speeding_ant Posted February 2, 2011

Found a security bug with AFP and TimeMachine exports. If you export a share via AFP (time machine enabled) as Private, with guest as username set to no access, the OS will connect as guest (being a valid user) but will still show the share.

limetech (Author) Posted February 2, 2011

> Ran into a few issues getting unRAID 5.0 b3 working on my Slackware Current distro install. I know it's not directly supported, but considering the other issues with drive detection, I thought perhaps it might be related or something to consider when contemplating how to fix this. The main issue seems to be in it not detecting the drives on the LSI1068E controller. It seems to be related to the absolute lack of /dev/disk/by-path entries for the SAS entries. The drives do show up under /dev/disk/by-id. They are /dev/sdg and /dev/sdh respectively. This is on Slackware Current with udev-165-2; I tried reverting down to udev-164-4, udev-164-3, and udev-164-2 without any luck.

Right, SAS support for /dev/disk/by-path was dropped when the author of udev changed a number of helper scripts to C code. There is a patch for this that I applied for 5.0-beta2 and -beta3. However... there are yet more problems with udev-generated /dev/disk/by-path entries, which is causing all the problems being reported in this thread about missing/disappearing/reappearing drives. So I have JUNKED the method of looking at /dev/disk/by-path and instead am using sysfs (/sys/dev/block/*) to generate persistent disk paths.

The code is written and I'm testing now, and hopefully -beta4 tomorrow (Wednesday), well I see it's already Wed, so today sometime

limetech (Author) Posted February 2, 2011

> Found a security bug with AFP and TimeMachine exports. If you export a share via AFP (time machine enabled) as Private, with guest as username set to no access, the OS will connect as guest (being a valid user) but will still show the share.

Does this happen only if export set to "Yes (Time Machine)" vs just "Yes"?

upthetoon Posted February 2, 2011

> The code is written and I'm testing now, and hopefully -beta4 tomorrow (Wednesday), well I see it's already Wed, so today sometime

As beta 4 is already on the roadmap as a feature release and will probably have been referred to elsewhere in the forums would it be easier to call it beta 3.1?

Looking forward to giving this a go

speeding_ant Posted February 2, 2011

> > Found a security bug with AFP and TimeMachine exports. If you export a share via AFP (time machine enabled) as Private, with guest as username set to no access, the OS will connect as guest (being a valid user) but will still show the share.
>
> Does this happen only if export set to "Yes (Time Machine)" vs just "Yes"?

Only if I set it to Yes (Time Machine)

Cheers!

BRiT Posted February 2, 2011

> Right, SAS support for /dev/disk/by-path was dropped when the author of udev changed a number of helper scripts to C code. There is a patch for this that I applied for 5.0-beta2 and -beta3. However... there are yet more problems with udev-generated /dev/disk/by-path entries, which is causing all the problems being reported in this thread about missing/disappearing/reappearing drives. So I have JUNKED the method of looking at /dev/disk/by-path and instead am using sysfs (/sys/dev/block/*) to generate persistent disk paths.
>
> The code is written and I'm testing now, and hopefully -beta4 tomorrow (Wednesday), well I see it's already Wed, so today sometime

Yeah, you've got to love that "return NULL;" implementation of handle_scsi_sas method inside path_id back in version 143 or higher of udev. I'm sorry to hear about the grief you've had to go through with it.

I learned more about udev and its history than I could care for. At least during part of this process I cut out quite a few kernel modules I have no use for.

glenarama Posted February 2, 2011

Am testing this build on a heterogeneous network - AFP seems to be working well but I have a couple of questions.

Time machine doesn't appear to be seeing the shared folder. I simply added a user share and set AFP with time machine on.

Now I have both SMB and AFP shares - does anyone know of a way to prevent the finder showing the duplicate SMB share? I guess disabling bonjour broadcasting of it would be what I'm looking for.

limetech (Author) Posted February 2, 2011

> > > Found a security bug with AFP and TimeMachine exports. If you export a share via AFP (time machine enabled) as Private, with guest as username set to no access, the OS will connect as guest (being a valid user) but will still show the share.
> >
> > Does this happen only if export set to "Yes (Time Machine)" vs just "Yes"?
>
> Only if I set it to Yes (Time Machine)
>
> Cheers!

You're saying if you create a user on unRaid named "guest", and you have a Private share exported with Time Machine support, but in the user access list you specifically say "guest" has "no-access", if you log into the unRaid server via Finder as "guest access" that you can see the share? If so, can you also access the share?

If answer to first question is "yes" this is bug in netatalk (do you need to create a user named "guest"?).

limetech (Author) Posted February 2, 2011

> Am testing this build on a heterogeneous network - AFP seems to be working well but I have a couple of questions.
>
> Time machine doesn't appear to be seeing the shared folder. I simply added a user share and set AFP with time machine on.

speeding_ant says it works.. see if it works for you as a disk share vs. user share.

