Major Security Hole In Samsung Linux Drivers

GerbilSoft writes with news of a major security hole in Samsung's proprietary Linux printer drivers. From the Ubuntu Forums: "Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). [Google translation here.] It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password. What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo." GerbilSoft adds: "Among the programs that it sets as setuid-root are OpenOffice, xsane, and xscanimage."

Lazy Design...

This sounds like a cheap hack. There is no need for these things to be setuid root, not on the program level. Sounds like someone is used to programming Windows drivers...

I'm tempted to infer something sinister about this, but then I remember the old adage "never attribute to malice what can be explained by stupidity." It keeps your blood pressure nice and low.

Re:Lazy Design...

The employee should be fired. They are the one who actually made the mistake, and who has shown they have no abilities. Managers shouldn't have to take the all the blame for their employees mistakes. If the manager has had a bad track record and this kind of thing happens too often, then maybe he should get fired, but you can't make the judgement that the manager should get fired every time an employee screws up.

Re:Flawed Design...

I'm going to reply to your post backwards, but you'll see why.

Unix security if just flawed and the flaw is called "root".

There is a fix for this flaw. It's called 'groups.'

Only when the little bugger of an hotplug-manager changes the user id for the scanner device to the logged on user. Which still only gives one user access to the scanner. Have my Wife remote logged in and only one of us can use the scanner.

This is distro-dependant. On Ubuntu, scanner access is controlled by groups. Want a user to be able to scan? You add them to the scanner group. You want someone to have access to burn CDs/DVDs? You add them to the cdrom group. If the scanner device is owned by any user, and owned by the group scanner, the permissions on the scanning device are set to group read/write, and both you and your wife are in the scanner group, then you both have access to the scanner. Try it yourself. Problem solved.

BTW--with SANE, the best way to have two people access the same scanner is via the saned network sharing mechanism, which allows other systems using xsane (or other sane front-end) to access the scanner over the network without having to remote login.

Re:Flawed Design...

Which is why most distros support POSIX ACLs...they are just not widely used. Ext2, Ext3, JFS, XFS, and ReiserFS all support ACLs (extended attributes). I believe NFS version 3 and 4 also support ACLs.

There are of course some other areas which ACL's don't address but there are pre-existing mechanisms to address those as well. Well, on most modern Unix/Linux systems anyways. The model has survived for so long for simple reasons; it's effective, simple and covers the vast majority of situations. When complex requirements come into light, more complex solutions exist. Most people just don't know about them.

Re:Lazy Design...

I can't tell you why the driver did what it did. However, from what I've read, the driver actually moves binaries to new locations and replaces them with a startup script which is set to run suid. That's way, way, way over the line. It breaks lots of stuff, like updates and patches. Someone doesn't deserver to be fired. Someone deserves to be tarred and feathered and banned from ever touching a computer again.

Re:Lazy Design...

Sounds like someone is used to programming Windows drivers...

No, it merely confirms that there are lazy programmers creating crap code for all OSes, including Linux.

Re:Lazy Design...

I think lazy is pretty generous. Putting setuid root on something as powerful as openoffice is flat-out retarded, period. These guys are driver writers, they should know better than this. I mean they, really ought to know better than this. It would be like Red hat dumping ssh and recommending telnet for remote shell access and transfer of sensitive information.

I don't see any reason to think something malicious of it, but I think this goes beyond stupidity. It's not quite as bad as distributing rootkits with your CDs, but I think it's getting there.

Re:Lazy Design...

A potential flaw in a linux driver from Samsung is blamed on MS, in 2 different manners no less, and it jets to +5.

Classic /.

How come an app can do that?

It seems extremely dangerous that a user can install something like that, with that kind of effects. Very insecure indeed. Can anyone explain why in the whole world something like this could ever happen, or is in fact an exploit/virus/worm?

Re:How come an app can do that?

It's a driver installation, so the ordinary user doesn't/can't do it.

However, it's a proprietary driver, that you need to install to use the printer, so if that's the printer you have people install it, expecting it not to create security holes.
This might have been discovered earlier, if it weren't for the closedness of the source.

My guess is that it happened due to a coder writing the driver so, it requires root to use it.
Then trying to guess which programs requires the driver, then setting those to run as root. Silly, but easy to do.

