Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Make your macOS/Linux/BSD/illumos/HaikuOS machine visible in Network view of Windows Explorer

License

NotificationsYou must be signed in to change notification settings

gershnik/wsdd-native

Repository files navigation

VersionLicenseLanguage

A Unix daemon that makes your macOS/Linux/BSD/illumos/HaikuOS machine visible in Network view of Windows Explorer on newer versions of Windows.

It implements WS-Discovery protocol that Windows now uses to discover machines on local network. It is a native daemon, written in C++.

Features

  • Fully supports macOS, Linux, FreeBSD, OpenBSD, NetBSD and illumos. Partial support for Haiku OS
  • Can be configured via a configuration file, not just command line.
  • Discovers Samba/macOS SMB configuration on its own. (This can be overridden, if desired)
  • Can present the Unix host as something other than "Computer" in Windows Explorer.
  • Integrates well withsystemd andlaunchd. Of course, it can also run as a classical Unix daemon for other init systems.
  • Friendly to various log rotation methods likenewsyslogd andlogrotate. Supports standard reload semantics via SIGHUP.
  • Written with security in mind first and foremost.
  • Will never run any network code as root. Designated user account to run under is created automatically, if needed.

There are a couple of similar projects available:wsdd written in Python andwsdd2 written in C. Neither of them, however, fully provides the features above.

Binary packages

macOS

On macOS there are 3 ways to installwsddn: via a standalone installer package,Homebrew orMacports.Using a standalone installer is simpler but you will have to manually install any future updates as well.Homebrew/Macports are a bit more complicated to set up but it provides updatability similar to Linux/BSD package managers.

For all 3 methods the supported platforms are:

  • macOS Catalina (10.15) and above
  • Both Intel and Apple Silicon

Standalone installer

Setup and usage (click to expand)

To install via standalone.pkg installer:

If you prefer command line, you can also install via:

sudo installer -pkg /path/to/wsddn-macos-1.22.pkg -target /

To fully uninstallwsddn run/usr/local/bin/wsddn-uninstall

Daemon will start automatically on install.

To start/stop/reload the daemon use:

sudo launchctl kickstart system/io.github.gershnik.wsddnsudo launchctlkill TERM system/io.github.gershnik.wsddnsudo launchctlkill HUP system/io.github.gershnik.wsddn

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon and related logs can be viewed in system log by searching for subsystem orprocess names containing stringwsddn. For example:

log show --last 15m --debug --info \  --predicate'subsystem CONTAINS "wsddn" OR process CONTAINS "wsddn"'

Homebrew

Setup and usage (click to expand)

Homebrew package ('cask') can be installed via a custom tap.

To set it up

brew tap gershnik/repo

Then

brew install wsddn

This installs exactly the same thing as standalone installer would so all the usage instructions underStandalone installer apply as well.

Macports

Setup and usage (click to expand)

Macports package can be installed via a custom repository.

To set the repo up:

sudo bash<<'___'set -epemurl=https://gershnik.com/macports-repo/macports.pemporturl=https://www.gershnik.com/macports-repo/ports.tar.bz2prefix=$(dirname $(dirname $(which port)))pemfile="$prefix/share/macports/gershnik.pem"pubkeysfile="$prefix/etc/macports/pubkeys.conf"sourcesfile="$prefix/etc/macports/sources.conf"curl -s $pemurl > "$pemfile"grep -qxF "$pemfile" "$pubkeysfile" || echo $pemfile >> "$pubkeysfile"grep -qxF "$porturl" "$sourcesfile" || echo $porturl >> "$sourcesfile"sudo port sync___

Then you can installwsddn as usual via

sudo port install wsddn

Daemon will start automatically on install.

To start/stop/reload the daemon use:

sudo launchctl kickstart system/org.macports.wsddnsudo launchctlkill TERM system/org.macports.wsddnsudo launchctlkill HUP system/org.macports.wsddn

Configuration file will be at/opt/local/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon and related logs can be viewed in system log by searching for subsystem orprocess names containing stringwsddn. For example:

log show --last 15m --debug --info \  --predicate'subsystem CONTAINS "wsddn" OR process CONTAINS "wsddn"'

Ubuntu/Debian/Mint/Raspberry Pi

Pre-built packages are available in a custom apt repository for systems newer than Ubuntu 20.04 (focal) orDebian 11 (bullseye). Any Debian system based upon those or newer should work.