> Now I have both SMB and AFP shares - does anyone know of a way to prevent the finder showing the duplicate SMB share? I guess disabling bonjour broadcasting of it would be what I'm looking for.

Yes this will be fixed.

JarDo Posted February 2, 2011

> can I down grade back to 4.7?

If you saved a backup of all files you modified/moved/deleted during the 'upgrade' process then yes you can.

I had to go back because I could not access the web interface with this version. I simply reversed the 'upgrade' process by restoring my backed-up files and I'm up and running again with v4.7.

speeding_ant Posted February 2, 2011

> > > > Found a security bug with AFP and TimeMachine exports. If you export a share via AFP (time machine enabled) as Private, with guest as username set to no access, the OS will connect as guest (being a valid user) but will still show the share.
> > >
> > > Does this happen only if export set to "Yes (Time Machine)" vs just "Yes"?
> >
> > Only if I set it to Yes (Time Machine)
> >
> > Cheers!
>
> You're saying if you create a user on unRaid named "guest", and you have a Private share exported with Time Machine support, but in the user access list you specifically say "guest" has "no-access", if you log into the unRaid server via Finder as "guest access" that you can see the share? If so, can you also access the share?
>
> If answer to first question is "yes" this is bug in netatalk (do you need to create a user named "guest"?).

Cheers Tom, spot on. Apologies for poor English, few beers after a busy day of work!!

I'll just remove the guest user, simple solution.

TimeMachine backup finished, and has done a few incrementals over the last few hours without any issue.

glenarama Posted February 2, 2011

> > Am testing this build on a heterogeneous network - AFP seems to be working well but I have a couple of questions.
> >
> > Time machine doesn't appear to be seeing the shared folder. I simply added a user share and set AFP with time machine on.
>
> speeding_ant says it works.. see if it works for you as a disk share vs. user share.

Turning on a disk share did not help - I did find some strange behaviour - Flash only has an SMB share option - though turning it on enables AFP. The SMB share of flash remained even after turning the flash SMB share off.

For disk1 the SMB control seems to turn on and off both SMB and AFP - the AFP share option has no effect.

Rebooting the mac fixed this. Temporarily - switching shares between SMB and AFP quickly gets things into a state of confusion where SMB sharing alters both. I'm now seeing this for both user and disk shares. Rebooting the server fixes things until you start flipping options back and forth a little.

I still however - cannot get time machine to see a drive - I'll try a quick reboot of the mac now that AFP is active on the server and report back.

Rebooting the mac did not help.

EdgarWallace Posted February 2, 2011

I moved to 5.03b because of the AFP support (..a huge THANK YOU).

Quick summary:

* I had to assign all drives (a screenshot from the 4.7 config is very helpful)
* I'm able to access all shares

The caveat is that I have the same access issues as peter_sm. After reboot it works just fine but after a while I see the same picture that he attached.

Some more updates. I removed some more lines from the GO file. Here is the old one:

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &
    #
    # unMENU
    echo "/boot/unmenu/uu" | at now + 1 minute
    #
    cd /boot/packages && find . -name '*.auto_install' -type f -print | sort | xargs -n1 sh -c
    #
    # Powerbutton clean shutdown
    CTRLALTDEL=yes installpkg /boot/packages/powerdown-1.02-noarch-unRAID.tgz
    [ -f /sbin/powerdown ] && mv /usr/local/sbin/powerdown /usr/local/sbin/unraid_powerdown
    [ -f /sbin/powerdown ] && sed -i "sX/usr/local/sbin/powerdownX/sbin/powerdownX" /etc/acpi/acpi_handler.sh
    [ ! -f /usr/local/sbin/unraid_powerdown ] && sed -i "sX/sbin/init 0X/sbin/powerdownX" /etc/acpi/acpi_handler.sh
    sysctl -w kernel.poweroff_cmd=/sbin/powerdown

..and here is the new one:

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &

Here are the things working now after the cleanup and a reboot in addition to those mentioned in my previous post:

* I have full access to the webinterface
* SMB, AFP is working fine

So either unMenu or the Clean Powerdown Script is the delinquent.

One issue that was also discovered here is that the webinterface just dies as soon as I add NFS to one of my shares.

The question I have is what should be removed if you are one of those guys who used:

HOW-TO: AFP announced over Avahi: http://lime-technology.com/forum/index.php?topic=4521.0

and:

HOW-TO : Samba announced over Avahi: http://lime-technology.com/forum/index.php?topic=4173.0

I just removed the respective line from the GO file and I guess that the installed files are not an issue.