Sounds like it was done without peer review, so i guess they only have one guy writing their linux drivers..
So why is it proprietary? well some places printers are encouraged(required) by law (enforcement) to leave secret and invisible watermarks.
If it isn't done in the printer, it's done in the driver, if it's open, it'll be removed.

I agree, BUT

I agree with what you said, BUT...

Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.

This is uncalled for, because as can be see on the ubuntu forums [ubuntuforums.org] you can clearly see it was the "thousand eyes" reality that caught this problem in the first place and found the solution to remove parts from the install script.

wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc

And the content of the function for suid-making functions etc. So I have to disagree with you there.

I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.

Re:How come an app can do that?

An app running as root can do anything it wants - and installers normally do run as root. The same problem exists on every OS: the administrator and the programs he runs can do retarded things.

The question I want to ask is why there is a driver developer working for Samsung who is able to understand the function of the setuid bit but not the security implications of using it. It seems that there is a very special type of stupidity involved here, along with some extremely thoughtless design. Samsung is taking a big risk employing morons like that.

If the guy can't understand the security implications of the setuid bit, which are well documented and not that complex, he should not be writing software.

Windows coders

If I'm not mistaken, this is how Windows got as bad as it is.

This particular incident cannot be protested enough. If this sort of thing becomes common, End-user Linux will become as corrupted as Windows.

Re:Windows coders

No, that is not my point.

As the PC developed, IO calls were to be linked through the BIOS. The idea was that each device was to have a ROM that linked itself to the system's BIOS and that there would be a more unified system for handling I/O. Well, for most people, BIOS wasn't fast enough so people started writing code to work around it. And that's where the PC's "bad programming habits" began and it just got worse from there.

Now, instead of people using the Windows API properly, people are using undocumented APIs that are subject to undocumented change, people are still trying to squeeze more performance from their apps by moving code into ring-0 virtual driver code. If you don't already know, "ring-0" means the code has access to the entire machine and all memory. And when apps misbehave, they are flying without a net since the ring-1 and above offer levels of "protection" from misbehaving or malfunctioning apps.

This culture of performance over stability and proper coding methods has undermined the security and stability of Windows. I'm not going to assert whether or not Microsoft is partly to blame or has any blame in this. But I will say that Windows coders have bad habits that are quite common and prevalent.

As Linux coders grow in numbers, it is more and more important that things like abusing root or setting up kernel modules unnecessarily should be protested and prevented at every turn. To not fight it could result in the same problems and reputation that Windows now enjoys.

Re:Windows coders

Signing drivers has been proven to be ineffective for several reasons:

1. It has been shown that the signature can and has been forged
2. Unsigned drivers are still installable with only a warning given to the user at install time and the user has little to no choice but to install the unsigned driver if they wish to make use of whatever it is they are using.

the only benefit is "user awareness" and the effectiveness this may yield will vary by the quality of the user... and we more or less know what that leads to.

As far as your assertion that Linux can't do that? I'll leave that alone for now... you're about to be flooded with a number of other responses that are likely to be worded better than I ever could. But to be short, Linux can't "sign" drivers. Instead driver modules are to be compiled to match the specific kernel and will refuse with NO option by the user to over-ride that decision. So in a way, it's actually more secure. (This excludes the existence of DKMS or dynamic kernel module support which, if the user installs it, can neatly override this particular behavior from the kernel in a way but the kernel module/driver itself needs to be created within the framework of DKMS itself and all manner of other complications...so....)

suid is evil!

Once more boys and girls, say it with me now, SUID IS EVIL! :-)
Nothing but the programs that absolutely have to should be run as root.

Is there an English (not some auto-translated forum) site covering this? I think its talking about this suid run printer driver [openprinting.org]?

Re:suid is evil!

Once more boys and girls, say it with me now, SUID IS EVIL! :-)

SUID does not have to set id to root; my printing scripts are all setuid to "lp"; my mail servers are suid to "mail". This is a good thing.

TWW

Thank you!

A big "Thank You!" to Samsung for demonstrating that propriatory code is inherently less secure than open source, if only because you can (could) get away with insecure code.

