Successful dist-upgrade to wheezy on a B3

fredrikj
Posts: 30
Joined: 27 Jul 2011, 12:31

Successful dist-upgrade to wheezy on a B3

Post by fredrikj » 11 Jan 2015, 15:56

Hi all,

Today I performed a dist-upgrade to wheezy rev 7.8, starting from a default B3 software 2.6.0.2 installation, and it seems to have worked fine. I just wanted to share the success as there are failed wheezy dist-upgrade attempts described in other threads.

I started by reverting to a minimal debian install, as is described in the wiki. Remember to reinstall openssh-server, or else you'll have no way to access the device after purging the web interface.

http://wiki.mybubba.org/wiki/index.php? ... stallation

After that I removed the bubba-specific settings under /etc/apt, pinning in preferences, the excito sources, and added the default debian wheezy sources. Then just apt-get updated and dist-upgraded as usual.

There is a small caveat: I have yet to try to reboot the device. I'll get back to you with another report when that happens. It might take a while, I do not have the device locally.

Questions? Comments?
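The apt side of the procedure above (drop the Excito sources and pins, make sure openssh-server is really installed before the web interface goes, then add plain wheezy sources) is easy to get half right, and a missing pin or a leftover vendor source is exactly what leaves dist-upgrade holding packages back. The following pre-flight checks are an added example written for this thread, not something fredrikj or Excito published. It assumes the standard Debian layout under /etc/apt (a parameter here so it can be run against any directory), Debian's package names, and a mirror URL that was valid in early 2015; wheezy has since moved to archive.debian.org, so adjust that line today.

```shell
#!/bin/sh
# Added example: pre-flight checks for the squeeze -> wheezy apt switch
# described in the post above. Paths under the apt root are assumed to
# follow Debian's layout; the mirror URL and package names are assumptions.

# Return 0 if openssh-server is installed. Run this BEFORE purging the web
# interface, or there is no way back onto the box.
ssh_installed() {
    dpkg-query -W -f='${Status}\n' openssh-server 2>/dev/null \
        | grep -q 'install ok installed'
}

# Print every file under an apt configuration root that still references
# the vendor repositories or pins (sources.list, sources.list.d/*,
# preferences, preferences.d/*). Returns 0 if anything was found.
vendor_leftovers() {
    root="$1"
    found=1
    for f in "$root/sources.list" "$root/preferences" \
             "$root"/sources.list.d/* "$root"/preferences.d/*; do
        [ -f "$f" ] || continue
        if grep -qiE 'excito|bubba' "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Print any remaining pins that would hold packages on the old release;
# a "Pin: release a=squeeze" entry keeps dist-upgrade from moving them.
release_pins() {
    root="$1"
    cat "$root/preferences" "$root"/preferences.d/* 2>/dev/null \
        | grep -iE '^Pin:.*(squeeze|excito|bubba)' || true
}

# Write a plain wheezy sources.list (mirror URL is an assumption; wheezy
# has since moved to archive.debian.org).
write_wheezy_sources() {
    cat > "$1" <<'EOF'
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
EOF
}

# Full pre-flight: 0 only if nothing vendor-specific is left under $root.
preflight() {
    root="$1"
    if vendor_leftovers "$root" >/dev/null; then
        echo "vendor sources or pins still present under $root" >&2
        return 1
    fi
    if [ -n "$(release_pins "$root")" ]; then
        echo "release pins still present under $root" >&2
        return 1
    fi
    return 0
}

# Usage on the device (not run here):
#   ssh_installed || apt-get install openssh-server
#   vendor_leftovers /etc/apt      # delete or move aside whatever it lists
#   write_wheezy_sources /etc/apt/sources.list
#   preflight /etc/apt && apt-get update && apt-get dist-upgrade
```

The point of running `preflight` against /etc/apt before `apt-get update` is that apt will happily report "0 upgraded" with a vendor pin still in place, and the failure only shows up later as packages held at their squeeze versions.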

johannes
Posts: 1469
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: Successful dist-upgrade to wheezy on a B3

Post by johannes » 12 Jan 2015, 11:12

Did you try to re-install the bubba packages afterwards, or is this impossible?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Stryker
Posts: 55
Joined: 17 Oct 2013, 11:03

Re: Successful dist-upgrade to wheezy on a B3

Post by Stryker » 14 Jan 2015, 18:56

Since I am also desperately trying to switch my B3 to a regular Debian, that can be updated with the normal package-sources.
I also already flashed my U-Boot to support recent kernels.

Is there any way to run a recent vanilla debian that can be easily updated through the regular sources (without requiring custom patches and compiling it myself).

Is it possible to run the debian-installer from a live-USB-stick (Either the excito-rescue one or maybe the gentoo-live-USB)

MouettE
Site admin
Posts: 264
Joined: 06 Oct 2011, 19:45

Re: Successful dist-upgrade to wheezy on a B3

Post by MouettE » 14 Jan 2015, 21:52

Stryker wrote:Since I am also desperately trying to switch my B3 to a regular Debian, that can be updated with the normal package-sources.
I also already flashed my U-Boot to support recent kernels.

Is there any way to run a recent vanilla debian that can be easily updated through the regular sources (without requiring custom patches and compiling it myself).
I've made a minimal wheezy image (available here) with an associated recent kernel (available here). 99% of packages are updated through debian package source (only the kernel and button daemon to monitor the power button are specific if I remember correctly). You are only dependent on manual kernel upgrades.
Stryker wrote:Is it possible to run the debian-installer from a live-USB-stick (Either the excito-rescue one or maybe the gentoo-live-USB)
I seriously thought about that a few months ago but it's not that simple because of the specific kernel you must use. I'm not a debian-installer specialist so maybe there would be a way to configure it to use a specific kernel package. I don't personally think it's worth the effort.

My minimal images were made from the excito image. I plan to create another image from scratch using only standard debian installation tools.

Stryker
Posts: 55
Joined: 17 Oct 2013, 11:03

Re: Successful dist-upgrade to wheezy on a B3

Post by Stryker » 16 Jan 2015, 15:52

MouettE wrote: I've made a minimal wheezy image (available here) with a associated recent kernel (available here). 99% of packages are updated through debian package source (only the kernel and button daemon to monitor the power button are specific if I remember correctly). You are only dependant on manual kernel uprades.
Can you explain to me, what exactly it is that prohibits you from using a vanilla kernel and forces you to custom-compile one?

I already use your wheezy-image :D

fredrikj
Posts: 30
Joined: 27 Jul 2011, 12:31

Re: Successful dist-upgrade to wheezy on a B3

Post by fredrikj » 14 Apr 2015, 02:30

johannes wrote:Did you try to re-install the bubba packages afterwards, or is this impossible?
Sorry for the late reply, Johannes. No, I didn't try to reinstall the bubba packages, the bubba-kernel is the only package I have left. I do not need or want the other stuff.

Generally, most of the bubba stuff is php-based, and I try to avoid having any php runtime on servers of mine that are exposed to the internet. That might be a bit over-the-top cautious, but that's me.

I'm confident the Excito folks were skilled programmers aware of OWASP etc, but php is one of the biggest attack vectors on the internet. And even if the php runtime could be secured, without anyone officially maintaining and providing updates for those bubba packages nowadays (AFAIK?) who can say that there isn't some new vulnerability in there?

This is BTW something I want to caution the rest of the bubba community about too. The bubba software was totally cool, and people like Johannes should have tons of cred for putting such a neat and coherent system together. (Despite the php, perhaps ;-)). But, regardless of firewall etc, you should never run unmaintained software on any device that is exposed to the internet. You'll get owned, and that's no fun.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Successful dist-upgrade to wheezy on a B3

Post by Ubi » 14 Apr 2015, 03:13

If you run something behind a firewall it's not exposed to the internet.

Gordon
Posts: 1349
Joined: 10 Aug 2011, 03:18

Re: Successful dist-upgrade to wheezy on a B3

Post by Gordon » 14 Apr 2015, 03:40

fredrikj wrote:This is BTW something I want to caution the rest of the bubba community about too. The bubba software was totally cool, and people like Johannes should have tons of cred for putting a such a neat and coherent system together. (Despite the php, perhaps ;-)). But, regardless of firewall etc, you should never run unmaintained software on any device that is exposed to the internet. You'll get owned, and that's no fun.
Have to disagree with this comment. PHP is no better or worse than any other HTML preprocessor. The problem that you are referring to is the possibility of injecting random code, which requires you to offer scripts that allow uploading such scripts, or the visitor being able to address PHP directly. The latter of which is not possible when running PHP in either FastCGI mode or as an Apache module, but only by using the CGI. And this is in fact a Debian flaw, because there is no reason to have all these instances on the same server yet this is how Debian installs PHP.

The thing here is: the admin interface on the B3 does not use the CGI and if people run stuff like Wordpress on their B3 it will use mod_php. You will therefore not break anything on the B3 by deleting the CGI and thereby removing PHP's hacker entry. And AFAIK the scripts in /admin are safe in the sense that they do not contain any random code execution option. Obviously Wordpress does, but that would not be any different if it had been written in java, or perl, or python.

And as Ubi states: if there is no door, there is no lock to pick.
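Whether one agrees with Gordon's view of PHP or not, the concrete check behind his post is worth having: is the CGI binary actually reachable through the web server, and can it be removed without touching the module the admin interface uses? The audit below is an added example for this thread, not code from Excito or from any poster. It assumes Debian's layout, where the php5-cgi package installs its binary under /usr/lib/cgi-bin and the default site publishes that directory with a ScriptAlias for /cgi-bin/, and where mod_php is enabled through mods-enabled/php5.load; both directories are parameters so the checks can be run against a copied config tree.

```shell
#!/bin/sh
# Added example: audit an Apache configuration tree for the PHP CGI entry
# point discussed above. Assumes Debian's layout (php5-cgi binary under the
# cgi-bin directory, mod_php enabled via mods-enabled/php5.load); both
# directories are passed in so the checks can run against any tree.

# Is the php5-cgi package installed at all?
php_cgi_installed() {
    dpkg-query -W -f='${Status}\n' php5-cgi 2>/dev/null \
        | grep -q 'install ok installed'
}

# Is PHP also loaded as an Apache module (what the admin interface uses)?
mod_php_enabled() {
    [ -e "$1/mods-enabled/php5.load" ]
}

# Print each config file that exposes php-cgi: a ScriptAlias publishing the
# cgi-bin directory while a php cgi binary sits in it, or an explicit
# Action/AddHandler/SetHandler that routes requests through php-cgi.
# Comments are stripped before matching. Returns 0 if anything was found.
php_cgi_exposed() {
    confdir="$1"; cgidir="$2"
    has_binary=1
    for b in "$cgidir"/php5 "$cgidir"/php5-cgi "$cgidir"/php-cgi; do
        [ -x "$b" ] && has_binary=0
    done
    findings=$(find "$confdir" -type f 2>/dev/null | while IFS= read -r f; do
        body=$(sed 's/#.*//' "$f")
        if [ "$has_binary" -eq 0 ] && printf '%s\n' "$body" \
            | grep -qiE '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-bin/'; then
            echo "$f: ScriptAlias publishes $cgidir while a php cgi binary is in it"
        fi
        if printf '%s\n' "$body" \
            | grep -qiE '^[[:space:]]*(Action|AddHandler|SetHandler)[[:space:]].*(php[0-9]*-cgi|/cgi-bin/php)'; then
            echo "$f: handler routes requests through php-cgi"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 0
    fi
    return 1
}

# Usage on a wheezy B3 (not run here):
#   php_cgi_exposed /etc/apache2 /usr/lib/cgi-bin && apt-get purge php5-cgi
#   mod_php_enabled /etc/apache2   # admin interface keeps its mod_php path
```

Purging php5-cgi is a separate package operation from libapache2-mod-php5 on Debian, which is what makes "delete the CGI, keep the admin interface" possible; re-run `php_cgi_exposed` afterwards, since a leftover handler line still points at a path that no longer exists and should be cleaned up too.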

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Successful dist-upgrade to wheezy on a B3

Post by Ubi » 14 Apr 2015, 03:58

Of course we did have the recent PHP exploit, but this was identified and fixed within days by the community itself. And although the exploit was not the PHP or perl software of the B3, it was still part of the 'bubba OS'...

I think you should keep in mind that nearly all attacks are not very sophisticated and can be mitigated using simple means (separate vhost, .htpassword, alternative port, firewall). It is unlikely that the NSA wants data from your machine, and if they really do want it, your firewall is not going to help you. (Not the least because it'll be easier for them just to get the police to confiscate the box).

Gordon
Posts: 1349
Joined: 10 Aug 2011, 03:18

Re: Successful dist-upgrade to wheezy on a B3

Post by Gordon » 14 Apr 2015, 04:44

Ubi wrote:Of course we did have the recent PHP exploit, but this was identified and fixed within days by the community itself. And although the exploit was not the PHP or perl software of the B3, it was still part of the 'bubba OS'...
Please be complete if you write stuff like that. It was not a PHP exploit, but a PHP CGI exploit. And in fact it didn't even have anything to do with Bubba OS. It was just there because it was part of the base building block of the OS and if Debian had created three separate packages for PHP the CGI would likely not have been installed and there would have been no issue.

fredrikj
Posts: 30
Joined: 27 Jul 2011, 12:31

Re: PHP security and abandonware

Post by fredrikj » 14 Apr 2015, 13:33

@Gordon: We'll have to agree to disagree about php's inherent security qualities. The internet is already flooded by debates on that topic, yet another one here won't change the facts for either side.

My main point was more about using unmaintained software. As long as there isn't anyone officially taking over maintenance of the old bubba packages and distribution, future security holes will go undetected and left open to abuse. Users should migrate to other applications or distributions that are actively maintained.

Gordon
Posts: 1349
Joined: 10 Aug 2011, 03:18

Re: Successful dist-upgrade to wheezy on a B3

Post by Gordon » 14 Apr 2015, 15:44

Oh but I'm not saying you're wrong, it's just that I'm not wrong either. The fact is that up to this moment no B2/3 was ever compromised through some exploit in the admin interface.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Successful dist-upgrade to wheezy on a B3

Post by Ubi » 15 Apr 2015, 02:28

Shall we stop the discussion on inherent PHP security in this thread? If you prefer I can ask the admins to move this into a separate thread, but the current discussion is no longer about dist-upgrade for wheezy.

amishorn
Posts: 21
Joined: 29 Feb 2012, 12:32
Location: Switzerland

Re: Successful dist-upgrade to wheezy on a B3

Post by amishorn » 29 Oct 2015, 10:16

@MouettE: First of all, thank you very much for the images and all you do that excito is more than less still alive...
I just wanna install OwnCloud on my B3 that is still running Debian 6 (squeeze). For that, however, OwnCloud isn't available anymore. So, first I need to update the B3 to wheezy at least, before I'll be able to install OwnCloud. Now, in this forum I found two common ways to update the system:
  • change the sources in /apt/sources.list from squeeze to wheezy or...
  • download the images and install the new distro by means of the rescue key (USB stick) as mentioned here
So far so good, but here are my questions now:
  1. Which method is to favor?
  2. If the latter - does the bubba kernel package additionally have to be installed afterwards (by means of dpkg) or is it already part of the image?
  3. Is the procedure safe regarding the data on the NAS or do I have to make a back-up before?
Are there any recommendations? I am really struggling with that point, as I don't wanna lose all my data!

Regards,
amishorn

MouettE
Site admin
Posts: 264
Joined: 06 Oct 2011, 19:45

Re: Successful dist-upgrade to wheezy on a B3

Post by MouettE » 04 Dec 2015, 09:30

amishorn wrote:Which method is to favor?
The best way is to do a clean install of the system using the soon-to-be-released jessie image.
amishorn wrote:If the latter - has the bubba kernel package additionally to be installed afterwards (by means of dpkg) or is it already part of the image?
It will already be a part of the image
amishorn wrote:Is the procedure safe regarding the data on the NAS or do I have to make a back-up before?
The installer can be configured to leave data on the other partitions of the disk. It will be fairly safe but given the youth of it I would recommend a backup just in case.
amishorn wrote:Are there any recommendations? I am really strugeling with that point, as I don't wanna loos all my data!
Backup, backup, backup it's the only safe way no matter the method you choose. In any case if you value your data that much it should already be the case.
