Root access

(Did some cleanup, still needs work.)
m (Reverted edits by 5.188.211.16 (Talk) to last revision by sixwheeledbeast)
 
(96 intermediate revisions not shown)
Line 1: Line 1:
-
OK, first, the disclaimer: '''Doing whatever is stated on this page is not endorsed by Nokia in any way.'''
+
{{danger}}
-
''Warning: There have been reports of display failures (white with dim vertical stripes) after disabling rd mode and rebooting a new 770. If you get this, there is a hardware failure in your device and you need to return it and get a replacement.''
+
Having [[:wikipedia:Superuser|root]] access is an important step for users interested in modifying things "under the covers" of their tablets; without it, you won't have the necessary permissions to make those modifications. Root access is disabled by default on new tablets. Thankfully, the steps to enable root access are simple.
-
Screenshot added: [http://www.circuitwizard.de/misc/2935.jpg Cracked screen]<nowiki>; </nowiki>[http://maemo.org/pipermail/maemo-users/2006-July/001605.html Screen bug Post].
+
== Why do I want root? ==
-
= Recommended methods =
+
Root access is ''not'' required to install additional applications through Application Manager, open X Terminal or use your tablet in day-to-day operation.
-
== easyroot ==
+
If you want to edit the underlying system configuration, install applications ''through the command line'' or other low-level tasks, you ''will'' require root access.
-
Install [http://nitapps.com/dists/chinook/user/binary-armel/easyroot_1.0-4_armel.deb easyroot] from [http://nitapps.com/ nitapps.com].
+
-
Then, from the shell, run <code>root</code>. This will give you a root shell.
+
== rootsh ==
 +
<small>''Note: As rootsh is the simplest option, and does not require a desktop computer or running additional services, it is the recommended method for gaining root access.''</small>
-
== OpenSSH ==
+
<code>rootsh</code> is available in [[Extras]], and can be installed from the Application manager if you have the Extras repository enabled. It is also available directly from [http://maemo.org/downloads/product/Maemo5/rootsh/ maemo.org].
-
# Enabled Extras (if you haven't already).
+
Then, from the [[terminal|shell]], run:
-
# Install OpenSSH (client and server).
+
sudo gainroot
-
# SSH into your tablet as root
+
(or <code>root</code> for short). This will give you a root shell.
-
## For local access, run <code>ssh root@localhost</code>
+
-
## For remote access, run <code>ssh root@''tablet's ip address''</code>
+
-
# Use "rootme" as password (this is the factory default root password).
+
-
= Securing root access =
+
== sudser ==
 +
<small>''Note: Some scripts require rootsh to run properly, so it's recommended to have both sudser and rootsh installed if you're using sudser.''</small>
-
At this point you should have gained root access to your device, and be looking at the root prompt:
+
sudser adds the user to sudoers so you can use the <code>sudo</code> command to run commands as root.
-
<nowiki>#</nowiki>
+
It is available in Extras, and can be installed from the Application manager if you have Extras enabled.
-
'''However, if your wi-fi network is not password protected, so might anyone else near you who has WiFi, SSH and a clue.'''
 
-
You still need to secure root-level access.
+
Then, from the shell, run <code>sudo ''command''</code>. This will execute <code>''command''</code> with root privileges.
-
You also still need to secure the root account ("rootme" is a terrible password, and direct root log-in access is not necessarily required).
+
<small>''Note: Adding user to the sudoers without a password isn't best for security so use at own risk.''</small>
-
== Secure future root-level access ==
+
== OpenSSH ==
-
=== Modify the gainroot script ===
+
# Enable Extras (if it is disabled)
-
(Note: easyroot already does this)
+
# Install OpenSSH (client and server)
-
 
+
#* This will prompt you to change the root password from the default, <code>rootme</code>
-
'Fix' the original /usr/sbin/gainroot script to not to check for R&amp;D mode and allow root everytime.
+
# SSH into your tablet as root
-
 
+
#* For local access, run <code>ssh root@localhost</code>
-
You can edit line
+
#* For remote access, run <code>ssh root@''tablet's ip address''</code>
-
 
+
# Use the root password entered at step (2) to log in
-
MODE=<code>/usr/sbin/chroot /mnt/initfs cal-tool --get-rd-mode</code>
+
-
 
+
-
to be
+
-
 
+
-
MODE=enabled #<code>/usr/sbin/chroot /mnt/initfs cal-tool --get-rd-mode</code>
+
-
 