Slipping

Am I imagining things, or are systems that are supposed to be more secure than others getting caught with their pants down alot more lately ?

Maybe all the boasting has got people feeling too comfortable, letting their guard down.

What were they trying to do?

What were they trying to do that made them think OpenOffice needs to be setuid:root?

Windows ME(tm)(r) Security(tm)(r)(c)(*) now available on Linux, brought to you by Samsung(tm)(r)

Install applications as root

I find it very disappointing anyway that anything you install on ubuntu is installed as root (at least that is the default way of doing it). Wouldn't it be übercool to be able to install applications as the local user, and drivers maybe as the "driver" user? I still think The Zero Install system [0install.net] is a nice and secure way to install software, and maybe one day we can extend this to install drivers as well, so that root access will almost never be required (a bit like Plan 9, or what SE Linux is trying to do).

Re:Install applications as root

Wouldn't change much really.

This works OK for a multiuser system. If you run systems with 100 users on each and one gets their home directory hosed, you restore from backups and problem solved. Everybody else continues having uninterrupted service meanwhile.

But on a personal box everything of importance is in $HOME anyway.

What is needed is something like SELinux, which makes it impossible for applications to do things they shouldn't be doing.

I say "something like" because SELinux is a very complicated system and AFAIK still badly documented. But it sounds like a step in the right direction.

Re:Install applications as root

If you allow the local user to install programs, then the local user is either;
a) going to need write access to all the usual locations (either /usr/bin and /usr/lib, or /opt) which wouldn't solve the problem TFA is on about
b) going to need to use some middleware that *does* have rwx access to /usr and a fine grained ACL system dictacting which users have access to what

"Driver" installs just need access to /lib.

Fact of the matter is that whatever user/process has the rights to install apps has the rights to fuck them up as well. Much like how windows can't help it if the user runs trojan_setup.exe.

As ther other poster noticed, things like SELinux offer incredibly fine grained access over what various users can and can't do, and if you go through the (fairly considerable) pain of setting it up it can give you an amazingly secure setup, but there's no way in hell it'd fly with everyday users or even most sysadmins. This is why Linux distros take such care with package management and like to retain control over their repositories - because they can't risk a third party, closed source package coming in and accidentally running a chmod -R 777 / on install. When you're dealing with companies that seemingly have little knowledge of Linux development and security models, this is a very real threat.

Re:Install applications as root

Synaptic (and APT) are system-wide software-management tools and thus require root privileges. OTOH, it would be cool to be able to allow any user to install a program for himself and still keep it under package management.

Let me be the first to say...

quoi le baise? (senseless translation of 'wtf')

Does anyone have _any_ idea why they did this?

Fortunately, I don't use the drivers supplied by Samsung for my printer. They are crap. The foomatic one works just fine, though.

to be fair

no user is going to be able to install such a dangerous "driver" without root access in the first place-- anyone can build a program, intentionally or accidently, that comprimises a system when ran/installed as root.

Re:to be fair

no user is going to be able to install such a dangerous "driver" without root access in the first place-- anyone can build a program, intentionally or accidently, that comprimises a system when ran/installed as root

Yes, but when you install a driver, you normally assume that it's not going to make your system insecure. Why should it? Only a very badly designed driver would deliberately break your system security.

Sometimes drivers do accidentally introduce security problems. The Nvidia drivers for X have done this in the past, for example. In those cases, it's not bad design, it's an oversight of some sort, like a buffer overflow.

But this is not an oversight. A deliberate design decision has been made to break the Linux security model. A very special type of stupidity is involved: one that includes an understanding of the effects of the setuid bit, but excludes an understanding of the security implications.

Samsung should investigate this fully - who knows what other retarded decisions have been made by these guys?

Ubuntu Forums Link

One buddy posted on Ubuntu forums:

http://ubuntuforums.org/showthread.php?t=500702 [ubuntuforums.org]

It come out...

For those who can't read French, the Ubuntu forum is just a posting of a link to another forum where it was noticed. The posting, along with the interesting source can be found at http://linuxfr.org/forums/15/22562.html [linuxfr.org] The interesting parts are:

wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage

wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc

The script copies the affected application's executable to one with a .bin extension, and replaces it with an suid wrapper script. This is undoable, but god, what a mess!

