[geeks] Hammer MyShare 1TB: mini review, bitching, and success story

Charles Shannon Hendrix shannon at widomaker.com
Mon Jul 2 20:22:44 CDT 2007 

I broke down and ordered a Hammer 1TB NAS.

It arrived today.


INSTALLATION:

1) unpack
2) plug in
3) boot
4) check DHCP server to see what address it got
5) http://<address>

At that point, setup is pretty easy, and most of it is intuitive.

I immediately reconfigured the drives to be RAID 1.  It took 2 hours to
sync the drives.  They averaged 40-60MB/sec during the sync.

FIRMWARE UPDATE:

Pretty simple as well, and works fine.  Unit warns you to do absolutely
nothing during the process, lest you end up with a brick.

SMB:

I set the unit up as a workgroup server.  CIFS mounts work if done
manually, but the machine doesn't respond to a SMB network query for
some reason.  

Then again, I always have a hell of a time making SMB work even with
just Windows machines.

Short answer: it works, but only manually so far.

NFS:

This works fine, with caveats:

All NFS mounts default to all_squash, which means everyone's files are
owned by nobody. No individual user security with the NFS mounts.

Also, when you enable NFS on a share, it is enabled for all users. NFS
security is per machine, not per user.

I'm OK with this for now, because for a lot of NFS mounts, I tend to be
using per machine security. However, for shares where access is given
via NFS and also CIFS, I really want user rights in both cases.

To be fair, it is a bitch to make NFS user handling work, but I still
hope they come up with something.

NFS mounts are harder than they should be, because neither the unit nor
the documentation tells you what the mount points are for NFS shares. I
made a wild guess that I could use /nfs as the root, and I was right.
You can also use /shares. /shares is where shares live, but the
unit creates links for each type of share as well.

I could not mount using TCP protocol. This part sucks. It works
perfectly using UDP, but I really hate NFS over UDP. I have sent the
company a question about this, we'll see what they say.

FTP:

Nothing much to see here.  It's a version of vsftp.

HTTP:

Evidently the unit can serve files using HTTP protocol.  No URL I tried
let me see anything however, so I don't quite know what to do.  If
anyone has ideas, let me know.

PERFORMANCE/HARDWARE:

On NFS shares across my 100baseT network I got 4-8MB per second,
depending on network load and other things. The unit is supposed to
almost double that if you have gigabit networking, but is unable to
saturate gigabit ethernet according to another guy's tests.

The unit has decent speed. The primary processor is a Marvell chip with
built-in goodies around an ARM9 CPU core.  It uses Marvell SATA and
ethernet controllers.

I did some snooping around and discovered the unit also has a serial
port, currently not accessible from the outside world.  More on how I
managed that in a bit.

This unit is certainly hackable.  It doesn't have the following of the
NSLU2 or the DNS-323 units, but they both have been on the market a lot
longer.

USB:

It can mount USB drives just fine, including ext3 filesystems.

However, I hate how it does it.

As soon as you plug a drive in, it creates CIFS, NFS, FTP, and HTTP
shares of the drive.  It also uses a name like "usb1-1share1" for the
first drive, and something similar for the second one.

I would much rather be able to create permanent mounts, preferably with
labels. The unit can probably do it, I just need to find a way to turn
auto-mounting of USB drives off. The unit doesn't use /etc/fstab at all.

SIZE:

The unit is about 10 pounds, with a metal case and its two drives. It's
quite small and quiet. The fan is initially loud on powerup, and quickly
spins down. It is probably temperature controlled, and just spins up on
boot until management takes hold.

DRIVES:

My unit came with Western Digital drives.  I would rather have gotten my
own drives, but at least I didn't get Maxtor.

Also, drive prices are falling rapidly. Probably long before this unit
craps out, I'll have replaced the drives with something bigger.

I dare Murphy's Law to kill both drives at the same time.  I dare it!

HACKING:

OK, yes, I got root on the box.  I found an exploit in the WWW
interface.

I tried inserting shell scripts in various fields (i.e. `reboot`) but
they didn't work.

Then I remembered a review of the unit where the guy said the email
alerts would let you do it. However, he had a funky proxy method, and
didn't provide the details.

Short version:

I created a file called "hack" on my desktop which had the Hammer
mounted at /nas/vault.  The file looked like this:

	#!/bin/sh

	cd /shares/vault

	cp /etc/inetd.conf .
	cp /etc/passwd .
	ps ax > ps.txt

I went to the Hammer's alerts page and entered this address into the
email address field:

	`/shares/vault/hack`@<my LAN domain>

...and it ran my file! Bad security and it needs to be fixed, but at the
same time I'm glad because it has enabled new opportunities.

Then I edited inetd.conf to enable telnet. I also looked at passwd, and
noticed it had a root account with a password set. I suppose this is a
back door for tech support? Anyway, I zeroed the password there. Then I
edited /shares/vault/hack to look like this:

	#!/bin/sh

	cd /shares/vault
	cp inetd.conf passwd /etc	

	kill -HUP <inetd process ID>

At this point I was able to telnet to the hammer as root.

Total time to crack the box: about 15 minutes, 14 minutes of which was
poking around to see what was installed on the box.

I'm currently hacking together and rsync script to have it backup my
servers to itself.

Anyway, more later as I learn more.

Overall, I'm pleased, and I think in a few months this unit is going to
have a hacker/project following much like the D-Link and Linksys NAS
units that run Linux.





















-- 
shannon           | An Irishman is never drunk as long as he can hold onto 
                  | one blade of grass and not fall off the face of the earth.

More information about the geeks mailing list