issue107:tutoriel2

This is an old revision of the document!


I would like to start off this article by presenting my new server to the reader.

Yes, this is it (shown above). A 2013 version (actually 2014) Nexus 7 tablet, with the Ubuntu Touch operating system. Naturally, it is no news today that mobile phone and tablet hardware can be put to some creative use (light use, actually) as a server - the Raspberry Pi took care of that. A point could even be made that ARM processors are ideal for servers with light or sporadic use, since the very same power management characteristics that are so useful for making the most of your mobile phone’s battery can be put to use here, putting such a server to sleep when it is not processing requests and thus saving on electricity bills.

What was lacking was in fact the operating system. Neither iOS nor Android can be seen as server-grade operating systems; they are just not built that way. Their paradigm is rather that of a single-user system with a graphical desktop, which is fine since most devices are used precisely for that purpose. But what about Ubuntu Touch? Since the tablet version of Ubuntu is a direct derivative of the desktop offering, there are many characteristics of the system that can be used to set up a pocket server. We will consider some of them in the following lines.

WE HAVE ROOT

To operate a server, having root access to the underlying system is a must. Software needs to be installed and configured, and indeed some services need root access just to start up - mainly those using privileged TCP/IP ports in the 1-1023 range (think Web servers).

We all know about the hoops iOS and Android make users jump through just to gain root access. Special programs need to be installed that basically use much the same tools a hacker would need to escalate privileges and become administrator. This is obviously a bit problematic, on two counts. In the first place, the very existence of rooting applications means that there are well-known defects in system security. So, what is to prevent other applications or malware from using the very same defects for nefarious purposes? On the other hand, the user installing such a kit should always ask himself or herself whether the person making such an app available could eventually be tempted to include a backdoor, making the entire device controllable from elsewhere without the legitimate proprietor knowing anything about it. Somebody who has the knowledge to root a device’s operating system will probably also have the information to set up such a trojan.

In Ubuntu Touch, on the other hand, we can just fire up the terminal - and yes, there is a terminal available as standard. Much as you would on any Ubuntu computer, the default user (who goes by the login “phablet”) just needs to issue a sudo bash, and there one is with root privileges. The password is the same password or PIN code used to set up the device.

This can be seen as both a good and a bad feature. On one hand, there is no futzing about with software of dubious origin. On the other, any software that is well-enough thought out could eventually persuade the user to enter his password, thus gaining root access. If Ubuntu Touch were to gain a considerable market share, then such phishing attempts would unfortunately become more a probability than a mere hypothesis.

THE PACKAGE MANAGER

Since we have root, it should be a relatively simple affair to install our favorite software packages from the repositories, and off we go. Unfortunately, things are not quite that simple.

In the first place, Ubuntu Touch has gone the Snappy way. This is a new way of distributing the actual files that a software package contains into our computer’s filesystem. In the regular versions of the *buntu distributions, the apt package system is used. Each package file (actually a file with the .DEB extension) contains many individual files. On installation, each file will be written to the appropriate directory on our computer. So configuration files go into /etc, binary (program) files into /usr/bin, libraries into /usr/lib, and program data into /var.

Snappy packages work in a different way:

“Each snappy package is installed into its own directory. snappy packages will never overwrite files that belong to different packages or older versions of the same package. A normal snappy package can read only its own space and write to a special writable area. This is enforced via the apparmor profile for ubuntu-core apps.”

Source: Ubuntu Snappy Filesystem Layout Guide https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/.

Instead of using the Snappy default location for applications (which is /apps), Ubuntu Touch uses directory /custom/click. For example, the Terminal application that comes with Ubuntu Touch can be located in three versions, all in subdirectories of /custom/click/com.ubuntu.terminal:

    # find / -name terminal
    /custom/click/com.ubuntu.terminal/0.7.121/lib/arm-linux-gnueabihf/bin/terminal
    /custom/click/com.ubuntu.terminal/0.7.121/lib/i386-linux-gnu/bin/terminal
    /custom/click/com.ubuntu.terminal/0.7.121/lib/x86_64-linux-gnu/bin/terminal

Ubuntu Touch also has a different software manager. Both graphical (the “Ubuntu Store” app) and console (“pkcon”) versions are available. Unfortunately, neither of them has complete access to the vast range of software available inside the apt repositories. Even worse, some packages would seem to be available using pkcon, but cannot actually be installed in this way.

So, what can we use to install our favorite server software? The answer is naturally the very same apt-get, aptitude, etc, commands we are used to on Ubuntu Server.

Now, before going any further, let us stress that this is NOT something Canonical approves of, which is quite understandable in a way since there is no guarantee that the Snappy/Click packages and apt packages will play well together going forward. So please proceed with caution - and be prepared to reinstall the system from scratch if everything should go belly-up. (I do not think anything very bad will happen, but it COULD, so…)

Before proceeding, we should note that the root filesystem is mounted read-only by default on Ubuntu Touch. So the first thing we will need to do is remount it read-write. To do so, start on the device by going to Settings > About this device > Developer Mode, and turn the Developer Mode on. Now, with the USB cable, connect the device to the computer used to install Ubuntu Touch - or any computer with the phablet-tools package installed. As root, issue the following command on the computer:

    # phablet-config writable-image

You should eventually see the device reboot, now with the filesystem in read-write.

Inside the Terminal app on the device itself, or through a terminal from the computer (try command “adb shell” on the computer with the device connected), we can now issue a series of commands:

    phablet@ubuntu-phablet:~$ sudo bash
    [sudo] password for phablet:
    root@ubuntu-phablet:~# apt-get update

and we should see the tablet making its connection to the Ubuntu repositories in the usual manner.

MAKING USE OF AVAILABLE TECHNIQUES

Once the apt system is up and running, we can start installing the software to turn our tablet into a server. Just to make things clear: we will be installing software that is meant to work in the background, with, at most, error messages on the console or in log files. There will be no graphical programs on this one, basically because most graphical software for Ubuntu is still compiled for the X server. Ubuntu Touch runs Mir, which is not compatible.

Perhaps a first step could be to install an SSH server, to enable us to SSH in from another computer. Actually, this is not necessary since the openssh-server package is already installed in Touch. However, for some reason it is not started automatically on boot. A quick fix is to edit the /etc/rc.local file and insert the appropriate command at the end of this file. It should now end like this:

    service ssh start
    exit 0

Meanwhile, the SSH service can be started manually at any time using the service command:

    service ssh restart

When SSH-ing in from another computer, please remember the default user is “phablet”, so, assuming 192.168.0.117 is the IP address of the tablet, try:

    ssh phablet@192.168.0.117

Root entry through SSH and password-less access can be configured in the usual way.

Since SSH has support for file copying, the scp and rsync commands will work to transfer files to and from the tablet. SFTP will also work, enabling most desktop managers to mount the device’s filesystem over the network.

A second service that may be of use is a web server. Apache is a likely candidate:

    # apt-get install apache2

Once working, we could investigate options such as using Apache for webDAV. This would mean that once up, any other devices (or computers) on the same network could access files on the device, and if using webDAV-enabled software (such as Cadaver) could upload files to the device. Some calendar systems like to use webDAV to synchronize items.

Windows file-sharing is easily enabled. Just install Samba, and edit the configuration file /etc/samba/smb.conf. Do not forget to add a samba password to user phablet! So:

    # apt-get install samba
    # vi /etc/samba/smb.conf
    # smbpasswd -a phablet
    # service smbd restart

From another computer, we can now navigate through the network and log into our device. Try connecting to address “smb://phablet@192.168.0.117” (substituting your device’s IP address). It is always nice to see a mere mobile device recognized as a full-blown server.

For extra Geek points, install a git repository and use it to work collaboratively on a project with other people. Doing a commit to your phone is probably not within the bounds of normal users’ experience.

Finally, an easy - and elegant - way of sharing the music and/or videos from your device to the local network is using a Universal Plug-’n-Play software tool to export your media library. Unfortunately, a complete Home Theatre such as Kodi/XBMC cannot be installed, since it is much too reliant on having a graphical display available. Even standalone mode does not seem to work on Touch. However, smaller UPnP/DLNA tools such as miniupnp do work well. Installation is simply:

    # apt-get install sqlite minidlna

Then, edit files /etc/default/minidlna and /etc/minidlna.conf with appropriate configuration stanzas, such as:

    media_dir=A,/home/phablet/Music
    media_dir=V,/home/phablet/Videos

and

    network_interface=wlan0

Restart the server:

    # service minidlna restart

If there are any problems, you may find some indications on what is happening in the log files:

    # tail /var/log/minidlna.log

From any other computer or tablet on the same network, the tablet’s contents should now be available. For example, on VLC:

SOME FINAL WORDS

Just to conclude, it may be well to consider some security aspects. Configuring a server securely is supposed to be a complex endeavour - and it actually is. The techniques shown above are in essence opening up doors to the world, doors that those outside could conceivably use to get in. If you store sensitive information on the device, this could eventually be compromised. So it is perhaps best to consider using a mix of security techniques such as strong passwords and encrypted protocols (HTTPS) where available.

It is also good practice not to leave less secure services such as Samba (Windows file sharing) and UPnP open on networks you do not fully control. If you do wish to use them, then perhaps it would be best to make sure these servers are not broadcasting on a public network. Some possibilities are to tie them to a particular IP address - one that the device uses on your home network, but not on others - or simply to have these services off by default and turn them on only when required.

With this in mind, there is no lack of interesting projects that can be investigated with an Ubuntu Touch device. Basically, if a Raspberry Pi can handle it, chances are the ‘phone in your pocket can also do so. In any case, it is nice to know that such possibilities are now available to make your device a little more than just a window for browsing the Internet.
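One way to apply the advice above about keeping Samba and UPnP off by default and turning them on only on the home network, as an added example that is not part of the original article. It goes one step beyond the article's IP-address suggestion by also checking the default gateway's MAC address, since a private address such as 192.168.0.117 can be handed out on other networks too; HOME_GW_MAC is a constructed placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run Samba and minidlna only on the home network.
# HOME_ADDR is the article's sample address; HOME_GW_MAC is a constructed
# placeholder to be replaced with your own router's MAC address.
HOME_ADDR="192.168.0.117"
HOME_GW_MAC="02:00:00:aa:bb:cc"
IFACE="wlan0"
SERVICES="smbd minidlna"

# First IPv4 address in `ip -4 -o addr show dev IFACE` output (stdin).
parse_ipv4() {
    awk '{
        for (i = 1; i < NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# Default gateway in `ip -4 route show default` output (stdin).
parse_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Lower-cased MAC of address $1 in `ip neigh show` output (stdin).
# Prints nothing for FAILED/INCOMPLETE entries, which carry no lladdr.
parse_mac() {
    awk -v ip="$1" '$1 == ip {
        for (i = 2; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit }
    }'
}

# decide ADDR GW_MAC: "start" only if both match, otherwise "stop".
decide() {
    if [ "$1" = "$HOME_ADDR" ] && [ "$2" = "$HOME_GW_MAC" ]; then
        echo start
    else
        echo stop
    fi
}

apply() {
    addr=$(ip -4 -o addr show dev "$IFACE" | parse_ipv4)
    gw=$(ip -4 route show default dev "$IFACE" | parse_gateway)
    # One ping so the gateway has a neighbour-table entry to inspect.
    [ -n "$gw" ] && ping -c 1 -W 1 "$gw" >/dev/null 2>&1 || true
    mac=$(ip neigh show dev "$IFACE" | parse_mac "$gw")
    action=$(decide "$addr" "$mac")
    for s in $SERVICES; do service "$s" "$action"; done
}

# Run as root with --apply, by hand or from a network-up hook.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

A gateway MAC can be forged by whoever runs a network, so this check guards against accidental exposure on foreign networks and does not replace strong passwords on the services themselves.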

issue107/tutoriel2.1460725483.txt.gz · Last modified: 2016/04/15 15:04 by auntiee