Okay, I couldn't overcome the lameness filter, go to the source to see for yourselves...

Bad...

but this was the first time I heard of Samsung having native Linux drivers so as long as they stop screwing up peoples systems they might get some good publicity out of this ironically though I'm not sure if they deserve it.

Without knowing much than what is in the article..

...I would not call this a mere bug. This was an intentional attempt to create a backdoor. Come on, who believes that a very specific driver of all things changes the permissions of a very unspecific program like OpenOffice? Something like that does not happen by accident.

Ok, I might be wrong with my accusation, but in this case I'd say I don't have to prove it, but Samsung has to prove its innocence by making public in details how exactly it came to this 'bug'.

Re:Without knowing much than what is in the articl

This was an intentional attempt to create a backdoor.

So when this same type of thing happens in Windows it's that Windows coders are inept but when the same happens in Linux it's because of a conspiracy? Please.

The Linux community better be damn well ready for when this becomes commonplace as more people use Linux. I don't expect it as much from real vendors but it's going to happen more from the likes of amateur coders and malware producers.

Too many have fallen pray to the myth that Linux isn't going to have some of the same issues that Windows has with these areas in software. This incident alone shows that Linux will not be immune to those who don't care enough, don't know enough or are willing enough to sacrifice system security for whatever reasons.

English Non-Google'd Translation

Hello,

After I installed the unified drivers for my Samsung printer/scanner, I had the unwelcome surprise of discovering that OpenOffice now opens as root, and not only that but did not ask for my password!

As a result, all documents I created were saved in the /root/ directory with super user rights. Practical and super secure!

I attempted to re-install .Xauthority without success.

The beast (the problem) is occuring under Ubuntu 7.04 under Gnome.

Thank You.

Bonjour,

Après avoir installé les drivers unifiés de Samsung pour gérer mon imprimante scanner, j'ai eu la très mauvaise surprise de constater que la suite openoffice s'ouvrait en root et ceci sans que me soit demandé le moindre mot de passe !!!

Du coup, les documents que je crée s'enregistrent dans le dossier /root/ avec des droits de super utilisateur. Pratique et super sécure !

A tout hasard j'ai réinitialisé le .Xauthority : aucun succès.

La bête est sous Ubuntu 7.04 et gnome. En attendant vote aide, je cherche et tente de résister au désespoir le plus sombre !

Merci

Time to Get Heavy

The proprietary driver fiasco has gone on far too long. It's time to stand up and say Enough Already!

Let's all get writing to our elected representatives and demand that hardware manufacturers be obliged, by law, to provide detailed specifications which would enable a sufficiently-competent programmer to write a driver program enabling any of the features of their product to be used on any sufficiently-capable computer.

Failure to do this places the rightful owners of hardware at a disadvantage. They can only use it in conjunction with certain Operating Systems. They are restricted to using it as the manufacturer thought fit. If a driver has a programming flaw, the user's computer can be compromised. If the Operating System is updated in such a way as the driver no longer works, the user is at the mercy of the manufacturer to release a new version of the driver -- or else the hardware is unusable (or at best, usable only through a bodge involving multi-booting: at the boot prompt, type linux to be able to use the Internet, or linuxOLD to be able to print).

It's unfortunate, but this measure really needs to be brought in through legislation, because manufacturers will not do it voluntarily. There are two reasons: (1) they are paranoid of competitors {despite the fact that their competitors are busy reverse-engineering their products in secret while they reverse-engineer the competitors' products} and (2) they habitually lie through their back teeth in their advertising literature about the capabilities of their hardware, and such lies would be exposed with disclosure (e.g. a camera with a 2 megapixel image sensor, spitting out JPEG images interpolated up to 6 megapixels).

Blown out of proportion?

Here is a posting to the Ubuntu forum that is SEVEN MONTHS old and refers to postings A YEAR OLD!

Printer drivers need to be installed with world execute permissions so that all users on the system can access the printer. The Samsung hacker's method of doing this, converting them to 4755 bin files and setting the original name as a link to the bin files, is one way of doing that -- IF his "unwrap" function had worked properly. That's the bug. Listed in the posting are files whose permissions need to be modified after the driver is installed.