+
-
You can use vi editor for this, enter
+
-
 
+
-
vi /usr/sbin/gainroot
+
-
 
+
-
position cursor at '=' character, press 'a' key, enter 'enabled #', press Esc key and save and exit with 'ZZ' command (shift + zz). The edited line may look garbled but it is OK. CTRL+L refreshes screen in vi so you can double check before saving.
+
-
 
+
-
From now you can use the intended way how to gain root on the device in R&amp;D mode without having to set it.
+
-
 
+
-
$ sudo gainroot
+
-
 
+
-
=== Set user password ===
+
-
 
+
-
Set the [http://en.wikipedia.org/wiki/Password_strength password] for 'user':
+
-
 
+
-
passwd user
+
-
 
+
-
Note: when typing a password nothing will be shown on the screen.
+
-
 
+
-
Now, for the future, unless you want to keep SSH-ing from another machine, a clever move is to add "user" to sudoers:
+
-
 
+
-
echo "user ALL = PASSWD: /bin/su" &gt;&gt; /etc/sudoers
+
-
 
+
-
this way your password will be asked in order to become root. Or
+
-
+
-
echo "user ALL = NOPASSWD: /bin/su" &gt;&gt; /etc/sudoers
+
-
 
+
-
in order to become root without having to type your password.
+
-
 
+
-
Please keep in mind that password will be cached, so you won't have to type it ''every'' time you need to sudo.
+
-
 
+
-
Note that if you require a password to become sudo, some built-in apps (notably Application Manager) will appear to not load while they wait silently in the background for the password to be entered. The can be avoided by running a command in the xterm with sudo prior to lauching the app, so as to appease sudo when the OS calls it.
+
-
 
+
-
Ok, from now on all you have to do, in your Xterm session, to get root is to write:
+
-
 
+
-
sudo su -
+
-
 
+
-
=== Secure the root account ===
+
-
 
+
-
'''You ''MUST'' change (or disable) your root password before continuing!'''
+
-
 
+
-
Else you will be walking around with a device that can be accessed using a TRIVIAL and well known password.
+
-
 
+
-
==== Change root password ====
+
-
 
+
-
To change root password (as root user):
+
-
 
+
-
passwd
+
-
 
+
-
...when asked, input (twice) your [http://en.wikipedia.org/wiki/Password_strength new password].
+
-
 
+
-
'''It is still recommended to limit root logins to local console only in most cases.'''
+
-
 
+
-
==== Disable root login ('''highly suggested''') ====
+
-
 
+
-
'''NOTE:''' Do not perform this step without having completed Step [[Root access#Modify the gainroot script|Modify the gainroot script]] or [[Root access#Set user password|Set user password]]
+
-
 
+
-
After you gained access as root user:
+
-
 
+
-
passwd -l root
+
-
 
+
-
In this case, from now on you won't be able to login directly as root user -- not from ssh and not from the local console.
+
-
 
+
-
To get a root prompt:
+
-
 
+
-
sudo su -
+
-
 
+
-
=== Disabling root login when using OpenSSH ===
+
-
 
+
-
This step is semi optional. Definitely recommended for most installations, though.
+
-
 
+
-
When using dropbear as ssh server, you can disable root logins via ssh: just add the option "-w" to DROPBEAR_EXTRA_ARGS in /etc/default/dropbear:
+
-
 
