User Tools

Site Tools


Sidebar

devices:mybookworld:public

Secure PUBLIC folder

BUG: Security settings for PUBLIC folder reset with every reboot
This fix tries to solve this PUBLIC folder security issue: all files and folders existing inside this folder are accessible (read/write) to anyone in the network without asking to login. Thus, anyone may read/create/update/save/delete any file in this folder even if he/she does not have any rights to access the WDMB machine.

SYMPTOMS

Trying to secure the WDMB machine, the sharing permissions must be updated not to allow anyone access. By default the PUBLIC folder will allow unrestricted access. After at least one user is created, it would be nice to restrict file access only to registered users. To do that, the administrator should remove “Everyone” permissions from the PUBLIC folder. This will ask the users to login when they try to access the folder.

  • Login to the web administration interface
  • Access File Sharing tab
  • Press Update Security Settings
  • Pick PUBLIC share to change and then press Next
  • Set Everyone permissions to None
  • Access the PUBLIC from the client machine using \\DEVICE_NAME\PUBLIC (where DEVICE_NAME may by the IP or the NAME of your MYBOOK)

The user is asked to login before accessing the data.

  • Restart the device (by pressing the restart button or executing reboot command in shell)
  • Access the PUBLIC from the client machine using \\DEVICE_NAME\PUBLIC

The user is allowed to access any file without the login prompt

<note tip>Update 04-05-2008:
The BUG was fixed in newer firmware versions greater than 02.00.00</note>

CAUSE

The boot process executes a series of scripts that will override the administrator settings:

  • All SNN scripts in /etc/init.d/ folder are called at the boot (where NN is a number)
  • The script S27shares-cleanup calls /usr/www/lib/removeExternalShares.pl to remove any not existing external shares (ex: USB drives)
/usr/local/bin/perl -I /usr/www/lib /usr/www/lib/removeExternalShares.pl
  • This contains calls to a Perl class used to handle samba configuration changes
use Service::Shares;
Service::Shares->deleteAllExternal();
  • The class file /usr/www/lib/Service/Shares.pm defines the method createDefault()
sub createDefault {
  # Create the default 'Public' share
  my $class=shift;
  my $name=nasCommon->public_sharename;
 
  # create a defoult share if it doesn't exist and make it writable
  # Also, the data volume has to be available (mounted)
  #
  my $s=new Service::Storage( nasCommon->storage_volume );
  if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
  	sudo("$nbin/mkdir.sh ".nasCommon->public_share);
  	sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
  	sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
  }
 
  # Open or create the shares.inc file
  my $smbConf = $class->open( nasCommon->shares_inc );
 
  # First, delete existing Public share, just in case	
  $smbConf->DeleteSection( $name );
 
  # Create the new share
  $smbConf->AddSection( $name );
 
  # Get the list of all users
  my $users=$class->findAllUsers();
 
  # Set up its parameters
  $smbConf->newval( $name, 'path', nasCommon->public_share );
  $smbConf->newval( $name, 'force user', nasCommon->share_guest );
#  $smbConf->newval( $name, 'guest only', 'Yes');
#  $smbConf->newval( $name, 'writeable', 'Yes');
#  $smbConf->newval( $name, 'guest ok', 'Yes' );
  $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
  $smbConf->newval( $name, 'write list',  join(' ',nasCommon->share_guest,keys( %{$users})));
  $smbConf->newval( $name, 'guest ok', 'Yes' );;
 
  # Write the file
  $smbConf->RewriteConfig;
 
  # Make sure the directory exists
  mkdir nasCommon->public_share;
}
  • The default parameter set by this method for the PUBLIC folder share are saved in /var/oxsemi/shares.inc
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=www-data user1 user2
write list=www-data user1 user2
guest ok=Yes
  • At the end of the boot proccess, /etc/init.d/S30network is executed; that will start all network services including samba
  • Samba server will read the configuration setting from the files located in /var/oxsemi/

The configuration for the PUBLIC folder translates in:

  • the path of the folder is /shares/internal/PUBLIC
  • for every new file or folder default owner is www-data
  • allowed users to read files and folders are www-data, user1 and user2
  • allowed users to write/delete files and folders are www-data, user1 and user2
  • allow non registered users

FIX

<note tip>This solution assumes that you've installed SSH access. A small tutorial is available at WD MyBook World Edition Hack.</note>

To fix this issue, we recommend changing the source code of createDefault() method in /usr/www/lib/Service/Shares.pm

  • comment lines 222 to 224
  • add updated previous lines
#  $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
#  $smbConf->newval( $name, 'write list',  join(' ',nasCommon->share_guest,keys( %{$users})));
#  $smbConf->newval( $name, 'guest ok', 'Yes' );;
  $smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
  $smbConf->newval( $name, 'write list',  join(' ',keys( %{$users})));

The final body of the method is:

sub createDefault {
  # Create the default 'Public' share
  my $class=shift;
  my $name=nasCommon->public_sharename;
 
  # create a defoult share if it doesn't exist and make it writable
  # Also, the data volume has to be available (mounted)
  #
  my $s=new Service::Storage( nasCommon->storage_volume );
  if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
  	sudo("$nbin/mkdir.sh ".nasCommon->public_share);
  	sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
  	sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
  }
 
  # Open or create the shares.inc file
  my $smbConf = $class->open( nasCommon->shares_inc );
 
  # First, delete existing Public share, just in case	
  $smbConf->DeleteSection( $name );
 
  # Create the new share
  $smbConf->AddSection( $name );
 
  # Get the list of all users
  my $users=$class->findAllUsers();
 
  # Set up its parameters
  $smbConf->newval( $name, 'path', nasCommon->public_share );
  $smbConf->newval( $name, 'force user', nasCommon->share_guest );
#  $smbConf->newval( $name, 'guest only', 'Yes');
#  $smbConf->newval( $name, 'writeable', 'Yes');
#  $smbConf->newval( $name, 'guest ok', 'Yes' );
#  $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
#  $smbConf->newval( $name, 'write list',  join(' ',nasCommon->share_guest,keys( %{$users})));
#  $smbConf->newval( $name, 'guest ok', 'Yes' );;
  $smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
  $smbConf->newval( $name, 'write list',  join(' ',keys( %{$users})));
 
  # Write the file
  $smbConf->RewriteConfig;
 
  # Make sure the directory exists
  mkdir nasCommon->public_share;
}

RESULTS

Security settings for the PUBLIC folder will reset to a more secure state (compared to the default one) with every reboot. Now, all users are asked to login first before accessing any file in the folder. The resulted samba configuration file /var/oxsemi/shares.inc is

[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=user1 user2
write list=user1 user2
devices/mybookworld/public.txt · Last modified: 2008/05/04 09:03 (external edit)