#1
Old January 18th, 2007
tweedledee tweedledee is online now
Way Too Much Ubuntu

Join Date: Dec 2006
Beans: 252
Ubuntu 7.04 Feisty Fawn User
HOWTO Install Samsung Unified Printer Driver
I had a fair amount of trouble initially getting my Samsung printer installed completely, but I finally have it all done, so here's a mini-guide for those who might benefit.

NOTE: for the last few months, the Samsung website has been utilizing some buggy Flash code that will crash many (all?) Linux browsers that have Flash installed - hopefully they will fix this soon, but they don't seem in any hurry. Either use a secondary browser that does not have the Flash plugin installed (e.g., if you mainly use Firefox, you could use Epiphany (Gnome) or Konqueror (KDE)) or download the drivers via another computer/OS. Alternatively, again if you use Firefox, you can install the "flashblock" extension, usually this prevents the crash (and is useful for many of the other websites that have been appearing recently causing the same behavior, although it's not 100% successful).

EDIT: The newest (as of this writing) driver from Samsung (20070324...) appears to solve some of the mfp/xsane issues, but also appears to missing a couple of library files. See post #23 for details. Also see posts #27-29 for details on ...plc errors and solutions.
Post #35 suggets the 200704.... drivers have resolved this issue, so this may now be irrelevant.

First, a disclaimer: much of the information I used came from this thread: http://www.ubuntuforums.org/showthread.php?t=28774 7 [ubuntuforums.org]. Another good source of information is http://www.linuxprinting.org./ [www.linuxprinting.org] Finally, I did this using the 20060719... and 20070125.... drivers; newer (or older) drivers may require some tweaks. Also, especially if you have a monochrome, non-duplexing, non-multifunction printer, you very well may have success with a generic post-script printer as a driver, without having to install the Samsung drivers. Also note that for my printer, pretty much all functions except duplex control worked even if I skipped steps 2-4 below (i.e., don't install the driver, only the relevant .ppd file) - which also has the advantage of not needing to fix xsane (additional step 2).

This works for my CLP-550; similar steps seem to work for other Samsung printers not supported out-of-the-box with the drivers available in a fresh Ubuntu install. This is NOT a multi-function, multi-functions may require additional steps (but are discussed in other threads, a quick search should bring them up). Posts below from other users have reported sucess (sometimes with a couple of small modifications) with: ML-2510 (# 5, 14, 16, 26), ML-2510/XEU (# 18 ), ML-2571n (# 12), SCX-4200 (# 10), SCX-4521F (# 11), CLP-300 (# 35).

1. Download and untar the driver from Samsung's website; for this example I will assume you untar it to ~.
2. Open a terminal and navigate to ~/cdroot/Linux. I had to "chmod +w install.sh" to give write permissions, but that may be unusual. Edit install.sh as follows:
a: change the first line from "#! /bin/sh" to "#! /bin/bash" (without the quotes)
b (possibly not needed): change the line that includes "guiinstall.bin" (search for it, it's around line 1277) to eliminate the ".bin" (i.e

It also messes with the lpr command

I have a Samsung ML-2251N printer and the installer also replaces the standard lpr command by symlinking it to a script called slpr, which brings up a windows-like print GUI when you try to print things. This is highly annoying as it doesn't behave exactly like lpr and requires a GUI. It may also be SUID as well.

You can remove all of the SUID crap and point /usr/bin/lpr back to the right place. The proprietary driver still works and is much more secure. It prints faster with the Samsung driver than with the open source PCL driver. One day I might add true PostScript capabilities to it to try to work around both issues.

Keep in mind that the printer driver's control panel and other stuff that Samsung installs is also SUID. The SUID garbage happens even when installing a regular printer without the scanning capabilities.

I like that they at least tried to write a Linux driver, which is many steps further than a lot of companies, but it does need to stop stomping all over the system like a Windows application would.

Clue on what not to buy

Any printer that requires more than a PPD and CUPS to operate is suspect.

Great!

It can join the good company of General Protection Fault, or Kernel Panic

holy shi....

Samsung makes printers? That people actually buy?

