Pharos firmware 2.2.0 and Privilege Separation

3 weeks ago - last edited 3 weeks ago

Hello TP-Link,

Obviously, Pharos firmware 2.2.0 introduced privilege separation for the SSH login shell. The shell does not allow running commands that require root permissions.

Although it's a good idea to use privilege separation, there needs to be a way for authorized admins to run even privileged commands through SSH. For example, I need to be able to run the built-in radartool utility, which isn't possible anymore in Pharos v2.2.0 due to missing root permissions. But there is no way (at least I don't know of a way) to become root.

Why?

I'm aware that TP-Link reserves the right to change technical specifications and functions in order to improve product quality. But I think it's not o.k. to change firmware to remove functionality present before. This happened not only with Pharos products (i.e. removal of second Ethernet port, PoE pass-through on EU version of CPE510), but also with Omada Controller (i.e. removing Client Isolation setting in favour of Guest Network).

Please consider adding a mechanism to become root in Pharos 2.2.0 again. You could either provide the su command or the sudo command to allow the admin user to become root (that's what an admin is supposed to be, isn't it?). As a last resort - and easiest to fix - you could set the SUID bit on the radartool executable and change ownership of the file to root.

Proof:

Pharos up to v2.1.13 (tested on CPE510 v1.1):

# radartool numdetects
Radar: detected 0 radars

Pharos v2.2.0 (tested on the same CPE510):

$ radartool numdetects
radartool: wifi0: Operation not permitted
$ su
-sh: su: not found

BTW: The SSH setting is being reset on firmware updates even if »Keep settings« has been selected.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
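
Added example, not part of the original post and not TP-Link code: a SUID bit directly on radartool would let every local account run all of its subcommands as root. A narrower variant of the same idea is a small root-owned SUID wrapper that accepts only the `numdetects` call shown in the post. The install path in `RADARTOOL_PATH` and the wrapper name `radartool-ro` are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* ASSUMPTION: location of the real tool; the thread does not state it. */
#define RADARTOOL_PATH "/usr/sbin/radartool"

/* Allowlist: only the subcommand that appears in the thread. */
static const char *const allowed[] = { "numdetects", NULL };

/* Return 1 only for exactly "<prog> <allowed-subcommand>", otherwise 0.
 * Extra arguments are rejected so no option can be smuggled through. */
int request_allowed(int argc, char *const argv[])
{
    if (argc != 2 || argv[1] == NULL)
        return 0;
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strcmp(argv[1], allowed[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: no caller-controlled variable (LD_PRELOAD, PATH,
     * IFS, ...) reaches the process that runs with root's effective UID. */
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (!request_allowed(argc, argv)) {
        fprintf(stderr, "usage: %s numdetects\n",
                argc > 0 ? argv[0] : "radartool-ro");
        return 2;
    }

    /* Child argv is built from a constant plus the validated token.
     * Absolute path and execve(): no shell, no PATH lookup. */
    char *const child_argv[] = { "radartool", argv[1], NULL };
    execve(RADARTOOL_PATH, child_argv, clean_env);

    perror("execve");   /* reached only if the exec itself failed */
    return 1;
}
```
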
2 Replies
Re:Pharos 2.2.0 and Privilege Separation
3 weeks ago

Your suggestion is creative. TP-Link doesn't seem to mention this change in the release notes. (On the official TP-Link website, there is only V2.0.2 for Linux. I don't know where V2.2.0 and V2.1.13 are.)

I guess the reason TP-Link modified this mechanism is that they want to make using the controller simpler. But as you wrote, for some advanced users, this change may be inconvenient. Hope TP-Link staff can see this post.

Re: Pharos 2.2.0 and Privilege Separation
3 weeks ago - last edited 3 weeks ago

Scott.Tao wrote

Your suggestion is creative. TP-Link doesn't seem to mention this change in the release notes. (On the official TP-Link website, there is only V2.0.2 for Linux. I don't know where V2.2.0 and V2.1.13 are.)

Hello Scott.Tao,

Misunderstanding - my fault, sorry. Pharos Control is still 2.0.0-1 for Linux and 2.0.4 for Windows on the TP-Link support site in my country. If you want a newer version 2.0.4 of Pharos Control for Linux, see my port of v2.0.4 for Linux here. I just took over Java classes from the Windows version and added missing privilege separation for the controller by modifying the shell script which starts the controller. It also includes some polishing of the HTML code for the controller's web UI.

I clarified the title of the posting: it is about privilege separation added by TP-Link in Pharos firmware v2.2.0 (not controller!). The official version of Pharos Control still has no privilege separation.

You can find Pharos firmware v2.2.0 on the support site for CPE510 v3. It also installs and runs fine on almost all older Pharos devices (CPE210 v1, CPE510 v1.1, WBS210, WBS510) except CPE210 v2/v3 models, probably due to a new HW design of those two. For Pharos firmware 2.2.1 see WBS510 v2, but not yet fully tested - was just released today.

It's confusing, I know. But detection of model and region is done by the universal firmware on devices listed above (almost certainly contained in the ART partition of the flash memory). That's why you can install CPE510 and CPE610 firmware on other models, too.

FYI: The following Pharos firmware versions run fine on CPE/WBS (except on CPE210 v2/v3 and probably on CPE610):

drwxr-xr-x 4 pharos  staff      136 25 Dez  2018 Phaors-1.3.3-20160705
drwxr-xr-x 4 pharos  staff      136 25 Dez  2018 Pharos-2.0.0-20161117
drwxr-xr-x 4 pharos  staff      136 25 Dez  2018 Pharos-2.1.0-20170609
drwxr-xr-x 4 pharos  staff      136 25 Dez  2018 Pharos-2.1.6-20170908
drwxr-xr-x 4 pharos  staff      136 11 Mai  2018 Pharos-2.1.11-20180117
drwxr-xr-x 4 pharos  staff      136 25 Dez  2018 Pharos-2.1.12-20180202
drwxr-xr-x 5 pharos  staff      170 25 Dez  2018 Pharos-2.1.13-20180327
drwxr-xr-x 5 pharos  staff      170 28 Feb 17:01 Pharos-2.2.0-20190125
drwxr-xr-x 5 pharos  staff      170 22 Aug 04:25 Pharos-2.2.1-20190718

It would become less confusing if firmware filenames were more structured, as shown above.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