Architectures supported:amd64 (akax86_64),arm64 (akaaarch64) andarmhf

Setup and usage (click to expand)

To set up the apt repository:

  • Import the repository public key

    wget -qO- https://www.gershnik.com/apt-repo/conf/pgp-key.public \| gpg --dearmor \| sudo tee /usr/share/keyrings/gershnik.gpg>/dev/null

  • Add new repo

    echo"deb" \"[arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gershnik.gpg]" \"https://www.gershnik.com/apt-repo/" \"base" \"main" \| sudo tee /etc/apt/sources.list.d/wsddn.list>/dev/null

Once the repository is set up you can installwsddn as usual via:

sudo apt updatesudo apt install wsddn

If you have UFW firewall running, do

sudo ufw allow wsddn

Daemon will be enabled and started automatically on first install but keep its existing state on updates.

Onsystemd based distributions to start/stop/reload it use

sudo systemctl start wsddnsudo systemctl stop wsddnsudo systemctl reload wsddn

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon log can be viewed viajournalctl as usual

journalctl -u wsddn

On non-systemd based distributions (and Docker) you can use:

sudo /etc/init.d/wsddn startsudo /etc/init.d/wsddn stopsudo /etc/init.d/wsddn reload

and the log is available at/var/log/wsddn.log

RedHat/CentOS/Fedora

Pre-built packages are available onFedora Copr repository.Visit that link to see currently supported distributions and architectures.

Setup and usage (click to expand)

To set the repo up you need to installcopr plugin if you haven't already done so:

sudo dnf install dnf-plugins-core#or with yum#sudo yum install yum-plugin-copr

Then

sudo dnf coprenable gershnik/wsddn#or with yum#sudo yum copr enable gershnik/wsddn

Once the repository is set up you can installwsddn as usual via

sudo dnf install wsddn#or with yum#sudo yum install wsddn

On first install firewall will be configured to openwsddn service.

Enable and start the daemon:

sudo systemctlenable wsddnsudo systemctl start wsddn

To start/stop/reload it use

sudo systemctl start wsddnsudo systemctl stop wsddnsudo systemctl reload wsddn

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon log can be viewed viajournalctl as usual

journalctl -u wsddn

OpenSUSE

Pre-built OpenSUSE packages for Tumbleweed are available viaFedora Copr.

Architectures supported:x86_64 andaarch64

Setup and usage (click to expand)

To set up the repository:

  1. Import the repository PGP key
wget -qO wsddn.gpg  https://download.copr.fedorainfracloud.org/results/gershnik/wsddn/pubkey.gpg \&& sudo rpm --import wsddn.gpg \&& rm wsddn.gpg
  1. Add the repository configuration tozypper
sudo zypper addrepo -f https://download.copr.fedorainfracloud.org/results/gershnik/wsddn/opensuse-tumbleweed-$(arch) wsddn
  1. Refreshzypper
sudo zypper refresh

You will receive a warning saying something likeWarning: File 'repomd.xml' from repository 'wsddn' is unsigned .... This is expected as Fedora Copr doesn't sign the repository itself, only actual RPMs.Answery to allow.

Once the repository is set up you can installwsddn as usual via:

sudo zypperin wsddn

On first install firewall ports5357/tcp and3702/udp will be opened.

Enable and start the daemon:

sudo systemctlenable wsddnsudo systemctl start wsddn

To start/stop/reload it use

sudo systemctl start wsddnsudo systemctl stop wsddnsudo systemctl reload wsddn

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon log can be viewed viajournalctl as usual

journalctl -u wsddn

Arch Linux

Source package is available onAUR athttps://aur.archlinux.org/packages/wsdd-native

Pre-built packages are available in a custompacman repository.

Architectures supported:x86_64 andaarch64

Setup and usage (click to expand)

To set up the repository:

  1. Import the repository PGP key
sudo pacman-key --recv-keys'CF567A58C5DB9C6908C6E87E6EBB54370005A361' \&& sudo pacman-key --lsign-key'CF567A58C5DB9C6908C6E87E6EBB54370005A361'
  1. Add the repository configuration to/etc/pacman.conf
[gershnik]Server = https://www.gershnik.com/arch-repo/$arch
  1. Refresh the package databases
sudo pacman -Sy

Once the repository is set up you can installwsdd-native as usual via:

sudo pacman -S wsdd-native

If you have UFW firewall running, do

sudo ufw allow wsddn

As per Arch Linux convention the installation does not automatically enable or start services.