May not be that big a problem

This may not be that big a problem -- at least for the Samsung color laser printers. Why not? Because the Linux installer for those printers seems to be unusable on many new Linuxes. The installer is dynamically linked to libraries that are no longer used and it apparently doesn't install properly when newer versions of the libraries are linked. It took me a number of days to get a CLP-300N printer working with the Samsung drivers. There is an alternate open source driver called foo2qpdl that does work.

My somewhat rambling notes on this subject are on the internet at http://donaldkenney.110mb.com/LPRINTER.HTM [110mb.com]. I plan to clean them up and correct the consistent misspelling of kubuntu ... someday. I posted the notes because I couldn't find any explanation anywhere of the Samsung message 'unable to find a suitable printer' or any thoughts on what to do about it other than to return the printer to the store.

Never trust third party packages

This is only an issue because Windows has moronised people into expecting that they must download an unverified, untrusted executable from a third party web site and execute it with full system privileges.

Thanks, Microsoft!

Stick with your distribution's official package archive and this simply won't happen.

The bug is that it doesn't properly UN-SUID them.

The bug is that the driver actually tries to UN-suid the applications: unwrap_setuid_third_party_application xsane unwrap_setuid_third_party_application xscanimage wrap_setuid_ooo_application soffice un wrap_setuid_ooo_application swriter un wrap_setuid_ooo_application simpress un wrap_setuid_ooo_application scalc un But they screwed up the oo unwrap part. The "un" should be BEFORE the "wrap" on those lines. It suids the apps temporarily, and improperly un-suids them.

Noticed this with CLP-510 last year

Bought a CLP-510 (cheap for a reason) last year only and got some experience with Samsung's linux driver because it supports only some proprietary Samsung format. The Samsung driver prints by setting up a filter chain which

1. converts everything to postscript, if not already (ghostscript)
2. convert postscript into an intermediate standard CMYK format (ghostscript again)
3. convert the intermediate format into a proprietary binary blob
4. write the blob to the printer device

Generating the binary blob uses a binary executable that is included with the driver package and is the only "secret sauce". Everything else is standard CUPS and related programs.

The SUID part comes from the Windowsification of the interface. They replace "lpr" with one that bring up a Windows-like printer config GUI. In, fact it, you can't print with it unless you're running X. The GUI writes the user's selections to the PPD in /etc/cups (which requires root permission) as well as to ~/.lpoptions. It also means that the next print user will start with the options selected by the previous user. Also annoying that duplexing (built-in) could not be controlled from software. I'm sure the Windows driver didn't have that problem.

In short order I replaced the 510 with a CLP-550 which supports postscript natively. I didn't bother with the Samsung driver, but when I found that the 550 didn't have enough memory to print a full-page graphic I extracted the needed components and ran the filter chain manually.

Samsung

It's a shame that companies just aren't bothering any more. Samsung is certainly one company that doesnt "get" linux but at one point it wasn't doing too bad. The ML-4500 I have even has a little Tux on the box and some CUPS PPD's on the CD.

As another post says, any printer that needs much more than a PPD is one to steer clear of anyway. It does bug me especially with printers... there are buckets of supported printing protocols that work cross-platform and even cross-printer (Postscript, PCL, for example). Yeah, some of them were made by a particular company foisting their own protocol on people but for the most part they are documented, complete, simple to support and cross-platform.

My ML-4500 is an odd device - it's not Postscript, not PCL, it even needs a tweak to the PPD supplied on most websites (including what was linuxprinting.org) or the CD to strip out extraneous page feeds at the end of the job. But there's code, PPD's and some hint that they were trying to do stuff properly for the Linux user of the time (as an aside, the driver on the CD mentions Linux 2.2 - they weren't that many companies supporting Linux printing back then). And it works. Very well. Even over a NetportExpress, with simultaneous Linux/Windows users randomly printing to it.

And the toners for the ML-4500 are combined toner/drum but they come with a little cap that you pop off, dump some generic toner in and carry on perfectly - my first toner/drum lasted 5 years, approximately 20 refills (totalling about $30 in all) and then started to fade a little bit in certain areas (I kept the toner/drum and use it as my emergency backup). Brand new toner/drum on eBay - about $30. That's already on it's third refill.

