Sunday, February 26, 2017

Simple OpenBSD File Server

These days, when people think of a file server, they assume that it must support Windows CIFS (a.k.a. SMB or Samba).  A few grizzled sysadmins know that NFS would be much, much simpler to set up and almost nobody would consider using FTP.

Well, that is too bad, since for many situations, anonymous FTP is best and it works purrfectly on my little OpenBSD netbook.

FTP is a very simple protocol: it only talks when it has to and is completely quiet otherwise.  It has none of the chattiness and incessant 'CACA' packets of CIFS.  It is extremely easy to set up and has native support in all operating systems.  Even Windows can do anonymous FTP transparently and can map an FTP server to a drive letter, thus enabling any program to connect to the server directly.

Some will speak up and say that FTP is insecure.  Well, yes, but so are NFS and CIFS.  The difference is that FTP doesn't even pretend to be secure.  The joke is that nowadays, since script kiddies are unfamiliar with FTP, it is more resistant to ransomware than CIFS.  BTW, don't use FTP with password authentication - the passwords are sent in the clear, making it quite useless.

The Samba manual is about 2 inches thick, while the configuration file for an FTP server is only about a dozen lines.  Need I say more?

Consider that if a network file system is insecure, then it means that any naughty user can read/write/modify anything.  Samba has oodles of configuration features to control access.  These features are useless.  They only work with honest users who won't give you any trouble anyway and do nothing against naughty users.  All that these fancy features do is make the system hard to set up and maintain!

When you have a home or office with ten or twenty users, who just need a centralized place to store data that can be regularly backed up and you don't want to waste any time managing it, then an anonymous FTP server could be ideal, since you don't have to waste any time with accounts, passwords and access controls.

Set it and forget it - KISS.

Configuration Frustrations

I installed vsftpd using pkg_add:
# pkg_add vsftpd

Simple as that.

In Linux, the package manager is different for each distribution, otherwise, it is the same idea.

Example Configuration File:
$ cat /etc/vsftpd.conf
anonymous_enable=YES
anon_root=/ftp/pub
local_enable=YES
write_enable=YES
anon_other_write_enable=YES
local_umask=0000
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=ftp
chown_upload_mode=0664
nopriv_user=_ftp
ftpd_banner=VsFTPd. Cool, eh?
chroot_list_enable=YES
chroot_list_file=/etc/ftpchroot
userlist_enable=YES
userlist_file=/etc/ftpusers
secure_chroot_dir=/var/empty
pasv_min_port=49152
pasv_max_port=65535
text_userdb_names=YES
listen=YES


The problem with setting up an FTP server is that the configuration for the server also depends on the local file system access restrictions (ditto for Samba and NFS).

In an attempt to frustrate a hacker, I run the server as an unprivileged user _ftp and make the directory tree owned by a different unprivileged user called ftp.  Ensure that these two users do not have a login shell: use /usr/sbin/false instead of bash or ksh.  You can run the adduser script to make these accounts if required.

The chown_upload_mode=0664 is a relatively new parameter. All the other older guides on the web don't show this option and this is the main reason why I wrote this guide.

When you specify:
anon_root=/ftp/pub
write_enable=YES
anon_other_write_enable=YES

then this does nothing, so I set it to 0000 as a reminder:
local_umask=0000

and you instead need:
chown_upload_mode=0664

That took me a long while to figure out.

Directories and Permissions

I made a tree /ftp/pub/data like this:
# mkdir -p /ftp/ftp  
# mkdir -p /ftp/pub/data
# chown root:ftp /ftp/pub/data
# chmod 1777 /ftp/pub/data


That makes the data directory owned by root:ftp and sticky so that new files will inherit that ownership, irrespective of who uploaded the files, thus ensuring that anyone can download them again.
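As an added example (not part of the original post), here is a small pre-flight check for the configuration and directory layout described in the two sections above: it parses a vsftpd.conf, verifies the anonymous-upload keys and that the daemon's unprivileged user differs from the account that ends up owning uploads, and checks that the data directory is exactly 1777. write_sample_conf() writes a constructed vsftpd.conf so the checks can be tried without touching /etc; the paths in the usage comment are the post's.

```shell
#!/bin/sh
# Pre-flight checks for the anonymous-upload vsftpd layout described above.
# Added example, not the post's own code; write_sample_conf() creates a
# constructed vsftpd.conf so the checks can be exercised anywhere.

# conf_get FILE KEY: print KEY's value from a vsftpd.conf (empty if unset).
conf_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_upload_settings FILE: the keys that make anonymous uploads land as
# readable, non-executable files owned by a fixed account, plus the split
# between the daemon's unprivileged user and the upload owner (in the post:
# nopriv_user=_ftp, chown_username=ftp). Returns 0 only when all pass.
check_upload_settings() {
    conf=$1; rc=0
    for want in anonymous_enable=YES anon_upload_enable=YES \
                chown_uploads=YES chown_upload_mode=0664; do
        if [ "$(conf_get "$conf" "${want%%=*}")" != "${want#*=}" ]; then
            echo "$conf: expected $want" >&2; rc=1
        fi
    done
    if [ "$(conf_get "$conf" nopriv_user)" = "$(conf_get "$conf" chown_username)" ]; then
        echo "$conf: nopriv_user and chown_username must be different accounts" >&2
        rc=1
    fi
    return $rc
}

# check_data_dir DIR: the upload directory must be exactly 1777 (sticky plus
# world-writable): anyone may create files there, but only a file's owner may
# remove or rename it. Returns 0 on match, 1 otherwise (or if DIR is missing).
check_data_dir() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 1777 -print)" ]
}

# write_sample_conf FILE: constructed conf carrying the upload keys from the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
anon_root=/ftp/pub
write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=ftp
chown_upload_mode=0664
nopriv_user=_ftp
ftpd_banner=VsFTPd. Cool, eh?
EOF
}

# On a live box:
#   check_upload_settings /etc/vsftpd.conf && check_data_dir /ftp/pub/data
```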

Test, Test, Test

Run the server in one console and log in from another console and transfer little test files.  Then log in from another computer and repeat. 
# vsftpd
(ok)

$ touch test1
$ touch test2
$ ftp localhost
Login: anonymous
Password: [Enter]
ftp> put test1
ftp> get test1

On BSD, see what is going on with tail (the same idea works on Linux, though the log system differs):
$ tail -f /var/log/vsftpd.log

It may take a while to work out the fat finger kinks.


Windows Mapping

Use the easy connect wizard in the Windows file browser (File, Map Network Drive, Map as Drive, Connect to a website..., Next, Choose...) to connect to the server using a URL like ftp://192.168.1.10 which will create a shortcut in the left pane which then works like any other network file share.

After installing a 128GB SD card for storage, I now have a little WiFi connected 'NAS' which is normally sleeping peacefully and when I need it, all I need to do is flip open its lid and wait about 5 seconds for it to wake up.


For questions, go to http://daemonforums.org.


-. --- / .-- .. -. -.. --- .-- ... --..-- / -. --- / -.-. .-. -.--

La voila!

Herman

Friday, February 3, 2017

OpenBSD on a Netbook

Recently, I got fed up with the bloated Linux distributions and wanted to try something that is secure, small and efficient, so I downloaded OpenBSD 6.0 from Theo de Raadt's server in Calgary.  Since Calgary is actually my old home town - why not?


OpenBSD tries to be the most simple and secure UNIX system out of the box.  It is very much server oriented, but it can do anything and many architectures are supported just for fun. For example, Arm RPi and Beaglebone, Intel 32 and 64 bit and several more.  So OpenBSD is a good choice whether you want to build a server farm, a network router, or a robot.

I have an old little Lenovo S10e netbook that I threatened to toss away numerous times, but it doesn't want to break.  As I feel guilty about tossing something that works perfectly well in a bin, once in a while when I run short of resources, I end up using it again.  Last year, it was pressed into service as a Linux Mirror server to install a bunch of embedded computers.

So I dusted the Netbook off and readied it for a new Olde Skool UNIX experience...

Where to get OpenBSD

The last time I used OpenBSD was about 2004 - for web and mail servers in Calgary.  I certainly know Linux better, but my main machine is a Macbook Pro which runs a kind of BSD and the more things change, the more they stay the same.

Here you go: https://ftp.openbsd.org/pub/OpenBSD/6.0/

When I bought the netbook, I wanted something small that I could carry around easily.  Although the single core 32 bit Intel processor is slow as molasses with the original Windows 7 OS, it always ran Linux with the XFCE desktop quite well, but I wanted to see whether I can make it fly.

From the above list of files, download the install60.fs file if you want to use a USB memory stick as the install medium.

I made the mistake of not reading the INSTALL.i386 instructions and downloaded the ISO file, then wondered why it would not boot.  So, do go and read the INSTALL file.  Pretty much everything you need to know is in there!

Write the install60.fs file to a memory schtick using dd: http://www.aeronetworks.ca/2013/05/using-dd-on-mac-to-copy-iso-file.html

Install

The WiFi adaptor in this netbook never worked with Linux, so I didn't expect it to work with BSD.  I therefore plugged in a trusty little Edimax USB dongle (Ralink chip set) and hoped it would work.  OpenBSD recognized it and loaded the run driver, so the dongle showed up as run0 in ifconfig.

The OpenBSD installer is super simple and OpenBSD is even easier and quicker to install than Linux.  It just takes a few minutes.  So, plug the USB widget in and boot it, follow the very simple instructions and mostly just accept the defaults, till you get to the network configuration.  Be sure to type the correct information in for the WiFi adaptor if you are using one: You need to supply the SSID and password as a minimum.

Of course I fat fingered the password, so it could not connect.  The WiFi setup information is in a file called /etc/hostname.run0 and editing it later presented an interesting challenge, since I am severely vi impeded.  I had to read the vi man page to find out how to delete a character - really.

First boot

OpenBSD is a simple and clean system with no bells and whistles.  None.  Zilch.

When you boot up, you get a nice, self explanatory login prompt:
Login: herman
password
$

If you are freaked out by a $ prompt, then you either have to return your Geek Card, or read a UNIX book or three.

At that point, I had to go and fix the WiFi password first and then rebooted to see if it worked properly, but you can simply run startx to get a beautiful FVWM desktop, with a xterm and a clock on it - woohoo.

We have Country AND Western music!

The default install doesn't have much of anything for a laptop machine.  The vi editor, ssh and an ftp client are about it.  No web browser, not even links.

Install a Package or Three

In order to make the netbook useful, I need a web browser and an editor that is more to my liking.

Packages are listed here: https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/i386/
(or https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/ if you have a better machine!).

You can install the dillo web browser like this:
# pkg_add https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/i386/dillo-3.0.5p0.tgz

Dillo is quite a horrible little browser, but it sure is fast and much less clunky than links.  However, if you want something more full featured, install surf or luakit, which are both based on webkit and work with everything, including yootoob...

To preserve your sanity, add the path to the /root/.profile file:
# echo "export PKG_PATH=https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/i386/" >> /root/.profile

and also export it so it will work immediately:
# export "PKG_PATH=https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/i386/"

(If you have a better 64 bit machine: echo export "PKG_PATH=https://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/">>/root/.profile)

After that you can simply run:
# pkg_add dillo
# pkg_add links 
# pkg_add surf
# pkg_add nano 
# pkg_add abiword
# pkg_add gnumeric
# pkg_add xournal
# pkg_add pdfshuffler
# pkg_add gimp
# pkg_add minicom
# pkg_add putty 
# pkg_add deadbeef
...

You can make that all one line of course, but I prefer getting error messages for one thing at a time, to preserve my sanity.

Utilities like ftp, ssh, telnet, netcat, tcpdump and more are installed by default, so with the above additions, I can do pretty much anything I would ever want to do on a Netbook.

Stop the Mail Daemon

I don't need the mail daemon on my teenie little netbook.  The mail daemon isn't actually doing much, but I prefer it doing nothing and save every processor cycle and byte of RAM that I can.

Services are controlled via the /etc/rc.conf and /etc/rc.conf.local files, with a utility called rcctl:
# rcctl stop smtpd
# rcctl disable smtpd

The result is:
# cat /etc/rc.conf.local
smtpd_flags=NO

Simple.

XFCE Desktop Environment

The FVWM desktop is nice and fast, but it is really only good for masochists.  My favourite light weight desktop is XFCE and installing it is just as simple as any other package.

The package manager pkg_add is quite smart, so you can install XFCE for a better laptop experience by simply running:
# pkg_add xfce 

You can then press Ctrl-Alt-Del to quit X and restart it with:
$ startx /usr/local/bin/startxfce4

Or, you can put exec /usr/local/bin/startxfce4 in ~/.xinitrc and then just run startx as usual and with a nice wintry themed wall paper the little Netbook looks quite cool now:


See this for more details: https://www.openbsd.org/faq/faq11.html

For OpenBSD 6.4, install xenodm and edit the .xsession file instead:
$ nano .xsession 
exec ck-launch-session startxfce4

Then reboot and when you log in, you get XFCE instead of the default FVWM.

Minor Niggles

With OpenBSD, there is no drama and most everything works.  If I close the lid, it sleeps, if I open it, it resumes.  Well, almost - the WiFi dongle didn't come back after a resume, so I needed to figure out how to resuscitate the run device driver and hook it into the resume process somewhere.

The OpenBSD FAQ (https://www.openbsd.org/faq/faq6.html#Wireless) eventually revealed the netstart command, which successfully restores the WiFi connection after a resume:
# sh /etc/netstart

I just needed to figure out where to hook netstart so it would be invoked automatically upon resume.

Advanced Power Management

The problem with the WiFi widget was that apmd was not running.  The Advanced Power Management service controls suspend and resume, processor speed and a few more things.
# rcctl get apmd
apmd_flags=NO

Configure and start apmd with:
# rcctl enable apmd
# rcctl start apmd
apmd(ok)

The result is:
# cat /etc/rc.conf.local
apmd_flags=
smtpd_flags=NO

According to the apmd man page the /etc/apm/resume program is run after resuming from standby, so that is the one where I need to put a call to /etc/netstart.

So I tried this:

# mkdir /etc/apm 

# nano /etc/apm/resume

and added the following:
#! /bin/sh
/etc/netstart

# chmod 755 /etc/apm/resume

Let's see if all is OK:
# rcctl stop apmd
# rcctl start apmd
apmd(ok)

Let's see if it works with the zzz command: 
# zzz
Suspending system...

and a few seconds later I type:
zzz
It resumes from its slumber.

However, it didn't seem to run the resume program.

Let's see what happened:
# tail /var/log/messages
apmd: failed to exec /etc/apm/resume: Exec format error

So, how now brown cow?

Eventually, I did two things to get it to work as explained below.  Don't ask me how I found these tricks, it is just years of experience with obstreperous embedded widgets coming to the rescue and a dogged determination to try various things till the hardware responds the way it should.

Make the netstart script executable, so I don't have to invoke a shell explicitly to run it:

# chmod +x /etc/netstart

Add a delay to the /etc/apm/resume script to give the USB widget time to load its firmware and let the magic fairy dust settle, before trying to configure it:
#! /bin/sh
sleep 1
/etc/netstart


Now I can make the netbook suspend and resume, the little green lights flash on the WiFi dongle and all is well, the whole universe shook, the BSD daemons sung and flowers fell down from the heavens...
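As an added example (not the post's own script), here is an /etc/apm/resume that replaces the fixed one-second delay above with a bounded poll: it waits until the dongle's interface (run0 in the post) is known to the kernel, then runs /etc/netstart for that interface, and logs either outcome to syslog so a dongle that never comes back is visible in /var/log/messages instead of silently leaving the box offline. The interface name and retry count are assumptions you can override through the environment.

```shell
#!/bin/sh
# /etc/apm/resume: wait for the USB WiFi interface, then reconfigure it.
# Added example, not the post's own script. IFACE and MAX_TRIES are assumed
# defaults; override them in the environment if your dongle differs.

IFACE=${IFACE:-run0}        # interface name used in the post
MAX_TRIES=${MAX_TRIES:-10}  # give up after this many probes

# iface_present NAME: true when the kernel already knows the interface.
iface_present() {
    ifconfig "$1" >/dev/null 2>&1
}

# wait_for_iface NAME TRIES [DELAY]: probe iface_present up to TRIES times,
# sleeping DELAY seconds (default 1) between probes. Returns 0 as soon as the
# interface exists, 1 on timeout, so the hook can never hang apmd forever.
wait_for_iface() {
    delay=${3:-1}
    i=0
    while [ "$i" -lt "$2" ]; do
        if iface_present "$1"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# resume_hook NAME TRIES: the hook body, split out so it can be exercised
# without suspending the machine. netstart(8) accepts interface names, and
# running it via sh does not depend on the script's executable bit.
resume_hook() {
    if wait_for_iface "$1" "$2"; then
        logger -t apm-resume "$1 present, running /etc/netstart $1"
        sh /etc/netstart "$1"
    else
        logger -t apm-resume "$1 did not appear after $2 tries, skipping netstart"
        return 1
    fi
}

# Only act when apmd executes this file as /etc/apm/resume, not when sourced.
case ${0##*/} in
    resume) resume_hook "$IFACE" "$MAX_TRIES" ;;
esac
```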


Squash and Square the Web

British Prime Minister Harold Wilson said of the press:
If you can't squash them, square them 
and if you can't square them, squash them.

It is really only a couple hundred companies that are ruining the web for a couple billion people on the planet, so with even the littlest machine it is trivial to disable the culprits.

You can get a good /etc/hosts file to efficiently squash and square the rubbish on the wild wild web here:
https://github.com/StevenBlack/hosts

My little netbook now zooms like a much faster model, with no Windows, SELinux, systemd, advertisements or spyware to slow it down.  And now that Uncle Sam decided to ban laptops on board aircraft, this little one becomes the ideal machine to chuck into my luggage, since nobody will steal what looks like a clunky old netbook!

Connect to Free WiFi Access Points

My WiFi setup is now automated for home use, but what if I travel and want to connect to free WiFi in McDonalds, or Vienna airport, or Cafe Nero, or.... ???

I solved this with a little script called mcdonalds - duh...
#! /bin/sh
ifconfig run0 nwid mcdonalds
dhclient run0

and ditto for the two or three other places I go to - good enough for me.

Play Internet Radio with deadbeef

On Linux, I use Streamtuner, a wonderful little application, but it doesn't have a BSD equivalent.  The solution is to run dillo and browse to http://www.internet-radio.com (39,520 radio stations!) however, I didn't have a music player installed yet, so:
# pkg_add deadbeef

Now I run dillo, click a category on internet-radio, select a station, look at the left and download its playlist .pls file (save as /home/herman/radio/whatever.pls).  Thereafter, in the file browser, simply double click the desired .pls file to play the radio station with deadbeef.

There is probably a way to get dillo to spawn deadbeef, but since I only ever listen to two or three radio stations, this is dead simple and now I actually can listen to Country and Western music - Och, my poor bleeding ears...

I then found that the speaker volume keys on the chicklet keyboard actually work too - neat!

OpenBSD on Virtualbox

If you are not quite ready to go bare metal, then you can install OpenBSD in Virtualbox, but since there are no Guest Additions for OBSD, you need to tweak things manually to get full screen operation.

I actually prefer slightly smaller than full screen, so I can retain access to the host task manager bar more easily.  The easiest way to get the size right, is to take a screen shot by grabbing a rectangle, save the file and open it with a photo editor to see the dimensions.

There are some weird limitations and I could only get it to work with 16 bit video on my Lenovo, and on my Macbook Pro I had to select 2560x1600x16 and Unscaled High Definition Video in the machine video properties to make it work full screen.

Define a custom screen for the OpenBSD VM like this, sized for my Lenovo Thinkpad:
$ VBoxManage setextradata OpenBSD CustomVideoMode1 1600x868x16

Start the VM and scp the below /etc/X11/xorg.conf file over to the VM. Modify the Depth, DefaultDepth and Modes at the bottom to suit:


Section "ServerLayout"
 Identifier     "X.org Configured"
 Screen      0  "Screen0" 0 0
 InputDevice    "Mouse0" "CorePointer"
 InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "Files"
 ModulePath   "/usr/X11R6/lib/modules"
 FontPath     "/usr/X11R6/lib/X11/fonts/misc/"
 FontPath     "/usr/X11R6/lib/X11/fonts/TTF/"
 FontPath     "/usr/X11R6/lib/X11/fonts/OTF"
 FontPath     "/usr/X11R6/lib/X11/fonts/Type1/"
 FontPath     "/usr/X11R6/lib/X11/fonts/100dpi/"
 FontPath     "/usr/X11R6/lib/X11/fonts/75dpi/"
EndSection

Section "Module"
 Load  "dbe"
 Load  "dri"
 Load  "extmod"
 Load  "glx"
 Load  "freetype"
EndSection

Section "InputDevice"
 Identifier  "Keyboard0"
 Driver      "kbd"
EndSection

Section "InputDevice"
 Identifier  "Mouse0"
 Driver      "mouse"
 Option     "Protocol" "wsmouse"
 Option     "Device" "/dev/wsmouse"
 Option     "ZAxisMapping" "4 5 6 7"
EndSection

Section "Monitor"
 Identifier   "Monitor0"
 HorizSync    31-80
 VertRefresh  30-100
 VendorName   "Monitor Vendor"
 ModelName    "Monitor Model"
EndSection

Section "Device"
 Identifier  "Card0"
 Driver      "vesa"
 VendorName  "InnoTek"
 BoardName   "VirtualBox Graphics Adapter"
 BusID       "PCI:0:2:0"
EndSection

Section "Screen"
 DefaultDepth  16
 Identifier "Screen0"
 Device     "Card0"
 Monitor    "Monitor0"
 SubSection "Display"
  Viewport   0 0
  Depth     16
  Modes     "1600x868"
 EndSubSection
EndSection

When you launch startx, you should get a large window and may need Right-Control F to switch to full-screen mode.

Care and Feeding of Your Puffer Fish

Once in a blue moon, to update the system I do:
$ sudo su -
# pkg_add -u

For information on installing packages and ports, read the FAQ here:
https://www.openbsd.org/faq/faq15.html

Pretty much everything is in the FAQ, so RTFF really is a good idea.

Or refer to the Original Grumpy BSD Guy:
https://bsdly.blogspot.ae/2013/04/youve-installed-it-now-what-packages.html

For questions on any flavour of BSD when you did RTFF and are still stuck, go to http://daemonforums.org.

OpenBSD Foibles And Quirks (FAQ)

Sometimes things are a little weird and other times they are just annoyingly strange. 

Man will only be free, 
once the last computer has been strangled 
 with the power cord of the last router. 
-- With apologies to Diderot.

--oOo-- 

Strange Command Options

There are some BSD commands for which one has to reread the man pages, since they differ from their Linux counterparts.
  • ifconfig
  • route
  • pkg_add packagename
  • pkg_add -u
--oOo-- 

Fast File System Softdep

It is important to edit /etc/fstab and configure soft updates (softdep), otherwise an unclean power down can corrupt the disk irretrievably: https://www.openbsd.org/faq/faq14.html

The default is nosoftdep, so add softdep to each ffs line of fstab:
/dev/sd0a / ffs rw,softdep 1 1

--oOo--

System Recovery

If the system needs recovery, try Single User Mode:
At the boot prompt: Spacebar
boot> boot -s
# fsck -p
# mount -a


Now you can try to undo your last boo-boo.

--oOo--

Network Settings

/etc/hostname.em0

Restart Network:
# sh /etc/netstart

--oOo-- 

Additional Useful Programs

pkg_add xfce nano firefox mplayer links lynx gimp abiword gnumeric xournal evince

Start XFCE with:
$ startx /usr/local/bin/startxfce4


Or, you can put exec /usr/local/bin/startxfce4 in ~/.xinitrc and then just run startx

--oOo-- 

Securelevel

The securelevel is +1 by default at runtime.  This protects a bunch of crucial stuff against modification at runtime.  It may interfere with R&D work.

# sysctl kern.securelevel     
kern.securelevel=1

It can be reduced to -1 in the rc.securelevel file:
# nano /etc/rc.securelevel
add one line:
sysctl kern.securelevel=-1

Verify:
# cat /etc/rc.securelevel
sysctl kern.securelevel=-1

A reboot will make it permanent:
# reboot

La voila, now it runs with no securelevel:
# sysctl kern.securelevel                                                                  
kern.securelevel=-1

This allows file flags and a few other things to be changed.  This is also needed to turn the clock back if it is ahead.

--oOo--

Packet Filter PF

There are a few default rules which may interfere with R&D work.  They can be deleted with the pfctl -F all command.

The default rules:
# pfctl -s all
FILTER RULES:
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55

STATES:
all udp 192.168.1.14:32260 -> 5.32.10.107:123       MULTIPLE:MULTIPLE
all tcp 192.168.1.14:22 <- 192.168.1.16:49495       ESTABLISHED:ESTABLISHED
all udp 192.168.1.255:137 <- 192.168.1.16:137       NO_TRAFFIC:SINGLE
all udp 224.0.0.251:5353 <- 192.168.1.19:5353       NO_TRAFFIC:SINGLE
all udp 224.0.0.251:5353 <- 192.168.1.16:5353       NO_TRAFFIC:SINGLE

Delete all rules:
# pfctl -F all
0 tables deleted.
rules cleared
2 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset

Show no rules any more:
# pfctl -s all  
FILTER RULES:

INFO:
Status: Enabled for 0 days 00:00:44              Debug: err

State Table                          Total             Rate
  current entries                        0              
  half-open tcp                          0              

--oOo--

Multiple IP Address Aliases on a Single Device

Temporary alias with ifconfig:
# ifconfig re0 inet alias 192.168.10.199 netmask 255.255.255.0

Permanent aliases in /etc/hostname.em0:
# nano /etc/hostname.em0
dhcp
inet alias 192.168.111.101 255.255.255.0
inet alias 192.168.1.101 255.255.255.0

Restart network:
# sh /etc/netstart

# ifconfig em0   
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr b8:ae:ed:ec:0c:03
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.14 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.111.101 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255

--oOo--

Startx Won’t

startx fails with “/usr/bin/xauth: timeout in locking authority file /home/user/.Xauthority”:
$ ls -l .Xauthority*
-rw------- 1 user user 55 Jul 12 22:04 .Xauthority
-rw------- 1 user user  0 Jul 12 22:36 .Xauthority-c
-rw------- 1 user user  0 Jul 12 22:36 .Xauthority-l

Those files are lock files for .Xauthority, so simply removing them resolves the issue.
$ rm -f  /home/user/.Xauthority-*

These files should have been written to /tmp, where they will be cleaned up automatically at reboot.  You can put the above command in /etc/rc.local to fix the problem.

--oOo--

SUID Removed From startx 

The setuid bit was removed from /usr/X11R6/bin/Xorg.  Therefore startx can no longer be used by non-root users.

The best way for non-root users to start Xorg now is:
# rcctl enable xenodm
# rcctl start xenodm

--oOo--

La voila!

Herman