Enable and start the daemon:

sudo systemctlenable wsddnsudo systemctl start wsddn

To start/stop/reload it use

sudo systemctl start wsddnsudo systemctl stop wsddnsudo systemctl reload wsddn

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Daemon log can be viewed viajournalctl as usual

journalctl -u wsddn

Alpine

Pre-built packages are available in a customapk repository for Alpine 3.18 or above.

Architectures supported:x86_64 andaarch64

Setup and usage (click to expand)

To set up the repository:

  1. Import the repository key
wget -qO-  https://www.gershnik.com/alpine-repo/gershnik@hotmail.com-6643812b.rsa.pub \| sudo tee /etc/apk/keys/gershnik@hotmail.com-6643812b.rsa.pub>/dev/null
  1. Add new repo
sudo mkdir -p /etc/apk/repositories.d&& \echo"https://www.gershnik.com/alpine-repo/main" \| sudo tee /etc/apk/repositories.d/www.gershnik.com.list>/dev/null
  1. Updateapk
sudo apk update
  1. Install the package.
sudo apk add wsdd-native

If your Alpine system has OpenRC running (e.g. not a Docker container), OpenRC configuration will be automatically installed too.Otherwise, if desired, you can manually add it viasudo apk add wsdd-native-openrc. Similarly documentation is available viasudo apk add wsdd-native-doc.

Under OpenRC:

Enable and start the service:

sudo rc-update add wsddnsudo rc-service wsddn start

To start/stop/reload it use

sudo rc-service wsddn startsudo rc-service wsddn stopsudo rc-service wsddn reload

Configuration file will be at/etc/wsddn.conf. Comments inside indicate available options and their meaning.If you installed documentation you can also useman wsddn to learn about configuration or see online versionhere

Log file is located at/var/log/wsddn.log. Log file rotation is configured vialogrotate. To modify rotation settings edit/etc/logrotate.d/wsddn

FreeBSD

Pre-built packages are available for FreeBSD 13 and 14 in a custom binary package repository.Bothamd64 (akax86_64) andarm64 (akaaarch64) architectures are supported.

Setup and usage (click to expand)

To set the repo up:

  • Create the custom repo config folder if it does not already exist
    sudo mkdir -p /usr/local/etc/pkg/repos
  • Download the repository public key
    wget -qO- https://www.gershnik.com/bsd-repo/rsa-key.pub \| sudo tee /usr/local/etc/pkg/repos/www_gershnik_com.pub> /dev/null
  • Create a file named/usr/local/etc/pkg/repos/www_gershnik_com.conf
  • Put the following content in it:
    www_gershnik_com: {    url: "https://www.gershnik.com/bsd-repo/${ABI}",    signature_type: "pubkey",    pubkey: "/usr/local/etc/pkg/repos/www_gershnik_com.pub",    enabled: yes}

Once the repository is set up you can installwsddn as usual via

sudo pkg updatesudo pkg install wsddn

As is standard on FreeBSD daemon will not be enabled or started after installation. To enable it, edit/etc/rc.conf and addthe following line there:

wsddn_enable="YES"

To start/stop/reload the daemon use:

sudo service wsddn startsudo service wsddn stopsudo service wsddn reload

Configuration file will be at/usr/local/etc/wsddn.conf. Comments inside indicate available options and their meaning.You can also useman wsddn to learn about configuration or see online versionhere

Log file is located at/var/log/wsddn.log. Log file rotation is configured vianewsylogd. To modify rotation settings edit/usr/local/etc/newsyslog.conf.d/wsddn.conf

OpenBSD

A standalone binary package is available for OpenBSD 7.5 and higher. Onlyamd64 (akax86_64)architecture is currently supported. The package is available fromReleases.

Setup and usage (click to expand)

To install:

mv wsddn-1.22-OpenBSD-amd64.tgz wsddn-1.22.tgz
  • Run
#pkg_add -D unsigned wsddn-x.y.tgz

To uninstall:

#pkg_delete [-c] wsddn

Use the-c flag to also remove_wsddn daemon user and group.