Avahi:

* libcap-2.14-i486-1.tgz
* dbus-1.2.6-i486-1.tgz
* gcc-4.2.4-i486-1.tgz
* avahi-0.6.25-i486-1as.tgz
* /boot/configfiles/samba.service

Netatalk:

* netatalk-2.0.5-i486-1pur.txz
* /boot/config/afp/netatalk/*
* /boot/config/afp/avahi/*
* /boot/config/afp/etc/*

Are the config files causing any trouble? I think so as Timemachine is not working.

* afpd.conf
* afppasswd
* netatalk.conf
* AppleVolumes.default
* AppleVolumes.system
* atalkd.conf
* netatalk.conf
* papd.conf
* afpd.service
* passwd
* shadow

BRiT Posted February 2, 2011

> The question I have is what should be removed if you are one of those guys who used:
>
> HOW-TO: AFP announced over Avahi: http://lime-technology.com/forum/index.php?topic=4521.0
>
> and:
>
> HOW-TO : Samba announced over Avahi: http://lime-technology.com/forum/index.php?topic=4173.0

Remove anything and everything you customized by following that HOW-TO. Everything should now be native and included in unRAID 5.0 beta 3. Let unRAID itself handle it. If it doesn't do something correctly, then report it as a bug. There should be no need for those addons.

The upgrade process said to delete the passwd/shadow/smbpasswd files. I'm guessing in your case you should start with none of the additional configuration files from a previous install, likely meaning the following files:

    # afpd.conf
    # afppasswd
    # netatalk.conf
    # AppleVolumes.default
    # AppleVolumes.system
    # atalkd.conf
    # netatalk.conf
    # papd.conf
    # afpd.service

The only config file you should have at the start is your network.cfg/share.cfg/disk.cfg/ident.cfg/super.dat/*.key and the config/shares/ directory.

RobJ Posted February 2, 2011

> I've followed all the instructions from the OP and upgraded to this latest beta from 4.7, but I am unable to access the UnRaid WEB GUI.

You probably saw the following post, but just in case ...

http://lime-technology.com/forum/index.php?topic=10660.msg101427#msg101427

peter_sm Posted February 2, 2011

Hi,

More about NFS..

Every time I add NFS to one of my shares, the webinterface just dies. The solution I use is to remove the share config file in /boot/config/shares, then restart "emhttp", then the web interface is OK, so this looks like exactly the same issue I have in 4.6, but that issue solved TOM :-)

See my attached logs in previous post :-9

//Peter

Is it going to be a new beta with a NFS fix soon? if not I can easily go back to 4.7.

BR Peter

peter_sm Posted February 2, 2011

One more thing, I have all my hidden disk shares connected on my Windows 7 machine, but when I click on one share I don't have any permission to browse these, my flash disk is OK from windows.

Anyone else see this? Or am I doing something wrong?

BR Peter

EdgarWallace Posted February 2, 2011

> Remove anything and everything you customized by following that HOW-TO. Everything should now be native and included in unRAID 5.0 beta 3. Let unRAID itself handle it. If it doesn't do something correctly, then report it as a bug. There should be no need for those addons.
>
> The upgrade process said to delete the passwd/shadow/smbpasswd files. I'm guessing in your case you should start with none of the additional configuration files from a previous install, likely meaning the following files:
>
>     # afpd.conf
>     # afppasswd
>     # netatalk.conf
>     # AppleVolumes.default
>     # AppleVolumes.system
>     # atalkd.conf
>     # netatalk.conf
>     # papd.conf
>     # afpd.service
>
> The only config file you should have at the start is your network.cfg/share.cfg/disk.cfg/ident.cfg/super.dat/*.key and the config/shares/ directory.

Thanks BRiT - will do. For a clean system I'm going to delete the following files from /boot/packages as well as these were all needed in the two HOW-TO's:

* libcap-2.14-i486-1.tgz
* dbus-1.2.6-i486-1.tgz
* avahi-0.6.25-i486-1as.tgz
* netatalk-2.0.5-i486-1pur.txz

Unfortunately something was going wrong with the last reboot. Because of lack of unMENU I tried to reboot via keyboard ALT-CTL-DEL. Didn't work; instead the server came up with a parity check; still running and no webinterface access. I even can't restart emhttp:

    root@Tower:/boot# /usr/local/sbin/emhttp &
    [1] 1683
    root@Tower:/boot# ps
      PID TTY          TIME CMD
     1462 pts/0    00:00:00 bash
     1734 pts/0    00:00:00 ps
    [1]+  Segmentation fault      /usr/local/sbin/emhttp

Is there any way to prevent that NFS is being started with the next reboot? Maybe by editing share.cfg shareNFSEnabled="yes" to shareNFSEnabled="no"?

limetech (Author) Posted February 2, 2011

> Is it going to be a new beta with a NFS fix soon? if not I can easily go back to 4.7.
>
> BR Peter

Yes later today.