It's almost as if there was one man on the design team for that model who had brains and mostly got his way - but at critical points, hurdles were introduced by others (e.g. proprietry protocol, combined toner/drum) and he tried his best to overcome them (by making an OS driver for it, by designing an easy-to-use toner cap that you could refill with just about any toner you had laying around etc.).

Sounds like it's only for Ubuntu though...

Or any other OS that allows a user to sudo any command. Honestly, that idea was a bad idea. Sudo is great for some things, but it needs to be kept in check. I guess that's what visudo is for, but how many of the people that get pitched Ubuntu know about visudo and limiting sudo powers?

Alternate Install Method

The problem is entirely in the installer, not the driver.

After I bought an SCX-4100 a couple of years ago, I ran the installer. I saw right away that most of what the installer did was worthless. It installed some GUI that was simply inferior to CUPS+KDE. That made me mad, so I undid the effects of the installer and dissected it until I figured out what actually needed to be installed to just print and scan. The list of files required turns out to be pretty simple, as long as you connect via USB instead of the parallel port:

- /usr/lib/cups/backend/mfp

- /usr/lib/cups/filter/rastertosamsung{pcl,spl,splc}

- /usr/lib/libmfp.so*

- /usr/share/ppd/Samsung/scx4100.ppd.gz

- /usr/lib/sane/libsane-smfp.so*

- /etc/sane.d/smfp.conf

You can get all of these files out of the driver package. None of them need to be installed suid root or anything out of the ordinary. All you need is read/write access to /dev/usb/lp0 (provided by the usblp kernel module), which you can usually gain by being a member of group "lp" or whatever your distribution calls it. Also, you need a line in /etc/sane.d/dll.conf that contains "smfp" so that sane will look for libsane-smfp.so .

Use the normal CUPS and SANE configuration steps to set it up. If you're lucky, you can use http://localhost:631/ [localhost] , unless your distribution has disabled that method of configuration.

I blogged about this two years ago:

    http://hathawaymix.org/Weblog/2005-07-15 [hathawaymix.org]

Note that many of the details have changed. This post is more correct.

Even though I've avoided the setuid security hole by installing by hand, I'm still very irritated that I have to use proprietary binaries with who knows how many security holes. Next time I'm not going to settle for a proprietary driver. Samsung advertised Linux support and that's half the reason I bought the printer, but I didn't realize the driver was proprietary until I already had the printer.

Samsung, if you read this, listen up: I am happy with the speed and reliability of this printer (I've gone through 5-6 reams of paper and only 1 cartridge), and I am happy that you have added x86_64 support. However, if I had known that I would spend about 40 hours messing with your drivers just to get the printer to work, I would have bought an HP printer instead, even if it cost twice as much. I will not be a repeat customer and I will not recommend any of your printers to anyone else unless you open your drivers.

Management

Sounds like a managment problem to me.

Software Guys: Its not ready
Managers: You showed me a working copy
Software Guys: But it has major security holes
Managers: Dont care ship it.

Re:Red Alert!

4. This is the type of thing that usually happens on Windows.

The above shows just how similar the two really are.

Re:Red Alert!

In all seriousness, I would like to know the business case for not open sourcing these drivers. It seems to me they have everything to gain and nothing to lose. I can't imagine there's any significant technological secrets contained in the drivers themselves. The value they are selling is in the physical printers, and the drivers are just there to make the printers useful.

Why not open the drivers to a free process that will almost certainly improve them, and at the same time improve the company's image in the Linux community?

Re:Piece of crap

***There is a howto somewhere in the web how to NOP out this crap from the binary. And never use a vendor-installer of course ..***

In the case of Samsung color laser printers, you have to use the vendor -installer because if it runs, it sets up a /etc/linuxprint.cfg that is needed by the Samsung filter ppmtosplc. AFAICS, the format of linuxprint.cfg isn't documented. (either).

OTOH, at least with the CLP-300 you can use foo2splc instead of the Samsung drivers. And I believe that some of the other models work with splix.

Re:hahaha should have used windows

you lame ass kids should learn to use a real O/S like Vista.

Still have to make it run first :-)