As is standard on OpenBSD daemon will not be enabled or started after installation.To enable it call

#rcctlenable wsddn

To start/stop/reload the daemon use:

#rcctl start wsddn#rcctl stop wsddn#rcctl reload wsddn

Configuration file will be at/etc/wsddn/wsddn.conf. Comments inside indicate available options and their meaning. You can also consult/etc/wsddn/wsddn.conf.sample you can consult, that preserves the original configuration.You can also useman wsddn to learn about configuration or see online versionhere

Log file is located at/var/log/wsddn.log. Log file rotation is configured vianewsylogd. To modify rotation settings edit/etc/newsyslog.conf.

Docker

On Linux, if you are loath to install or build anything you also have an option to runwsdd-native in a Docker container.

Warning

Docker container willnot work on macOS.

Setup and usage (click to expand)

To run the container do

docker run --net=host -e WSDDN_HOSTNAME=$(hostname) gershnik/wsddn

Note that--net=host is required. Without itwsdd-native cannot send and receivenecessary WS-Discovery traffic from your host.

You can also pass-e WSDDN_WORKGROUP=name to change workgroup name or-e WSDDN_DOMAIN=name to indicate domain membership. There are no otherconfigurable settings.

Building from sources

Prerequisites

  • Git
  • C++20 capable compiler. Minimal compilers known to work are GCC 10.2, Clang 13 and Xcode 13.
  • CMake 3.25 or greater. If your distribution CMake is older than that you can download a newer version fromhttps://cmake.org/download/
  • Optional: On Linux if you wish to enablesystemd integration make sure you havelibsystemd library and headers installed on your system. On APT systems use:
    sudo apt install libsystemd-dev
    On DNF systems use
    sudo dnf install systemd-devel

Building and installing

git clone https://github.com/gershnik/wsdd-native.gitcd wsdd-nativecmake -S. -B out -DCMAKE_BUILD_TYPE=RelWithDebInfo cmake --build outsudo cmake --install out --strip

Thewsddn executable will be installed into/usr/local/bin and manpage added to section 8 of the manual.

The following flags can be passed to CMake configure step:

  • -DWSDDN_PREFER_SYSTEM_LIBXML2=ON|OFF
  • -DWSDDN_PREFER_SYSTEM_FMT=ON|OFF
  • -DWSDDN_PREFER_SYSTEM_SPDLOG=ON|OFF
  • -DWSDDN_PREFER_SYSTEM_TOMLPLUSPLUS=ON|OFF

This controls whether to prefer system package version of 3rd party libraries or fetch and use them from sources.By default all dependencies are fetched and used from sources.

On Linux:

-DWSDDN_WITH_SYSTEMD="yes"|"no"|"auto".

This controls whether to enablesystemd integration. Auto performs auto-detection (this is the default).

Setting up daemon

Theconfig directory of this repo contains sample configuration files for different init systems (Systemd, Launchd, SysV init, FreeBSD and OpenBSD rc.d and OpenRC). You can adapt those as appropriate to your system.

Command line flags and configuration file entries are documented inman wsddn and onlinehere

Usage

Firewall Setup

Note: The following instructions are copied almost verbatim fromwsdd since the requirements are identical

Traffic for the following ports, directions and addresses must be allowed.

  • incoming and outgoing traffic toudp/3702 with multicast destination:
    • 239.255.255.250 for IPv4
    • ff02::c for IPv6
  • outgoing unicast traffic fromudp/3702
  • incoming totcp/5357

You should further restrict the traffic to the (link-)local subnet, e.g. by using thefe80::/10 address space for IPv6. Please note that IGMP traffic must be enabled in order to get IPv4 multicast traffic working.

For UFW and firewalld, application/service profiles can be found underconfig/firewalls. If using binary installation packages these are providedas part of the installation. Note that UFW profiles only allow to grant the traffic on specific UDP and TCP ports, but a restriction on the IP range (like link local for IPv6) or the multicast traffic is not possible.

