Create a Samba Share on Raspberry Pi Cluster

Something I want to do with my Raspberry Pi Cluster is mount a hard drive and share it like a Windows share. To do this I am going to set up Samba on a Raspberry Pi.

Installing the required packages

To run samba as a service we need to install a couple of packages. Running the following command will install what you need.

sudo apt-get install samba samba-common-bin

Configuring Samba

To modify the samba configuration on a Raspberry Pi you can use its config file. This file is located at /etc/samba/smb.conf once you have installed the appropriate packages. To set up samba to my liking I am going to modify and add a couple of lines to the base settings.

The workgroup setting defines which workgroup the user you will be logging in as will need to use. By default the setting is WORKGROUP but this can be changed to anything required. Here I’m going to change the workgroup to “bunker”.

# customize the workgroup (smb.conf comments must sit on their own line)
workgroup = BUNKER

To ensure that only logged-in users are able to access the shares I have set the security level to “user”. This method of security validates against samba user accounts and is the most basic level.

# ensure security level is user only
security = user

The default samba settings will expose the logged-in user’s home directory, however it will not be writeable. Changing “read only” to no allows editing the user’s home directory.

[homes]
# allow writing of home dir
read only = no

Setting up a share folder

To finally set up the share folder you need to add in the details of the share. Again this is modifying the samba config file as above. Below is an example share folder configuration and an explanation of some of the settings.

[BUNKER1]
comment = Bunker Node1 Share
path = /usr/local/bunker
valid users = @samba
force group = samba
create mask = 0660
directory mask = 0771
read only = no
  • [BUNKER1] is the name that Windows will assign to the folder
  • comment is used in some programs to describe the share
  • path is the local path on the Raspberry Pi that the share will be exposing
  • valid users lists all valid users which can be a single user, or list of usernames. Here I have used “@samba” to allow all users of the group “samba” to access the share
  • force group will force the accessing user to read files as that group. This can be used to determine what the user can access or do.
  • create mask is used to apply a bitwise AND to the generated permissions. 0660 ensures files are not accessible by just any user (no permissions for “other”); this applies to created files
  • directory mask works similarly to the above but applies to created directories. Here I am setting it to 0771 to ensure all directories are executable (browsable)
  • read only sets whether you are only allowed to read the files (yes) or can also write/delete them (no)
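
A quick check for a config like the one above, as an added example that is not from the original post or from the Samba project: smb.conf only treats # or ; as a comment marker at the start of a line, so a comment placed after a value becomes part of that value, and a share without a valid users line is not limited to named users. The function names and the sample config are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic lint for smb.conf:
#  1. a trailing "#..." or ";..." after a value is read as part of the value
#  2. a share section without "valid users" is not limited to named users
# Usage: lint_smb_conf [FILE]   (reads stdin when FILE is omitted)
lint_smb_conf() {
    awk '
    function flush_share(   l) {
        l = tolower(section)
        # [global], [homes] and [printers] are special sections, not shares
        if (section != "" && l != "global" && l != "homes" && l != "printers" && !restricted)
            printf "share [%s]: no \"valid users\" restriction\n", section
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # whole-line comments and blank lines
    /^[ \t]*\[/ {                           # start of a new section
        flush_share()
        section = $0
        gsub(/^[ \t]*\[|\].*$/, "", section)
        restricted = 0
        next
    }
    /=/ {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        value = substr($0, index($0, "=") + 1)
        if (value ~ /[ \t][#;]/)
            printf "line %d: trailing comment is read as part of \"%s\"\n", NR, key
        if (key == "valid users") restricted = 1
    }
    END { flush_share() }
    ' "${1:--}"
}

# Constructed sample: one trailing comment, one share without "valid users".
sample_conf() {
    cat <<'EOF'
[global]
workgroup = BUNKER #customize the workgroup
security = user
[BUNKER1]
path = /usr/local/bunker
valid users = @samba
[SCRATCH]
path = /srv/scratch
EOF
}

sample_conf | lint_smb_conf
```

Run testparm (installed with samba-common-bin) afterwards for Samba's own syntax check of the real file.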

Configuring users to access samba

Once you have set up samba with the above settings you need to add a user to be able to access samba. Since I have set my folder to require the samba group I can add it to my user by running:

sudo groupadd samba
sudo usermod -aG samba chewett
sudo smbpasswd -a chewett

By default Raspbian has no samba group, so the first command creates one. The second command then adds the user account “chewett” to the “samba” group. The third command sets the samba password for the same user account. This will let the user chewett access samba.

Now we need to restart samba so that the config takes effect.

sudo /etc/init.d/samba restart

Accessing Samba from Windows

Now you should be able to access samba from Windows by going to \\hostname\ . Here the hostname is bunker-node1 so I access it by going to \\bunker-node1

Browsing via samba to my raspberry pi host “bunker-node1”

Once I have entered the hostname and selected a folder, Windows will present a login prompt asking for a username and password. If your computer is on the same workgroup as the samba config you will just need to enter the username and password. If they are on different workgroups you will need to enter workgroup\username as the username. In this case I need to enter bunker\chewett as bunker is the workgroup and chewett is the username.

Logging into the samba share with login details bunker\chewett

Now I have access to my Raspberry Pi files on Windows. I can expand this by adding more folders to the samba config, and I can mount external drives and have them accessible on the Windows network.

Installing Raspbian onto a Raspberry Pi

Here I suggest some recommended steps to install Raspbian on top of their install guide.

Choosing an OS for the Raspberry Pi

One of the main ways to install a Raspberry Pi OS is to download a disk image called NOOBS. This lets you choose to easily install a number of different OS’s. If you want to try a variety of OS’s or are unsure of what you want to install I recommend this. You can follow the guide below to burn this image to a memory stick.

I decided to install Raspbian Jessie with PIXEL instead of NOOBS. This is because I wanted a fully featured Debian derivative (which is what Raspbian is) installed.

Burning the Image to a SD Card

Now we need to burn the image to the SD card. This section explains what you need to do if you are using Windows; if you are using Linux/Mac OS I assume you know what you are doing. On Windows you first need to unzip the OS image so you have the .img file available.

Once you have downloaded and unzipped the image you need to burn it; you can do this with Win32 Disk Imager. Selecting the image and SD drive and pressing write will burn the OS to the SD card.

Now you can put the SD card into the Raspberry Pi and turn it on.

After Installing Raspbian

When you have installed Raspbian you will want to perform a few bits of basic maintenance.

Changing the user password

The default username for the pi is pi and the default password is raspberry. This can be used to log in to your pi but it is recommended that this is changed immediately. You can change the password of the current user by entering:

passwd

Changing the hostname

Since I am planning to run multiple Raspberry Pi’s I need to change the hostname. The default hostname is raspberrypi which you can use to connect to it via ssh. However to change this you can modify the /etc/hosts file on the Raspberry Pi. You can modify this by running the following command.

sudo nano /etc/hosts

Updating the Pi

The Raspbian images are created every now and then so are not going to be fully up to date. You can update the pi by running the following two commands

sudo apt-get update
sudo apt-get upgrade

Running these commands you will update the catalogue of packages and then upgrade any of them which are outdated.

Final words

These are some basic steps to install and set up a Raspberry Pi Raspbian install. As I find more steps that I want to perform each time I install Raspbian I will update this blogpost. If you have any questions feel free to ask in the comments.

Let’s Encrypt Auto SSL on Web Host Manager CPanel Server

This blog post describes how to set up free SSL certificates on a Web Host Manager CPanel server. This requires root access to the server, if you don’t have access to this then you must ask your service provider to install it for you.

What is Let’s Encrypt?

Let’s Encrypt is in their own words “free, automated, and open Certificate Authority” providing free SSL certificates to anyone who wants to use their services. The only requirement to obtain a certificate from them is to prove you own the domain. This service is backed by some of the big web companies including Google and Facebook so has a large technical group behind it.

Many SSL certificate providers do this through a convoluted process of manually adding DNS records or replying to emails found via DNS. Instead of having to do this you confirm your ownership by the newly developed ACME protocol.

One of the ways you can verify your domain is using an ACME client such as certbot. I won’t be using that today as I wanted an automatic solution that worked with the CPanel servers I manage.

Let’s Encrypt with CPanel

To automatically install SSL certificates CPanel provides an AutoSSL facility. By default it doesn’t provide Let’s Encrypt SSL certificates but they can be enabled easily enough.

If you log into your server as root you can install the Let’s Encrypt Auto SSL module by running the following command:

/scripts/install_lets_encrypt_autossl_provider

Once you have run this CPanel should now let you select Let’s Encrypt as your Auto SSL provider!

The developers of CPanel are testing this and it is likely to be rolled out in the future. However at the moment you need to install it manually. More information can be found in their blog post.

Stacking multiple Raspberry Pi’s

For the Raspberry Pi cluster I wanted to make sure that they are neatly stored to keep them easy to reach.

Why nicely storing them is important

Each Raspberry Pi requires a power and network cable. When using a single raspberry pi the cables are not an issue but I am planning to use five as a baseline for my cluster. These cables can quickly start to become messy and make the cluster hard to reach.

Stacking the Raspberry Pi’s

Therefore I have selected a solution that would allow me to stack the Raspberry Pi’s on top of each other.

Image taken from aliexpress where I purchased the item from

This case allows excess heat to be vented through the sides which many case designs do not account for. Since I plan to be using the Pi’s extensively they will likely be running quite hot.

I plan to stack six raspberry Pi’s on top of each other so I have purchased three of these (two stacked) products.

VCHI initialization failed Raspberry Pi Fixed

vcgencmd get_mem arm VCHI initialization failed
Example showing VCHI initialization failed error

If when running vcgencmd on a raspberry pi you get VCHI initialization failed then you need to add the video group to your user. The vcgencmd tool requires you have this group role so without it, it will give VCHI initialization failed.

To add the user group to your user you can run:

sudo usermod -aG video <username>

Where <username> is the user you want to run the vcgencmd command with. This command adds the video group to the user you specify.

Once you have run the usermod command, any new logins will be able to run vcgencmd successfully. Logging out and back into the pi will let you use the command.

Why this problem occurs

This issue happens when you try and use the vcgencmd command with a user that isn’t a member of the video group. This typically happens when you create a new user for the raspberry pi and don’t give it the same groups that the pi user has.

The solution above fixes this by adding the correct video group to the created user.

Building a Raspberry Pi cluster

Today’s blog marks the official start of my Raspberry Pi cluster project. Here I will be documenting the process of assembling, building, and running a small cluster. This blog will include code snippets, hardware diagrams and the results of various projects using the cluster.

Aims of the project

The Raspberry Pi cluster will be looking into distributed computing from both a hardware and software perspective. Some of the smaller projects planned include:

  • Youtube playlist syncing and download
  • Dynamic task management and distribution
  • MD5 hash calculators
  • Realtime Reddit thread analysis

But why a Raspberry Pi when it lacks power/ram/etc

Many of the tasks I am planning for the raspberry pi can be run faster and more easily on a single computer. My (5 year old) laptop will have more RAM and processing power than the initial cluster. If I was going for pure power I would run these tasks on a GPU. However the cluster is to experiment with the process of writing and working with a distributed environment.

Part of the reason why I have chosen a raspberry pi is that it is readily available, relatively cheap, and there is a lot of support for it to run Linux. I am planning on running Raspbian Jessie PIXEL to begin with, with the possibility of switching to full on Debian or Fedora later.

First steps to a Raspberry Pi Cluster

Already I have one Raspberry Pi 1 Model B Rev 2 which I am going to start developing software for while I collect the other parts. During this time I will search around for a number of raspberry Pi’s. My preference will be for the older versions so that I may purchase more of them cheaply.

Powering them is going to be an investigative point as I don’t want to power them using multiple Raspberry Pi cables as these are costly in larger numbers and will occupy lots of power sockets.

As I am expecting to buy a couple different Raspberry Pi versions I am going to look for Micro SD cards which come with adapters. This is because Raspberry Pi 1 B models take a SD card and later models take a Micro SD card.

BIGINT Overflow Error Based SQL Injection

In MySQL 5.5+ you can abuse a new feature with BIGINT values. This involves a problem called integer rollover and your ability to run arbitrary SQL.

The problem of integer rollover

Integer rollover happens when a number is already at the largest or smallest value its type can store and an operation tries to push it past that limit.

When the number is the highest possible stored value, adding to it does not make it larger; it wraps around and becomes as small as it can be. Similarly, when the number is the smallest possible value and something is subtracted from it, it becomes very large.

This is down to how the number is represented in binary: when it tries to make the value bigger/smaller it “rolls over”. This is typically undesired behavior, but in many languages it happens silently. Previously this was something you checked for manually; however, newer languages are starting to check and raise errors for this.
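
The silent wrap-around and the manual check described above, as an added example that is not from the original post. It assumes a shell with signed 64-bit arithmetic such as bash, which covers the same range as a signed BIGINT; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a shell with signed
# 64-bit arithmetic (such as bash), the same range as a signed BIGINT.
INT64_MAX=9223372036854775807
INT64_MIN=$(( -INT64_MAX - 1 ))

# Unchecked: the shell wraps silently, as described above.
wrapping_add() {
    echo $(( $1 + $2 ))
}

# Checked: compare against the limits before adding, so the overflowing
# operation is never carried out. Prints the sum, or returns 1 with an error.
checked_add() {
    a=$1 b=$2
    if [ $(( b > 0 && a > INT64_MAX - b )) -eq 1 ]; then
        echo "out of range: $a + $b is above $INT64_MAX" >&2
        return 1
    fi
    if [ $(( b < 0 && a < INT64_MIN - b )) -eq 1 ]; then
        echo "out of range: $a + $b is below $INT64_MIN" >&2
        return 1
    fi
    echo $(( a + b ))
}

wrapping_add "$INT64_MAX" 1          # wraps to the smallest value
checked_add "$INT64_MAX" 1 || true   # refused with an error instead
checked_add 40 2
```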

How MySQL is affected by this

Now in MySQL versions 5.5 or later, instead of silently wrapping around, it will raise an error and fail. This is considered better than silently making your number radically different.

If the website displays the MySQL error directly, it will report back the result of the query that caused the rollover. If a site incorrectly does this and also allows unsanitized input to be sent to the database, this allows you to craft a query and view the results.

By creating a subquery for the request and guessing table names you can pull out any data in the database. Worse is that this works for the information schema so you are able to get the data you need by querying this. Having full access to the database can mean that you can then download sensitive information.

Fixing this exploit

Here the exploit is stopped by properly escaping user input, which is something that many websites still forget to do. In addition, since this requires viewing the data in the returned error, turning off error reporting would stop this bug, but would not stop the ability to insert data via a subquery. Even when the error is not shown back, being able to insert data may allow privilege escalation.

The full exploit, including example code and the full explanation, is available online. This is another example of why it is critically important to sanitize input from users.
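
Hiding errors from visitors does not stop them being raised, so the application error log is a good place to watch for this. The script below is an added example, not from the original post: it counts MySQL out-of-range errors (error 1690) per client. The log format, function names and sample lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. MySQL reports an arithmetic
# overflow as error 1690 (SQLSTATE 22003): "... value is out of range in ...".
# Repeated hits from one client in the application error log deserve a look.
# Assumed (constructed) log format: "<timestamp> <client-ip> <message>"
# Usage: overflow_suspects THRESHOLD [FILE]   prints "count ip", busiest first
overflow_suspects() {
    awk -v min="$1" '
    /BIGINT( UNSIGNED)? value is out of range/ { hits[$2]++ }
    END {
        for (ip in hits)
            if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip
    }' "${2:--}" | sort -rn
}

# Constructed sample log; addresses are from the documentation ranges.
sample_log() {
    cat <<'EOF'
2017-01-14T10:02:11Z 203.0.113.7 ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'
2017-01-14T10:02:12Z 203.0.113.7 ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'
2017-01-14T10:02:13Z 198.51.100.20 ERROR 1064 (42000): You have an error in your SQL syntax
2017-01-14T10:02:14Z 203.0.113.7 ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'
2017-01-14T10:05:40Z 198.51.100.20 ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'
EOF
}

sample_log | overflow_suspects 3
```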