+
-
DROPBEAR_EXTRA_ARGS="-w"
+
-
After that, restart dropbear:
+
To debug issues with SSH connections, use the SSH '-v' option.
-
/etc/init.d/dropbear restart
+
(To get SSH X forwarding ('-X' option) to work, you need to install ''xauth'' (or ''xbase-clients'') package and enable X forwarding in the SSH server configuration file on the machine where you're connecting to.)
-
A remote root login via ssh is then no longer possible. So you have to use the "user" account (you should give the user a password beforehand).
+
== Research &amp; Development Mode (R&amp;D or RD Mode) ==
-
=== For Windows Users Only ===
+
{{ambox|text=As R&D mode has other side effects beyond simply enabling root access (including several that may negatively impact battery life), it is ''not'' the recommended method for gaining root access. Use [[#rootsh|rootsh]] instead.}}
-
Obviously the same trick works also in Windows, but you have to use a (free or commercial) SSH enabled client:
+
{{main|R&D mode}}
-
*[http://www.celestialsoftware.net/telnet/ Absolute Telnet]
+
-
*[http://www.vandyke.com/download/securecrt/index.html SecureCRT]
+
-
*[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY], etc...
+
-
= The R&amp;S way (Nokia 770 only) (Linux or Mac OS X needed) =
+
You can enable the R&D mode which enables you to execute <code>sudo gainroot</code> to get a root shell, simply follow the setup steps for flashing covered in [[Updating the firmware|updating the tablet firmware]], then execute
-
You can enable the Research &amp; Development mode (R&amp;D or RD mode) on the 770, which enables you to execute <code>sudo gainroot</code> to get a root shell.
+
sudo ./flasher-3.5 --enable-rd-mode -R
-
NOTE: The currently availiable Nokia flasher version (as of 30 March 2006) assumes that usbfs is mounted on /proc/bus/usb, but usbfs is deprecated and has been dropped on most newer Linuxes. If you find that flasher doesn't recognise that the device is connected and you have a kernel version &gt;= 2.6.15, this is probably the issue.
+
You are now in R&D mode, and the sudo gainroot script's check will be satisfied.
-
* Download the Linux or Mac OS X flasher from
+
== On-Device Sudoers Edit (No External Dependencies) ==
-
* Ensure it's executable: <code>chmod a+x &amp;quot;flasher...&amp;quot;</code>
+
This covers how to get root access on-device. without any external downloads/dependencies, as well as advocates a more desktop-like approach to setting up your sudoers file.
-
* Switch off the Nokia 770
+
http://talk.maemo.org/showthread.php?t=94494
-
* Unplug it from a charger
+
-
* Connect it to your computer via USB directly (hubs can prevent the flasher from detecting the device)
+
-
* From your computer: As root, or using <code>sudo</code>, execute <code>./flasher &amp;lt;del&amp;gt;enable-rd-mode &amp;lt;/del&amp;gt;reboot</code>
+
-
* "Suitable USB device not found, waiting" is displayed on the console
+
-
* Switch on the 770 using the power button while holding down the home button ''I did not touch the home button and proceeded successfully -- 2005-12-27'' --RickHull It worked for me after disabling the device lock -- 05/04/06 Florian I did it without the home button as well and it worked OK for me too. -- 3/26/06 -- Bill B. Well, I just did it for the first time with my one-day-old tablet, and I did have to press the home button. Otherwise, the device booted normally, and no messages came from the flasher utility (from Mac OS X). When pressing home, you get the icon for the "system settings" (a wrench over a tablet) right under the big blue NOKIA logo at boot up. The USB logo appeared in the top-right corner of the screen on both boot-ups, the normal one and the one with the home button. -- [AlbertoGonzalezPalomo]
+
-
* Whilst it powers on you'll see additional debug information.
+
-
* The flasher program will now tell you something like: USB device found at bus 001, device address 004 Found board Nokia 770 (F5) NOLO version 0.9.0 The device is now in R&amp;D mode ''I had to pull the USB cable at this point before the unit rebooted. -- 2006-03-29 -- [NealMcBurnett''] ''Me too -- 2006-04-01 -- N7DR''
+
-
* If not already done install an [http://770.fs-security.com/xterm/ xterm] on the 770
+
-
* Open the xterm and execute <code>sudo gainroot</code> ''You will probably get a scary message pointing you the possibility of breaking your device doing so. Ignore it ¿?''
+
-
* Try this if it doesn't work: <code>sudo /usr/sbin/gainroot</code>
+
-
That's it. If you get the error, "Error claiming USB interface: Operation not permitted", it means you've forgotten to run the flasher as root. It is possible to encounter other errors (even if invoked as root) that may be caused by timing issues. For more information and a possible solution, go to the following maemo-developers [http://www.gossamer-threads.com/lists/maemo/developers/3140 thread].
+
== A note on sudo ==
 +
This information is aimed at people who come to maemo from other linux distributions (Debian for example) that may have used sudo in a different way.
-