CHBMB Posted February 2, 2011

> One more thing, I have all my hidden disk shares connected on my Windows 7 machine, but when I click on one share I don't have any permission to browse these, my flash disk is OK from windows.
>
> Anyone else see this? Or am I doing something wrong?
>
> BR Peter

Yes, I had this problem too, has taken me ages to find out what the problem was! Finally stumbled on it more by accident than design.

Navigate to your network in Windows 7, and double click on tower, you should be able to see your shares. Right click on any that aren't accessible, and select properties, then click on the DFS tab, then the clear history button. All should be fine after that. (I have no security on any of my UnRAID shares at the moment.)

My question is... Is S3 sleep supported in UnRaid 5, has the proc\acpi command been replaced with the cat state one? Was trying to get S3 working in 4.7 but was having a few problems. Thought I'd try the 5 beta but now the button in UnMENU doesn't even work.

peter_sm Posted February 2, 2011

> > One more thing, I have all my hidden disk shares connected on my Windows 7 machine, but when I click on one share I don't have any permission to browse these, my flash disk is OK from windows.
> >
> > Anyone else see this? Or am I doing something wrong?
> >
> > BR Peter
>
> Yes, I had this problem too, has taken me ages to find out what the problem was! Finally stumbled on it more by accident than design.
>
> Navigate to your network in Windows 7, and double click on tower, you should be able to see your shares. Right click on any that aren't accessible, and select properties, then click on the DFS tab, then the clear history button. All should be fine after that. (I have no security on any of my UnRAID shares at the moment.)
>
> My question is... Is S3 sleep supported in UnRaid 5, has the proc\acpi command been replaced with the cat state one? Was trying to get S3 working in 4.7 but was having a few problems. Thought I'd try the 5 beta but now the button in UnMENU doesn't even work.

It looks like the S3 is not in this build, Tom can you add that on next revision? Like 4.7.

And I also see that the UPS package is not working ... See below, I have the UPS connected on my USB port

    UPS Status (from /sbin/apcaccess status)
    Error contacting host localhost port 3551: Connection refused

And thanks for the new release later today :-)

Great JOB with version 5, TOM

CHBMB Posted February 2, 2011

This is what I've got under the APC info in UNmenu

    UPS Status (from /sbin/apcaccess status)
    APC      : 001,036,1061
    DATE     : Wed Feb 02 16:26:49 Local time zone must be set--see zic manual page 2011
    HOSTNAME : Server
    RELEASE  : 3.14.3
    VERSION  : 3.14.3 (20 January 2008) slackware
    UPSNAME  : Server
    CABLE    : Custom Cable Smart
    MODEL    : Back-UPS ES 700G
    UPSMODE  : Stand Alone
    STARTTIME: Wed Feb 02 16:16:39 Local time zone must be set--see zic manual page 2011
    STATUS   : ONLINE
    LINEV    : 236.0 Volts
    LOADPCT  : 49.0 Percent Load Capacity
    BCHARGE  : 100.0 Percent
    TIMELEFT : 12.5 Minutes
    MBATTCHG : 10 Percent
    MINTIMEL : 5 Minutes
    MAXTIME  : 120 Seconds
    SENSE    : Medium
    LOTRANS  : 180.0 Volts
    HITRANS  : 266.0 Volts
    ALARMDEL : Always
    BATTV    : 13.6 Volts
    LASTXFER : Unacceptable line voltage changes
    NUMXFERS : 0
    TONBATT  : 0 seconds
    CUMONBATT: 0 seconds
    XOFFBATT : N/A
    STATFLAG : 0x07000008 Status Flag
    MANDATE  : 2010-10-08
    SERIALNO : 5B1041T28900
    BATTDATE : 2000-00-00
    NOMINV   : 230 Volts
    NOMBATTV : 12.0 Volts
    FIRMWARE : 871.O2 .I USB FW:O2
    APCMODEL : Back-UPS ES 700G
    END APC  : Wed Feb 02 16:27:24 Local time zone must be set--see zic manual page 2011

CHBMB Posted February 2, 2011

Oh Peter,

Did the Windows 7 trick work for you? Was your problem the same as mine?

ATB

Neil

peter_sm Posted February 2, 2011

> Oh Peter,
>
> Did the Windows 7 trick work for you? Was your problem the same as mine?
>
> ATB
>
> Neil

Hmmm, I can't find the DFS

CHBMB Posted February 2, 2011

Here's a screenshot of mine. But just checked and you're right there is no DFS tab on my music share.