Many people have lost root access to their Seagate Centrals after a particular firmware upgrade. Here I attempt to provide a procedure to recover root access that is as painless as possible. Note that there are a few alternative procedures posted elsewhere on the internet; however, my procedure has the advantage over the others that it does NOT require access to an external Linux system because it makes use of the Linux software running on the Seagate Central itself. It also does NOT require you to crack open the Central and take out the hard drive.
I'm assuming that you have a little bit of prerequisite knowledge before we begin. Namely …
- You know how to establish an ssh session into your Seagate Central. (If you don't then why do you want root access?)
- You know how to transfer files between your external computer and your Seagate Central. (If you don't then what are you using a Seagate Central for??)
- You understand a few basic computer file concepts like "files", "directories", "copying", "zipping" and "editing". (If you don't then, Hello there Grandma Jones! I'm thrilled that you're reading my blog!!)
Part 1 : Try to revert to the "old" firmware.
If you have a non-blank root password, and if the previously running firmware on your Seagate Central did have sudo/root access enabled, then first try the procedure in the previous blog post called "Revert to previous firmware on Seagate Central" and then proceed to "Part 3 : Make sure root access is enabled from now on". If reverting to the old firmware doesn't work then proceed to Part 2 below.
Part 2 - Create then load a modified firmware image
In this part we are going to take a Seagate Central firmware image, modify it to remove the "su" disabling functionality, and then load it back onto the Central. Our friends at Seagate might be somewhat alarmed by this step but I hope they come to the conclusion that anyone who is technically literate enough to perform this procedure is probably trustworthy enough to deserve "su" access to their beloved Central. In addition, I think the spirit of the GNU General Public Licences, which Seagate uses extensively for software in the Central product, means that the software should be able to be improved and modified, which is what we're doing here.
Note this procedure involves running a number of Linux/Unix commands. I have developed this method on the assumption that we are going to perform this procedure using the Linux system running on the Central itself. You can use an external Linux box to perform these steps; however, I think that for many people who have a Seagate Central, the Central may be the only Linux system they have easy access to!! That is why this technique makes use of the Central itself and not an external system.
Step 1 : ssh into the Seagate Central. In this procedure I use the "admin" account but you can use any existing username you've set up on the system.
Create a new directory to perform our procedure in and navigate to that directory. In this example we create a new directory called "firmware".
admin@Seagate-5A4B6C:~$ mkdir firmware
admin@Seagate-5A4B6C:~$ cd firmware
admin@Seagate-5A4B6C:~/firmware$
Step 2 : Obtain a copy of your desired version of Seagate Central Firmware and upload it to the new folder on the Central.
I got my firmware by navigating to the Seagate Download finder tool at https://apps1.seagate.com/downloads/request.html and entering the required details. You need to enter your Seagate Central's serial number and what country you live in and then you'll be given a download link.
In the example shown here I downloaded a file called Seagate-HS-update-201509160008F.zip. You have to decompress/unzip this file to get an "img" file. You can do this on the PC you downloaded the file to and then transfer the "img" file to the new "firmware" folder on the Seagate Central, or you can upload the zip file to the new "firmware" folder on the Seagate Central and decompress it on the Central.
admin@Seagate-5A4B6C:~/firmware$ unzip Seagate-HS-update-201509160008F.zip
Archive: Seagate-HS-update-201509160008F.zip
inflating: ReadMe.pdf
inflating: Seagate-HS-update-201509160008F.img
Confirm that the image is in the "firmware" folder.
admin@Seagate-5A4B6C:~/firmware3$ ls -l *.img
-rw-r--r-- 1 admin admin 130199138 Nov 17 21:52 Seagate-HS-update-201509160008F.img
Step 3 : Obtain a copy of the squashfs-tools for Seagate Central.
I have compiled binary versions of these tools (version 4.3) for the Seagate Central and made them available at the following links
If you don't trust my binaries (I swear I stopped spying for North Korea months ago) and want to make them yourself then you can obtain the source code from the squashfs-tools homepage at http://squashfs.sourceforge.net/ . You can also find instructions for compiling binaries for the Seagate Central using an external Linux system at https://sites.google.com/site/modcentralnas/ .
You can use your external PC to obtain these binaries and then upload them to your Central, or if your Seagate Central has internet access then you can download the files directly to the Central by running the "curl" commands as follows.
admin@Seagate-5A4B6C:~/firmware$ curl -L -O https://sites.google.com/site/seagatecentralenhancementclub/squashfs-tools/mksquashfs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  343k  100  343k    0     0  60087      0  0:00:05  0:00:05 --:--:--  288k
admin@Seagate-5A4B6C:~/firmware$ curl -L -O https://sites.google.com/site/seagatecentralenhancementclub/squashfs-tools/unsquashfs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  257k  100  257k    0     0  48704      0  0:00:05  0:00:05 --:--:--  299k
Now change the attributes of the files so that they are executable.
admin@Seagate-5A4B6C:~/firmware$ chmod a+x mksquashfs
admin@Seagate-5A4B6C:~/firmware$ chmod a+x unsquashfs
Note : If you are performing this procedure on an external Linux system instead of on the Central then you'll have to get the version of the squashfs-tools for your particular Linux distribution. You can't run the binaries seen above; they only work on the Seagate Central.
Step 4 : The Seagate firmware image is in gzipped tar format. Decompress the image with the following "tar" command. This takes about 30 seconds to complete.
admin@Seagate-5A4B6C:~/firmware$ tar -zxpvf Seagate-HS-update-201509160008F.img
rfs.squashfs
uImage
config.ser
Step 5 : Extract the new firmware's filesystem.
Here we use the unsquashfs tool you downloaded in Step 3 to extract the file system contained in the Seagate firmware image. Note that this can take about 500M of disk space! This takes about 2 minutes to complete.
admin@Seagate-5A4B6C:~/firmware$ ./unsquashfs rfs.squashfs
You may see some error messages similar to the following. Just ignore them.
create_inode: could not create character device squashfs-root/dev/apm_bios, because you're not superuser!
You should now have a new directory called "squashfs-root" in your firmware folder. This contains the new filesystem that we are going to modify.
Step 6 : On many Linux systems, including the Seagate Central, access to the "su" command is governed by the "/etc/pam.d/su" configuration file.
In the new Seagate Central firmware there is a section in this file which disables "su" access for regular users as follows…
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
auth required pam_wheel.so deny group=users
We need to re-enable root access for normal users by editing this file in the new firmware. Here we use the "nano" editor as follows.
admin@Seagate-5A4B6C:~/firmware$ nano squashfs-root/etc/pam.d/su
Once the editor is open, scroll down about 20 lines to the text as seen above and add a "#" to the start of the "auth required" line to comment it out and disable it. After making the change the section looks like this
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
#auth required pam_wheel.so deny group=users
Save your changes by typing Control-X to exit, then answering "Y" when you're asked to "Save modified buffer" and pressing enter to confirm the "File Name to Write".
Step 7 : If you have a blank root password the new firmware will reset it to a secret value each time the system boots with the startup script "/etc/init.d/finish".
Here we will change this behaviour so that instead of using a secret value, we use a known value. In this example we set the root password to "test123". Obviously change "test123" to something unique for your system. We edit the "finish" startup script as follows
admin@Seagate-5A4B6C:~/firmware$ nano squashfs-root/etc/init.d/finish
Once the editor is open, scroll to the very bottom of the file and add the following lines to the end of the file.
# Is the root password set as blank?
if grep -q "^root:x:" /etc/passwd
then
    # Change the root password to test123.
    echo "root:test123" | chpasswd
    # Make sure the changes are in the Central's backup config folder.
    rsync -Rva /etc/passwd /usr/config/backupconfig
fi
Save your changes by typing Control-X to exit, then answering "Y" when you're asked to "Save modified buffer" and pressing enter to confirm the "File Name to Write".
N.B. You might think it's a bit insecure setting the root password to a value just specified in a script file. Well it is! That's why in Step 10 we change the root password again to something else.
Step 7.5 : Make sure that the "sudo" and "su" commands have the correct Unix file attributes.
In some versions of Seagate Central firmware the "sudo" and "su" commands do not have the required "read" and "set userID" file attributes set.
This isn't the case in all versions of firmware but just to make certain run the following commands.
admin@Seagate-5A4B6C:~/firmware$ chmod 4555 squashfs-root/usr/bin/sudo
admin@Seagate-5A4B6C:~/firmware$ chmod 4555 squashfs-root/usr/bin/su
To check that the changes have taken effect run the following "ls" commands and check that the "r" (readable) and "s" (set userID) bits as seen below are present for each file.
admin@Seagate-5A4B6C:~/firmware$ ls -l squashfs-root/usr/bin/su
-r-sr-xr-x 1 admin admin 23692 Sep 17 09:06 squashfs-root/usr/bin/su
admin@Seagate-5A4B6C:~/firmware$ ls -l squashfs-root/usr/bin/sudo
-r-sr-xr-x 1 admin admin 87316 Sep 17 09:06 squashfs-root/usr/bin/sudo
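Before repacking the image it is worth confirming that the edits from Steps 6, 7 and 7.5 actually landed in the unpacked tree, since a missed edit costs a 30 minute reflash. The following check is an added example, not part of the original procedure; the function name audit_tree is made up for illustration and it assumes the Central's shell provides grep -E, ls and cut.

```shell
#!/bin/sh
# Added example (not from the original post): audit the unpacked firmware
# tree before repacking. Prints one line per problem; returns 0 if clean.
# audit_tree is a hypothetical name; grep -E, ls and cut are assumed present.
audit_tree() {
    root=${1:-squashfs-root}
    problems=0

    # Step 6: pam.d/su must exist and carry no active pam_wheel deny rule.
    if [ ! -f "$root/etc/pam.d/su" ]; then
        echo "etc/pam.d/su: file is missing"
        problems=$((problems + 1))
    elif grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+deny' \
            "$root/etc/pam.d/su"; then
        echo "etc/pam.d/su: pam_wheel deny rule is still active"
        problems=$((problems + 1))
    fi

    # Step 7: the sample password printed in the write-up must be replaced.
    if grep -q 'root:test123' "$root/etc/init.d/finish" 2>/dev/null; then
        echo "etc/init.d/finish: still sets the published sample password"
        problems=$((problems + 1))
    fi

    # Step 7.5: su and sudo must be mode 4555, which ls shows as -r-sr-xr-x.
    for bin in su sudo; do
        mode=$(ls -ld "$root/usr/bin/$bin" 2>/dev/null | cut -c1-10)
        if [ "$mode" != "-r-sr-xr-x" ]; then
            echo "usr/bin/$bin: mode is '${mode:-missing}', expected -r-sr-xr-x"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Paste the function into the ssh session and run "audit_tree squashfs-root" from the firmware directory; a non-zero return means at least one edit needs redoing before the image is rebuilt.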
Step 8 : Run the following commands to create a new firmware image called Seagate-allow-root.img. Note that the first command (mksquashfs) takes about 5 minutes and the second (tar) takes about 3 minutes to complete. Also note that we are using the least powerful compression level (1) in the mksquashfs command because this lets the command run most quickly. You can use any number up to the most powerful compression level "9"; however, the command could then potentially take hours to run for the sake of saving maybe only a few megabytes.
admin@Seagate-5A4B6C:~/firmware$ ./mksquashfs squashfs-root rfs.squashfs -all-root -noappend -Xcompression-level 1
admin@Seagate-5A4B6C:~/firmware$ tar -cvzf Seagate-allow-root.img rfs.squashfs uImage config.ser
Step 9 : Upgrade the Seagate Central with the new firmware.
First, and this bit is optional, I'd suggest copying your newly created firmware, "Seagate-allow-root.img", to your local PC hard drive. It will be about 140MB so if you don't want to use up the space then don't worry about it.
Next start the upgrade procedure by logging in as admin to the Seagate Central management web page in your web browser, and navigating to the "Settings" tab, then the "Advanced" menu, then the "Firmware Update" page.
From here click on the "Browse" or "Choose file" button and in the file dialogue box that appears navigate to the new software you've created, "Seagate-allow-root.img". Now click on the "Install" button and let the upgrade process commence. The management web page should show a progress bar as the upgrade proceeds.
If you like you can get a scrolling live log of the progress of the upgrade by running the command "tail -f /var/log/syslog" in an ssh session on the Central while the upgrade is occurring. Hit Control-C to stop viewing the log. Most of the output of the log is useless but if you see something that is obviously indicative of an error or a problem then perhaps you can cut and paste it and add it as a comment to this blog post so we can take a look.
It took the firmware upgrade on my test Central system about 30 minutes to complete. Also it seemed to be stuck at the "86%" mark for ages according to the progress meter on the management webpage.
Once the system has booted up your new firmware should be running and you should have root access again.
Part 3 : Make sure root access is enabled from now on
Step 10 : If your root password has been changed to "test123" as per "Step 7" then you should change your root password to something else, because any user can look at that /etc/init.d/finish script and see that the root password could be changed to that. Do this by logging in as root and running the following commands.
Seagate-5A4B6C:~$ su root
Password: test123
Seagate-5A4B6C:/Data/admin# passwd
Enter new UNIX password: I-love-my-Central
Retype new UNIX password: I-love-my-Central
passwd: password updated successfully
Seagate-5A4B6C:/Data/admin# cp /etc/passwd /usr/config/backupconfig/etc/
Seagate-5A4B6C:/Data/admin# cp /etc/shadow /usr/config/backupconfig/etc/
Step 11 : Make sure "su" is enabled from now on, even after another firmware upgrade.
The Seagate Central stores a backup of all its important configuration files in the "/usr/config/backupconfig" folder. Every time the Central boots up it copies the contents of this folder to the root filesystem. If you want to see the details then have a look at the "/etc/init.d/firmware-init-1bay" startup script on the Seagate Central.
Incidentally this is why some people complain that when they set a root password on the Central it reverts to blank or the old password after a reboot. You have to make sure that your password changes are reflected in the "/usr/config/backupconfig" folder as well as the normal locations, otherwise they'll be overwritten on a reboot.
The way the new Seagate Central firmware disables "su" access is by changing the "/etc/pam.d/su" file. (See Step 6 for details)
At this point, because we have root access now, we know that the system is using a version of the "/etc/pam.d/su" file that works properly.
What we want to do is copy this working version of "/etc/pam.d/su" to the "/usr/config/backupconfig" folder so that each time the Seagate Central boots up this "good" version of the file is restored even if a firmware upgrade tries to modify it.
As root run the following commands
Seagate-5A4B6C:~# mkdir -p /usr/config/backupconfig/etc/pam.d
Seagate-5A4B6C:~# cp /etc/pam.d/su /usr/config/backupconfig/etc/pam.d/
Note that from now on if you decide to modify the "/etc/pam.d/su" file for any reason, say to restrict "su" access to certain users, you'll have to remember to copy the changes to the "/usr/config/backupconfig/etc/pam.d/su" file as well, otherwise your changes will be lost on reboot.
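Because a forgotten copy only shows up after the next reboot, a quick comparison of the live files against their backupconfig copies catches the problem early. This is an added example, not part of the original procedure; backup_drift is a made-up name, the file list is the three files this post changes, and it assumes cmp is available on the Central.

```shell
#!/bin/sh
# Added example (not from the original post): list files whose live copy and
# boot-time backup copy disagree. backup_drift is a hypothetical name; cmp is
# assumed to be available. Run as root so that /etc/shadow is readable.
backup_drift() {
    live=${1-}                                  # "" means the real root, /
    backup=${2:-/usr/config/backupconfig}
    drift=0
    for f in etc/passwd etc/shadow etc/pam.d/su; do
        if [ ! -f "$backup/$f" ]; then
            echo "$f: no backup copy under $backup"
            drift=$((drift + 1))
        elif ! cmp -s "$live/$f" "$backup/$f"; then
            echo "$f: differs from backup (or unreadable), reboot will overwrite it"
            drift=$((drift + 1))
        fi
    done
    [ "$drift" -eq 0 ]
}
```

Run "backup_drift" with no arguments as root after any password or pam.d/su change; no output and a zero return mean the live files and the backup copies match.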
Conclusion
If you have performed the procedures above but still can't get root access then please let me know at what point things seemed to fail and any relevant details. I'm keen to make this procedure work for everyone. In addition if you notice any errors, things that need correcting, or suggestions to improve this procedure then I'm keen to hear about that too.
Just to briefly mention, if things have failed there is yet another alternative. You can crack open the Central (goodbye warranty), take out the hard drive and mount it on an external system, manually modify the files we manipulated above (init.d/finish pam.d/su) as per the steps above, then put the drive back into the Central. You can certainly do this with a Linux system and possibly even a Windows system (maybe). If there's anyone who needs a procedure to do that then let me know and I'll try to write one up.
Finally, there is one rather clever alternative procedure for creating the modified firmware as we did in Part 2. It makes use of an automated script running on an external Linux system. You can find that here
Good luck!
Edit 3-Aug-2017 : Modified Part 3 Step 10 to add copying the "/etc/shadow" file to /usr/config/backupconfig/etc after you change your root password as well. SFAIC