Once becoming root, in order to easily become root without needing to be in R&amp;D mode, modify the gainroot script (located in /usr/sbin/gainroot) to only invoke the shell (i.e. /bin/sh) or modify /etc/sudoers to make something like su sudo-capable. (IT'D BE NICE IF someone uploaded samples of the original and the modified file to the wiki at this point) Modifying gainroot is likely an easier option for novice users and should be accomplished by commenting out (i.e. prepending lines with a #) the check if R&amp;D mode is enabled. More specifically, after the "PATH=..." line, comment out the following lines ''except'' for the /bin/sh line.
+
In fremantle (Maemo 5) sudo is a key part of the system. It is used by system processes that are started as the user to provide access (as root) when needed.
-
<del>BEFORE</del>
+
Examples of this are:
 +
Media Tracker.
 +
The firmware version on the 'Settings' > 'About Product' page.
-
+
Both of these will malfunction if there are problems with sudo.
-
= <nowiki>!/bin/sh -e</nowiki> =
+
Sudo relies on <code>/etc/sudoers</code>, a configuration file that details who can run what commands. <code>/etc/sudoers</code> is traditionally modified by using the 'visudo' command. DO NOT DO THIS ON MAEMO. In maemo sudoers is regenerated periodically from config snippets in <code>/etc/sudoers.d/</code>, using <code>visudo</code> can cause the slow death of your system as your edit gets pushed further down /etc/sudoers.
-
trap exit SIGHUP SIGINT SIGTERM PATH=/bin:/user/bin:/sbin:/usr/sbin MODE='/usr/sbin/chroot /mnt/initfs cal-tool --get-rd-mode if [ x<span class="math">''MODE''<nowiki>=</nowiki>''xenabled'']''then''''echo''&amp;''quot''<nowiki>;</nowiki>''Root''''shell''''enabled''&amp;''quot''<nowiki>;/</nowiki>''bin''/''sh''''else''''echo''&amp;''quot''<nowiki>;</nowiki>''Enable''''RD''''mode''''if''''you''''want''''to''''break''''your''''device''&amp;''quot''<nowiki>;</nowiki>''fi''&lt;/''pre''&gt;&lt;''del''&gt;''AFTER''&lt;/''del''&gt;&lt;''pre''&gt;#!/''bin''/''sh''-''e''''trap''''exit''''SIGHUP''''SIGINT''''SIGTERM''''PATH''<nowiki>=/</nowiki>''bin''<nowiki>:/</nowiki>''user''/''bin''<nowiki>:/</nowiki>''sbin''<nowiki>:/</nowiki>''usr''/''sbin''<nowiki>#</nowiki>''MODE''<nowiki>='/</nowiki>''usr''/''sbin''/''chroot''/''mnt''/''initfs''''cal''-''tool''--''get''-''rd''-''mode''<nowiki>#</nowiki>''if''[''x''</span>MODE = xenabled] #then # echo "Root shell enabled" /bin/sh #else # echo "Enable RD mode if you want to break your device" #fi
+
For those who don't know, <code>/etc/sudoers</code> works on a last match principle, so if your edit conflicts with entries above it, it will break those entries.
-
There are a couple of possibilities for modifying gainroot or /etc/sudoers, both of which require [http://770.fs-security.com/xterm/ xterm]<nowiki>: * The file can be copied to another system (via USB or </nowiki>[http://maemo.org/maemowiki/InstallSsh scp] as examples), modified on the system, and copied back. In order to use USB, it will first be necessary to copy the appropriate file to the memory card using something like: <code>cp /usr/sbin/gainroot /media/mmc1</code> . A similar cp command (<code>cp /media/mmc1/gainroot /usr/sbin</code>) would be used to copy a modified gainroot file back. MMC is disabled while USB cable is connected. I had to power down, disconnect, reboot and become root again to copy the file to the MMC. -- 3/26/06 -- Bill B. ''I just had to unplug the USB cable when using the MMC locally, and plug it back in to access it from my PC -- [NealMcBurnett''] * An editor can be used on the 770 itself to modify the file, such as [http://maemo.org/maemowiki/ApplicationCatalog#head-5a2314e34a0e247ce137af6a95b37ae8e7a74b83 vim] or [http://maemo.org/maemowiki/ApplicationCatalog#head-0d0749a7fc2a3aacd09cb5465171aeb0d0dd0e38 joe]. Novice users may find joe to be easier to use than vim. I couldn't get VIM or Joe to run -- they installed, but I could not find them. Maybe a newby thing? You can always email the gainroot file to yourself on another PC, edit it, and email it back. -- 3/26/06 -- Bill B. (_as with most user-installable utilities, make sure /var/lib/install/usr/bin is in your <span class="math">''PATH''-''hczim''_)*''How''''Do''''I''''Become''''Root''-''without''''using''''a''''text''''editor''(''backing''''up''''gainroot''''before''''modification''):&lt;''br''/&gt;`''cp''-''p''/''usr''/''sbin''/''gainroot''/''usr''/''sbin''/''gainroot''~&amp;''amp''<nowiki>;&amp;</nowiki>''amp''<nowiki>;</nowiki>''sed''-''i'''1,/''PATH''<nowiki>=/!</nowiki>''s''/^/#/;/''sh''</span>/s/#//' /usr/sbin/gainroot<code><nowiki>* How Do I Become Root - without using a text editor (by enabling sudo for all user commands):&lt;br /&gt;</nowiki></code>cp -p /etc/sudoers /etc/sudoers~ &amp;&amp; echo user ALL = NOPASSWD: ALL &gt;&gt; /etc/sudoers<code>Once root access has been granted, it is recommended to disable R&amp;amp;D mode. This can be accomplished by following the same instructions as for enabling R&amp;amp;D mode but using</code>./flasher &lt;del&gt;disable-rd-mode &lt;/del&gt;reboot<code>instead. - --- Spanish translation / Traducción al castellano (Skip for the rest of the english text, including &amp;quot;The hard way of gaining root&amp;quot;)
+
The 'correct' way to do this would be to put your entry in a file in <code>/etc/sudoers.d/</code>. I leave the detail of this up the experience of the end-user. Just be advised that using <code>visudo</code> runs the risk of subtly breaking your system.
-
[[Category:HowTos]]
+
[[Category:Wiki page of the day]]
-
[[Category:Midgard wiki]]
+
[[Category:Power users]]

