"Alternate" Entware configuration - OOPS, don't do it!

cmkelley

Very Senior Member
UPDATE: Leaving the below for posterity's sake, but don't do it. Some Entware stuff won't work with the "standard" entware setup, so far "man" and "openssh" because they appear to be hard-coded to expect different configurations (such as UID 0 being "root", which at least on my AC86U, the GUI won't allow you to do). But using Entware's busybox causes other router functionality problems (mine wouldn't connect to the internet after a reboot), so the below is pointless.

I suppose the moral of the story is, let the router do router tasks. Get fancy with something not so mission critical. Time to buy a Raspberry Pi 3 B+ ...


--------- DON'T DO THIS ---------
Digging through the Entware wiki, I found that Entware also provides an "alternate" installation script that changes the environment that Entware runs in slightly. After experimenting a bit with this, I think this is might be worth looking at for people who want to get the most out of their Entware installation. See https://github.com/Entware/Entware/wiki/Alternative-install-vs-standard for information on the differences.

The first thing I recommend you do is go into the GUI and change the ssh port from 22 to something else. The firmware will still run its own dropbear, and that's useful if you manage to lock yourself out of the Entware dropbear, which we'll install as part of this. I suggest doing this before making the changes, so that you know you can get into your router if something goes wrong. Note that Entware suggests the opposite; that is, leave the firmware dropbear on port 22 and put the Entware dropbear on another port. Your choice, but I want to just type "ssh root@router" to get to my Entware dropbear, rather than remember to add the port.

(Although I didn't try it this way, I think that if you haven't installed Entware yet, you can copy /usr/sbin/entware-setup.sh to the /jffs folder, then edit it and change the appropriate script call (in the "case $PLATFORM in" section) from generic.sh or installer.sh to alternative.sh and then run ./entware-setup.sh from there.) EDIT: Probably don't do it this way, see below.

If you have already installed Entware, then it's just a matter of changing a couple things; if you read the two installation scripts, there's actually very little difference. The first thing to do is install Entware's busybox. EDIT: Maybe don't do this! It is a more recent version than the firmware has, and is compiled with more built-in functions. The wiki (and RMerlin!) says there is a potential of interference with the router firmware, but I've not run into any yet - be prepared to revert if you run into weirdness.
Code:
opkg install busybox
Next you need to unlink the passwd, group, shells, shadow, and gshadow files from /opt/etc.
Code:
cd /opt/etc  ### MAKE SURE YOU ARE IN THIS DIRECTORY!!! ###
rm passwd
rm group
rm shells
rm shadow
rm gshadow
Now copy the Entware files over (hopefully you didn't delete the ".1" files ...)
Code:
cd /opt/etc  ### MAKE SURE YOU ARE IN THIS DIRECTORY!!! ###
cp passwd.1 passwd
cp group.1 group
cp shells.1 shells
Now you have separate users and groups for Entware. User 0 is "root" instead of "admin" or whatever your firmware / GUI username is. This root has the password 12345, which you will be able to change once you log into your Entware busybox. Speaking of which, you'll need to install the Entware dropbear (or, if you're feeling adventurous, openssh-server) to log in to the Entware "root" user. Note that alternative.sh does not install the Entware dropbear.
Code:
opkg install dropbear
The standard installation of dropbear listens on every interface, which is not what I think we want to do, so I edited the S51dropbear script in /opt/etc/init.d. The below is only the top half of the file; I didn't change anything after the start function.
Code:
#!/bin/sh

PATH=/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/usr/bin

DROPBEAR="/opt/sbin/dropbear"
HOST=$(hostname -i)
PORT=22
PIDFILE="/opt/var/run/dropbear.pid"
OPTIONS="-s -j -k"

dropbear_status ()
{
        [ -f $PIDFILE ] && [ -d /proc/`cat $PIDFILE` ]
}

start()
{
        $DROPBEAR -p $HOST:$PORT -P $PIDFILE $OPTIONS
}
Note that the -s option disables password logins; remove it if you're using a password to log in to your router via ssh (I require an ssh keypair on my router). If you are using keypairs you have to copy and link a couple of files:
Code:
cp -p /root/.ssh/authorized_keys /opt/etc/dropbear/  ### NOT in /opt/root/.ssh!
cp -p /etc/dropbear/* /opt/etc/dropbear/
ln -s /etc/profile /opt/root/.profile
Now you can start the Entware dropbear with
Code:
/opt/etc/init.d/S51dropbear start
And you should be able to log in to the Entware dropbear with your favorite ssh client. Once logged in, check your path to make sure /opt/bin and /opt/sbin are at the front of your path so they pick up the Entware versions instead of the firmware versions.

So, what did I get out of this? Not much, to be honest. I was able to install man-pages from Entware, which won't install with the standard setup because it expects user 0 to be called "root", which was the reason I tried this out (had I realized just how little is in the Entware man-pages package, I might not have bothered). I haven't tried openssh-server with this setup yet, but I was unable to get it to work with the standard setup. I do suspect this alternative setup will allow openssh-server to work since the Entware users are independent of the firmware users with this setup. The Entware wiki implies there may be other packages that would not work or have issues with the standard setup.

On the other hand, I haven't lost anything. Everything still works, although annoyingly the Entware busybox "top" command has to be exited with ctrl-c instead of just q. Anything that's hard-coded to go to /bin or /sbin will pick up the firmware busybox. Right now the hashed password is in passwd, which, even though dropbear shouldn't be exposed to the WAN and requires a keypair to log into the router, is still technically a security risk, so I'll have to get shadow set up.

Once more, in case you don't read the comments, RMerlin advises against installing Entware's busybox, because there are custom patches to it by him, ASUS, and Broadcom. Just because I haven't had any issues doesn't mean you won't!
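The post above ends by noting that the Entware "root" hash still sits in /opt/etc/passwd rather than in shadow. The following is an added example, not code from the thread, that audits a passwd-format file for exactly that (and for the worse case of an empty password field); the sample file it writes is constructed, and /opt/etc/passwd is only the assumed location on the router.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd-format file for password
# fields that never moved to shadow. /opt/etc/passwd is the assumed target.

# passwd_field_audit FILE -> one line per finding, USER:UID:hash for a hash left
# in the password field, USER:UID:empty for an account with no password at all
passwd_field_audit() {
    while IFS=: read -r _user _pw _uid _rest; do
        case $_user in ''|'#'*) continue ;; esac              # blank or comment line
        case $_pw in
            '')             printf '%s:%s:empty\n' "$_user" "$_uid" ;;
            x|'*'|'!'|'!!') ;;                                 # shadowed or locked: fine
            *)              printf '%s:%s:hash\n' "$_user" "$_uid" ;;
        esac
    done < "$1"
}

# write_sample_passwd FILE -> constructed sample in the alternative layout:
# root (uid 0) still carries a hash, daemon is locked, guest has no password,
# admin is shadowed. The hash value is made up, not a real credential.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:$1$c0nstructed$NotARealHashJustForTheDemo:0:0:root:/opt/root:/opt/bin/sh
daemon:*:1:1:daemon:/var:/bin/false
guest::1000:1000:guest:/opt/home/guest:/opt/bin/sh
admin:x:1001:1001:admin:/opt/home/admin:/opt/bin/sh
EOF
}

SAMPLE=$(mktemp)
write_sample_passwd "$SAMPLE"
passwd_field_audit "$SAMPLE"     # prints root:0:hash and guest:1000:empty
rm -f "$SAMPLE"
```

Run it against /opt/etc/passwd instead of the sample to see which Entware accounts still need moving to shadow.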
Might give this a go!

I need to start entware fresh after moving to the 86U (arch64) anyway so may as well do it properly!

Thanks for the info [emoji106]


Sent from my iPhone using Tapatalk
 
The Entware busybox is missing numerous patches from Asus/Broadcom/myself that might break some router functionalities, which is why I do not recommend using it in place of the built-in busybox.
 
The Entware busybox is missing numerous patches from Asus/Broadcom/myself that might break some router functionalities, which is why I do not recommend using it in place of the built-in busybox.
Ahhhh. I wasn't aware of that. But isn't the Entware busybox only called when you've sshed in and are at a prompt, or running a script from a prompt? The firmware doesn't spawn a shell environment (and therefore set the PATH variable) for anything because it "doesn't know" the root password, right? I would assume (perhaps wrongly) that any busybox calls the router itself makes are directly to /bin/busybox, which is still there and is still the firmware version. The Entware version goes in /opt/bin, and everything in /bin, /sbin, /usr/bin, and /usr/sbin is still symlinked to /bin/busybox. Only the replacements in /opt/bin and /opt/sbin are symlinked to /opt/bin/busybox.

So I can see that some shell scripts could break, but I'm not clear why any router functionality would, unless you mean functionality called from a shell script. I'm not trying to argue, you certainly know way more about this than I do, I'm just trying to understand what I'm missing.
 
Ahhhh. I wasn't aware of that. But isn't the Entware busybox only called when you've sshed in and are at a prompt, or running a script from a prompt? The firmware doesn't spawn a shell environment (and therefore set the PATH variable) for anything because it "doesn't know" the root password, right?

If running a command without specifying the full path ends up running the Entware version, then it can affect other scripts executed from within the firmware itself. Personally I try to use the full path when writing any script, but the firmware doesn't always use the full path, and will sometime rely on the system path.

And since almost everything runs as root, Entware can change that path.

So I can see that some shell scripts could break, but I'm not clear why any router functionality would, unless you mean functionality called from a shell script. I'm not trying to argue, you certainly know way more about this than I do, I'm just trying to understand what I'm missing.

The firmware uses various components from Busybox for its operations. The syslog server for instance comes from Busybox, and has been customized by Asus.
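The exchange above comes down to PATH precedence: a firmware script that calls a bare command name gets whichever copy the PATH finds first. As an added example, not code from the thread or the firmware, the script below lists the command names an Entware bin directory would shadow under a given PATH; the /opt/bin and /bin locations follow the thread's layout but are passed as arguments, and the directories used in the stand-alone run are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find which command names in an Entware
# bin directory would shadow a firmware copy under a given PATH.

# resolve_cmd NAME PATHLIST -> prints the first executable NAME found along
# PATHLIST (colon separated), mirroring how a shell resolves a bare command
resolve_cmd() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# shadowed_cmds PATHLIST OPTDIR FWDIR -> names present in both OPTDIR and FWDIR
# that PATHLIST resolves to the OPTDIR copy; these are the commands a firmware
# script calling a bare name would pick up from Entware instead of the firmware
shadowed_cmds() {
    for _f in "$2"/*; do
        [ -f "$_f" ] && [ -x "$_f" ] || continue
        _n=${_f##*/}
        [ -x "$3/$_n" ] || continue            # no firmware copy: nothing is shadowed
        _r=$(resolve_cmd "$_n" "$1") || continue
        case $_r in "$2"/*) printf '%s\n' "$_n" ;; esac
    done
}

# Stand-alone use on a router (assumed layout): report the shadowing that the
# current PATH creates between the Entware and firmware bin directories.
if [ -d /opt/bin ]; then
    shadowed_cmds "$PATH" /opt/bin /bin
fi
```

An empty result with /bin ahead of /opt/bin in PATH, and a non-empty one with the order reversed, is the difference the thread is discussing.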
 
UPDATE: Yeah, don't do this. Nevermind ...
 
UPDATE: Yeah, don't do this. Nevermind ...
Just out of curiosity and since you seem to abandon this alternate Entware install, did it affect any commands you used in Diversion and amtm while you had it running?
I specify the PATH variable to only use system binaries in both scripts and was wondering if that still worked.
 
No, it didn't affect your scripts at all. After installing the Entware busybox, everything was fine until I rebooted. I know I ran both the amtm and Diversion scripts before rebooting (which was for a separate reason). But after rebooting I didn't have internet connectivity, so I linked the firmware busybox to /opt/bin and rebooted, and it all came back up.
 