How to add sudo?

[Schmill]

Can anyone give me some pointers on how to add "sudo" functionality to my xpenology running on N54L please?

 

I would like to disable the 'root' user, but no other user can use the 'su' command, hence my requirement for sudo.

 

I was trying to follow this article (http://nas.deadcode.net/2009/08/26/inst ... skstation/) but it requires that you use ipkg, which again Synology does not have.

 

How do I either install ipkg, or if there is a better way to get 'sudo' - how do I do that?

 

Many thanks

[Schmill]

Not to worry, all sorted now

[spammy]

How did you manage to solve this?

[Schmill]

I have my full set of notes elsewhere, I'll update this thread later with the content.

In summary you have to apply the correct bootstrap script to add ipkg to the server (as per wiki article http://forum.synology.com/wiki/index.ph ... stall_ipkg )

You can then use ipkg to get & install sudo.

 

More verbose instructions later - What hardware are you running on?

[Schmill]

These are my own 'HowTo' notes - so usual disclaimer "use at your own risk".

Bare in mind that these are for the N54L, and the IPKG bootstrap that you download depends on what hardware you are running on, (see the wiki link in my last post to see which one you need).

 

IPKG

Installing IPKG

The ipkg package installer is required in order to be able to install various software packages outside of Synology’s repository, in particular the sudo package, and nano if you want an alternative editor.

Full instructions, for multiple platforms, are available HERE.

Below are a condensed set of instructions, suitable for the N54L i686 platform.

The files to install the ipkg are referred to as ‘bootstraps’.

1. Login via SSH as root.

2. Change to a temporary directory (e.g. /volume1/@tmp)

3. Download the bootstrap file to the NAS using the following command:

wget http://ipkg.nslu2-linux.org/feeds/optware/syno-i686/cross/unstable/syno-i686-bootstrap_1.2-7_i686.xsh

4. Make the .xsh executable

chmod +x syno-i686-bootstrap_1.2-7_i686.xsh

5. Run the .xsh script

sh syno-i686-bootstrap_1.2-7_i686.xsh

6. After the script has finished it can be deleted

rm syno-i686-bootstrap_1.2-7_i686.xsh

7. Use vi to edit /root/.profile

vi /root/.profile

With vi still in command mode enter the following and press return:

:%s/PATH=/PATH=$PATH:/

8. Press [Esc], then enter “:wq” to write and quit the file.

9. If you received an error that /opt cannot be mounted, unmount /opt

umount –f /opt

, and delete /opt and /volume1/opt.

 

Using IPKG

• Update the list of available packages with “ipkg update”

• Upgrade any installed packages to their latest versions with “ipkg upgrade”

• Install packages with “ipkg install xxxx” where xxxx is the name of the package.

• List available packages with “ipkg list” (this can be filtered with “ipkg list | grep xxxx” where xxxx is the package you are looking for)

 

sudo

To install sudo you must first have installed IPKG.

1. As root install sudo

ipkg install sudo

2. By default, only ‘root’ has the ability to use sudo. To allow others to sudo they must be added to the /opt/etc/sudoers file. However this file cannot be edited directly and must be edited using a specific utility, visudo.

3. Running visudo will open the sudoers file.

4. Towards the bottom of the file controls who can sudo:

##
## User privilege specification
##
root ALL=(ALL) ALL

## Members of group 'administrators' can execute any command
%administrators ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

 

5. Specific users can be added using the format:

thisuser ALL=(ALL) ALL

6. Groups can be added using the format:

%thisgroup ALL=(ALL) ALL

 

One method is to add the ‘sudo’ group and allow all its members to sudo (last line of the main snippet above). However for my purposes allowing anyone of the ‘administrators’ group is suitable so I have added that in the above section.

Once you have made the above changes, (and saved the file with [Esc]:wq) be sure to use SSH to log in as a user that should now be able to use the sudo command.

If you disable root access and have not tested that this works, and then it does NOT work you will be stuffed – You have been warned!

 

Good luck

[Jman420]

I realize that 'sudo' is a more common command than the built-in 'su' command. But I'm not sure why you want 'sudo' so badly. The same functionality can be achieved with the 'su' command and disabling the 'root' user from SSH does not effect the functionality of the 'su' command. The only reason I bring this up is that the ipkg project has been abandoned for years now and nearly all of the binaries in the package feeds are out of date.

 

Do what you like, but my suggestion is to stay away from ipkg due to lack of maintenance (for instance I believe the ipkg version of bash is vulnerable to the ShellShock exploit). You are probably better off compiling your own binaries with the Synology Toolchains. Although that is a much more complex alternative to installing pre-compiled packages.

 

I DO NOT WANT TO DOWNPLAY THE RELEVANCE OF THE ABOVE POST. THESE INSTRUCTIONS ARE ENTIRELY VALID. My only point is that the binaries being installed are out dated and could potentially contain known vulnerabilities or lack functionality.

[Schmill]

How do you use su?

It is disable for all users due to permissions on busybox?

I found that applying the usual 'workaround' of changing the permissions of the busybox directory then stopped the Plex client from installing / operating correctly.

I didn't know that ipkg was discontinued though, so I'm interested to hear of alternatives. (Ipkg is what synology recommend for installing 'other' software I.e. That which isn't part of package manager)

[Jman420]

I'm fairly new to the su command myself, but I'll try to answer your questions as best as possible.

 

The permissions I applied to busybox are: chmod 4755 /bin/busybox

I can't remember if I applied this before or after I installed Plex Server (I don't have Plex Client installed since my Nas has no monitor attached), so order might be important, but it was not an issue that I ran into.

 

The su command performs a substitute user which changes the logged in user to the one specified and gives you another shell instance for that user. The default user is root, so if you just enter 'su' at a command line it assumes you want to be root. When you change the user with su you will be prompted for the password for the account you are trying to switch to. I like this because it means the user needs two passwords in order to gain root access, both a limited user's password and the root account password. There is also no file to maintain which dictates access (sudoers for sudo).

 

To make su function a bit more like sudo such as executing a single command without opening a new shell you can use the -c option. For instance 'su -c "vi /etc/passwd"' would open passwd with root privileges and return to the limited user again when the file is closed.

 

As for ipkg, if you take a look at their package feeds you will see that most of the packages were last updated in Feb 2012. I am not sure why Synology and QNAP continue to suggest using ipkg for software that isn't in their package manager. There are other more maintained forks of ipkg which (I think) could be used instead and have more up to date feeds. I believe the main fork is opkg.

 

Resources:

http://www.linfo.org/su.html

http://www.howtogeek.com/111479/htg-explains-whats-the-difference-between-sudo-su/