Latest revision as of 08:50, 11 April 2019

Image:Ambox_notice.png
 Some instructions here may cause serious problems. When unsure, see General precautions
Backing up your data is recommended. In case of trouble you might need to re-flash your device.


Having root access is an important step for users interested in modifying things "under the covers" of their tablets; without it, you won't have the necessary permissions to make those modifications. Root access is disabled by default on new tablets. Thankfully, the steps to enable root access are simple.

Contents

[edit] Why do I want root?

Root access is not required to install additional applications through Application Manager, open X Terminal or use your tablet in day-to-day operation.

If you want to edit the underlying system configuration, install applications through the command line or other low-level tasks, you will require root access.

[edit] rootsh

Note: As rootsh is the simplest option, and does not require a desktop computer or running additional services, it is the recommended method for gaining root access.

rootsh is available in Extras, and can be installed from the Application manager if you have the Extras repository enabled. It is also available directly from maemo.org.

Then, from the shell, run: 

sudo gainroot

(or root for short). This will give you a root shell.

[edit] sudser

Note: Some scripts require rootsh to run properly, so it's recommended to have both sudser and rootsh installed if you're using sudser.

sudser adds the user to sudoers so you can use the sudo command to run commands as root.

It is available in Extras, and can be installed from the Application manager if you have Extras enabled.


Then, from the shell, run sudo command. This will execute command with root privileges.

Note: Adding user to the sudoers without a password isn't best for security so use at own risk.

[edit] OpenSSH

  1. Enable Extras (if it is disabled)
  2. Install OpenSSH (client and server)
    • This will prompt you to change the root password from the default, rootme
  3. SSH into your tablet as root
    • For local access, run ssh root@localhost
    • For remote access, run ssh root@tablet's ip address
  4. Use the root password entered at step (2) to log in

To debug issues with SSH connections, use the SSH '-v' option.

(To get SSH X forwarding ('-X' option) to work, you need to install xauth (or xbase-clients) package and enable X forwarding in the SSH server configuration file on the machine where you're connecting to.)

[edit] Research & Development Mode (R&D or RD Mode)

Image:Ambox_notice.png
 As R&D mode has other side effects beyond simply enabling root access (including several that may negatively impact battery life), it is not the recommended method for gaining root access. Use rootsh instead.

Main article: R&D mode


You can enable the R&D mode which enables you to execute sudo gainroot to get a root shell, simply follow the setup steps for flashing covered in updating the tablet firmware, then execute 

sudo ./flasher-3.5 --enable-rd-mode -R

You are now in R&D mode, and the sudo gainroot script's check will be satisfied.

[edit] On-Device Sudoers Edit (No External Dependencies)

This covers how to get root access on-device. without any external downloads/dependencies, as well as advocates a more desktop-like approach to setting up your sudoers file. http://talk.maemo.org/showthread.php?t=94494

[edit] A note on sudo

This information is aimed at people who come to maemo from other linux distributions (Debian for example) that may have used sudo in a different way.

In fremantle (Maemo 5) sudo is a key part of the system. It is used by system processes that are started as the user to provide access (as root) when needed.

Examples of this are: Media Tracker. The firmware version on the 'Settings' > 'About Product' page.

Both of these will malfunction if there are problems with sudo.

Sudo relies on /etc/sudoers, a configuration file that details who can run what commands. /etc/sudoers is traditionally modified by using the 'visudo' command. DO NOT DO THIS ON MAEMO. In maemo sudoers is regenerated periodically from config snippets in /etc/sudoers.d/, using visudo can cause the slow death of your system as your edit gets pushed further down /etc/sudoers.

For those who don't know, /etc/sudoers works on a last match principle, so if your edit conflicts with entries above it, it will break those entries.

The 'correct' way to do this would be to put your entry in a file in /etc/sudoers.d/. I leave the detail of this up the experience of the end-user. Just be advised that using visudo runs the risk of subtly breaking your system.

Retrieved from "https://wiki.maemo.org/Root_access"