Security

There are four main security concerns with a daemon that accepts network requests and delivers data about local machine over the network

  1. A bug inside the daemon code may allow a remote attacker to penetrate the machine running it.
  2. The information legitimately provided by the daemon will disclose something to an attacker that would otherwise remain unknown, enabling him to mount further attacks.
  3. A bug or even thenormal functionality of the daemon might allow a remote attacker to use it to mount further attacks against other systems. For example it might be possible to "convince" the daemon to become a part of a distributed denial of service (DDoS) attack.
  4. A bug or a normal operation of the daemon might allow a remote attacker to make it or even the entire machine hosting it unresponsive resulting in a denial of service.

Currently the implementation ignores the second concern. The thingswsdd-native discloses are the existence of the local host, its name, presence of Samba on it and domain/workgroup membership. All of these are generally disclosed by Samba itself via SMB broadcasts so, assuming the firewall is configured as described above, there is no net gain for an attacker. WS-Discovery protocol contains provisions for encrypting its HTTP traffic and potentially authenticating clients accessing your host via their client certificates. This limits exposure somewhat but at a significant configuration and maintenance cost. If there is interest in any of it it is possible to easily add this functionality in a future version.

The first concern is by far the most significant one. All software contains bugs and despite developer's best efforts there is always a risk that a bad actor can discover some kind of input that allows him to hijack the server process. To address this possibilitywsdd-native takes the following measures (apart from general secure coding practices):

  • The process performing network communications never runs as root. If launched as root it will create an unprivileged account (_wsddn:_wsddn orwsddn:wsddn based on platform conventions) and run network process under it.
  • Similarly when started as root the daemon will lock the network process in achroot jail (usually/var/empty or/var/run/wsddn or another platform appropriate location).

These measures are automatic and cannot be bypassed. Taken together they should limit the fallout of any vulnerability though, of course, nothing ever can be claimed to be 100% secure.

Note that when running onsystemd systems it is recommended to use itsDynamicUser facility instead of running as root and relying on the measures above. The Debian/Ubuntu/Fedora/Arch binary packages do so.

The third concern is also a significant one. Even in absence of any bugs a completely correct implementation of WS-Discovery protocol is known to be vulnerable to these kinds of attacks. See for examplehere andhere.Bugs (always a possibility) can make things even worse. As far as I know there is no effective mitigation to this threat thatwsdd-native can implement in code. The only way to prevent these kinds of attacks is tonever exposewsdd-native ports to open internet viafirewall configuration. Given that the whole purpose of this daemon is to enable interoperability with Windows via SMB protocol there is probably never a goodreason to let it accept and send traffic outside of a local network.

The fourth concern, while also present, is less severe than the above.wsdd-native is single threaded and so, even if overwhelmed by traffic, will not stress more than 1 CPU core. Its memory consumption is bounded so, in absence of bugs, it will not stress system memory either. It can itself be rendered unresponsive, of course, by too much traffic but, considering that it probably isn't a vital service for anyone, this isn't something that would excite any attacker. Possible bugs change this picture, however. If the network process is hijacked, even if mitigations for the 1st concern prevent further system penetration, the attacker can still make the network process consume too much CPU and memory. You can try to mitigate against this possibility by limiting daemon CPU and memory usage viacgroups or other mechanisms. However, a much simpler solution to these issues is the same as the above - never expose the daemon to the open internet.

Custom metadata

By defaultwsdd-native exposes the host it is running on as a computer in "Computer" section of Windows Explorer Network view. Clicking on a computer will attempt to access its shares via SMB protocol.

Instead of thiswsdd-native allows you to expose the host as a different kind of device among those supported by Windows Explorer, for example a media player, home security, printer etc. To do so you need to author a custom metadata XML and specify it via--metadata command line switch ormetadata field inwsddn.conf.

More details on this can be foundon this page.

Acknowledgements

wsdd-native is directly influenced bywsdd. While no source code from it was directly re-used in this project, many design and implementation ideas were; as well as command line design and some documentation content.

SeeAcknowledgements.md for information about open source libraries used in this project.

Reporting Bugs

Please use the GitHubissue tracker to report any bugs or suggestions.For vulnerability disclosures or other security concerns seeSecurity Policy

About

Make your macOS/Linux/BSD/illumos/HaikuOS machine visible in Network view of Windows Explorer

Topics

Resources

License

Security policy

Stars

Watchers

Forks

[8]ページ先頭
©2009-2025 Movatter.jp