  Anyway, the easy-out was to create a symlink from somewhere on the standard path to the actual rsync binary: "ln -s /usr/syno/bin/rsync /opt/bin/rsync" and all worked well once more.
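The PATH difference seen above can be reproduced locally without a NAS.  The following is an added example, not part of the original post: a login shell (sh -l) sources ~/.profile, while the non-login "sh -c" that sshd uses to run a one-off remote command such as "ssh root@foo 'which rsync'" does not, so whatever ~/.profile adds to PATH is absent there.  The throwaway HOME and its fake opt/bin directory are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): show that ~/.profile is read by
# a login shell but not by the non-login "sh -c" used for remote ssh commands.

# Constructed throwaway HOME with a .profile that prepends a fake opt/bin,
# standing in for /opt/bin on the NAS.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
mkdir -p "$demo_home/opt/bin"
cat > "$demo_home/.profile" <<EOF
PATH="$demo_home/opt/bin:\$PATH"
export PATH
EOF

# PATH as seen by a login shell (what an interactive ssh session gets).
login_path() {
    HOME="$demo_home" sh -l -c 'echo "$PATH"'
}

# PATH as seen by a non-login shell (what "ssh host 'cmd'" gets).
remote_cmd_path() {
    HOME="$demo_home" sh -c 'echo "$PATH"'
}

# Return 0 if the directory $2 is one of the colon-separated components of $1.
path_has_dir() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "login shell PATH:    $(login_path)"
echo "remote command PATH: $(remote_cmd_path)"
```

Besides the symlink fix from the post, rsync's own "--rsync-path=/usr/syno/bin/rsync" option names the remote binary explicitly and needs no change on the NAS at all.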