Major Security Hole In Samsung Linux Drivers
GerbilSoft writes with news of a major security hole in Samsung's proprietary Linux printer drivers. From the Ubuntu Forums: "Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). [Google translation here.] It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password. What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo." GerbilSoft adds: "Among the programs that it sets as setuid-root are OpenOffice, xsane, and xscanimage."
Lazy Design... (Score:5, Insightful)
I'm tempted to infer something sinister about this, but then I remember the old adage "never attribute to malice what can be explained by stupidity." It keeps your blood pressure nice and low.
Flawed Design... (Score:2, Informative)
Unix security is just flawed and the flaw is called "root".
Martin
Re: (Score:2, Informative)
Re:Flawed Design... (Score:5, Informative)
There is a fix for this flaw. It's called 'groups.'
This is distro-dependant. On Ubuntu, scanner access is controlled by groups. Want a user to be able to scan? You add them to the scanner group. You want someone to have access to burn CDs/DVDs? You add them to the cdrom group. If the scanner device is owned by any user, and owned by the group scanner, the permissions on the scanning device are set to group read/write, and both you and your wife are in the scanner group, then you both have access to the scanner. Try it yourself. Problem solved.
BTW--with SANE, the best way to have two people access the same scanner is via the saned network sharing mechanism, which allows other systems using xsane (or other sane front-end) to access the scanner over the network without having to remote login.
Re: (Score:2, Redundant)
There is a fix for this flaw. It's called 'groups.'
Groups don't fix the flaw of a superuser. Not only are groups the wrong ballpark to do so, they're not even playing the same game.
Re:Flawed Design... (Score:4, Insightful)
There are of course some other areas which ACL's don't address but there are pre-existing mechanisms to address those as well. Well, on most modern Unix/Linux systems anyways. The model has survived for so long for simple reasons; it's effective, simple and covers the vast majority of situations. When complex requirements come into light, more complex solutions exist. Most people just don't know about them.
Re: (Score:3, Interesting)
Which is why most distros support POSIX ACLs...they are just not widely used. Ext2, Ext3, JFS, XFS, and ReiserFS all support ACLs (extended attributes). I believe NFS version 3 and 4 also support ACLs.
True, but until most GNU/Linux applications fully support ACLs, I highly recommend not using them and sticking wit
Re: (Score:3, Interesting)
The GGP post was citing the scanner situation as evidence for the "flaw of the superuser". The GP post explained why that evidence is not applicable, as it is solvable with standard practices of any well-managed distro. There is little point in saying that "groups don't fix the flaw of a superuser", since the GP explained exactly how groups *do* fix at least part of that "flaw".
Personally, I think that standard Unix security model is complicated enough as it is without using ACLs. Not to say that ACLs are
Re: (Score:3, Interesting)
That's why the inventors of Unix took it back out again when they did their next OS [bell-labs.com]
btw. it's dependent
Re: (Score:2)
Re: (Score:2)
The key question is:
Were these programs given elevated privileges in order for the Samsung device to work?
OR
Did the driver elevate the privileges of programs unrelated to its functioning?
If the latter is true, then Samsung needs to be congratulated for highlighting the pitfalls of closed source drivers in Linux.
Re:Lazy Design... (Score:4, Informative)
Re:Lazy Design... (Score:4, Insightful)
Re:Moronic Managers (Score:3, Insightful)
In the meantime the fallout from all the insane things that "need" to be done is gaping security holes all over the place and a bunch of manager types saying 'but it doesn't matter, nobody will ever want to hack us'.
For the record I us
Re:Lazy Design... (Score:5, Interesting)
I don't see any reason to think something malicious of it, but I think this goes beyond stupidity. It's not quite as bad as distributing rootkits with your CDs, but I think it's getting there.
Re:Lazy Design... (Score:4, Insightful)
Classic
Re:Lazy Design... (Score:4, Insightful)
Re: (Score:3, Informative)
In my opinion, the manager is responsible for the conduct of the employees. Taking responsibility for those working under you is a fundamental part of good leadership. It's the manager's job to check the employee's work to make sure that it meets quality criteria. In this case the manager failed in his or her supervisory duties.
Re: (Score:2)
I agree. The higher responsibilities of managers are part of the reason for their higher salary.
If it wasn't a management decision to start with (Score:3, Informative)
How come an app can do that? (Score:2)
Re:How come an app can do that? (Score:5, Informative)
However, it's a proprietary driver, that you need to install to use the printer, so if that's the printer you have people install it, expecting it not to create security holes.
This might have been discovered earlier, if it weren't for the closedness of the source.
My guess is that it happened due to a coder writing the driver so that it requires root to use it.
Then trying to guess which programs require the driver, then setting those to run as root. Silly, but easy to do.
Sounds like it was done without peer review, so I guess they only have one guy writing their Linux drivers..
So why is it proprietary? Well, in some places printers are encouraged (required) by law (enforcement) to leave secret and invisible watermarks.
If it isn't done in the printer, it's done in the driver, if it's open, it'll be removed.
Re: (Score:3, Insightful)
Really? It could not have been detected by noticing that OpenOffice is not SetUID? I believe there is even a package for linux that monitors binaries in
Stop with your lame "thousand eyes" theory. Apparently those thousan
Re: (Score:2, Insightful)
But it's been seen. Is that then proof of the thousand eyes theory?
(you fucking idiot)
Re: (Score:2)
Apparently someone did... else we would not be reading this story.
Re: (Score:2)
Re: (Score:2)
Actually, 'chmod' calls do tend to stand out. Anyone doing a security review of source code (and drivers do get that kind of attention) would note them.
I think one of the reasons this took a while to find is that it's so monumentally moronic no one would have believed anyone would actually try that. I'm still a bit dumbfounded, myself.
I agree, BUT (Score:5, Insightful)
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.
Re: (Score:2)
I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.
OpenBSD emails root every night with the results of the daily insecurity check, if it finds anything. One of the things it looks for is new setuid-root binaries. If this had been OpenBSD, then it would have been caught within 24 hours of being installed. I'm surprised Linux distributions don't include something similar already.
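A minimal version of the nightly "new setuid-root binaries" check described above, written here as an added example in the spirit of OpenBSD's daily security mail rather than a copy of its actual script. It assumes only POSIX find, sort and comm; the baseline file path mentioned in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example: record the set of setuid files once, then report any
# file that has gained the setuid bit since (the pattern a wrapper such as
# the one in this story would trip). Not OpenBSD's own /etc/security.

# List every regular file under the given directories that carries the
# setuid bit, one path per line, sorted so the lists can be compared.
find_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Write the current list to the baseline file (first run, or after a
# reviewed, intentional change).
#   $1 = baseline file, remaining args = directories to scan
save_baseline() {
    baseline=$1
    shift
    find_setuid "$@" > "$baseline"
}

# Print setuid files present now that are absent from the baseline.
# Empty output means nothing new appeared.
#   $1 = baseline file, remaining args = directories to scan
new_setuid() {
    baseline=$1
    shift
    find_setuid "$@" | comm -13 "$baseline" -
}
```

Usage would be one `save_baseline /var/lib/setuid.baseline /` (path assumed) after a clean install, then a daily `new_setuid /var/lib/setuid.baseline /` piped to mail from cron; after the Samsung installer ran, the output would have listed the wrapped OpenOffice, xsane and xscanimage binaries the next morning.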
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
My experience of "things that email root every night with security checks" is that generally they trigger on so many false alarms that they are useless. Take logwatch for example - b
Re: (Score:2)
The only thing that will accomplish the effect you desire is a law demanding that every computer user has the right to view the Source Code o
Re: (Score:2)
"This inst_samsng_drv.sh wants to change entries in
I'm probably in the minority of desktop Linux users who has a reasonably comprehensive log/file scanning setup; AFAICR chkrootkit and rkhunter both have checks for suid programs, and I'd love to see both of these apps installe
Re: (Score:2)
Tripwire is mandatory in my shop (and checked daily), so I would have noticed. Then again I wouldn't be running such crap equipment that required such crap drivers.
Re: (Score:2)
It's lame and inexcusable.
Re: (Score:2, Insightful)
It seems extremely dangerous that a user can install something like that, with that kind of effects. Very insecure indeed. Can anyone explain why in the whole world something like this could ever happen, or is in fact an exploit/virus/worm?
It will require root privs to set up in the first place. It comes from the old UNIX method that "if you are privileged enough to have root, you should damn well know what you're doing." mindset. The problem is that apt-get, etc almost all require "root" or wheel access anyway to run. That means you're running a lot of program installers as root that probably you don't really trust enough to install in all parts of the system (see this as an example).
Re: (Score:2)
This would never happen if the driver was installed from the Debian package repository, because the Debian packaging policy does not allow packages to mess with each other's files in this way.
Re:How come an app can do that? (Score:4, Insightful)
The question I want to ask is why there is a driver developer working for Samsung who is able to understand the function of the setuid bit but not the security implications of using it. It seems that there is a very special type of stupidity involved here, along with some extremely thoughtless design. Samsung is taking a big risk employing morons like that.
If the guy can't understand the security implications of the setuid bit, which are well documented and not that complex, he should not be writing software.
Re: (Score:2)
My guess: the programmer or programmers is/are more experienced with the Windows environment, where this sort of tom-foolery with permissions and privi
Re: (Score:2)
Really Windows-style.
Windows coders (Score:5, Insightful)
This particular incident cannot be protested enough. If this sort of thing becomes common, End-user Linux will become as corrupted as Windows.
Re: (Score:2, Interesting)
Your point is, Linux is good because only select people use it for select few apps. That's why Mac is good as well.
I suppose this is an example of a self-defeating prophecy: it's secure/stable, so use it! But if many use it, it's no longer secure/stable.
Re: (Score:2)
I suppose this is an example of a self-defeating prophecy: it's secure/stable, so use it! But if many use it, it's no longer secure/stable.
Not sure why I'm feeding a troll, but he never mentioned Linux being good for a few apps. Linux (or the Unix multi-user security system) is good enough for the entire web, provided people who write apps do so in a transparent way. Doing things in clo
Re: (Score:2)
Maybe an MS shill or Apple fanboy or [insert tired cliche here] would call Linux useless. Good thing I didn't.
Would a Linux fanboy bend my words to fit his black-and-white world?
Re: (Score:2)
Re:Windows coders (Score:5, Interesting)
As the PC developed, IO calls were to be linked through the BIOS. The idea was that each device was to have a ROM that linked itself to the system's BIOS and that there would be a more unified system for handling I/O. Well, for most people, BIOS wasn't fast enough so people started writing code to work around it. And that's where the PC's "bad programming habits" began and it just got worse from there.
Now, instead of people using the Windows API properly, people are using undocumented APIs that are subject to undocumented change, people are still trying to squeeze more performance from their apps by moving code into ring-0 virtual driver code. If you don't already know, "ring-0" means the code has access to the entire machine and all memory. And when apps misbehave, they are flying without a net since the ring-1 and above offer levels of "protection" from misbehaving or malfunctioning apps.
This culture of performance over stability and proper coding methods has undermined the security and stability of Windows. I'm not going to assert whether or not Microsoft is partly to blame or has any blame in this. But I will say that Windows coders have bad habits that are quite common and prevalent.
As Linux coders grow in numbers, it is more and more important that things like abusing root or setting up kernel modules unnecessarily should be protested and prevented at every turn. To not fight it could result in the same problems and reputation that Windows now enjoys.
Re:Windows coders (Score:4, Interesting)
1. It has been shown that the signature can and has been forged
2. Unsigned drivers are still installable with only a warning given to the user at install time and the user has little to no choice but to install the unsigned driver if they wish to make use of whatever it is they are using.
the only benefit is "user awareness" and the effectiveness this may yield will vary by the quality of the user... and we more or less know what that leads to.
As far as your assertion that Linux can't do that? I'll leave that alone for now... you're about to be flooded with a number of other responses that are likely to be worded better than I ever could. But to be short, Linux can't "sign" drivers. Instead driver modules are to be compiled to match the specific kernel and will refuse with NO option by the user to override that decision. So in a way, it's actually more secure. (This excludes the existence of DKMS or dynamic kernel module support which, if the user installs it, can neatly override this particular behavior from the kernel in a way but the kernel module/driver itself needs to be created within the framework of DKMS itself and all manner of other complications...so....)
Re: (Score:2)
Windows requires you to run installers at elevated privilege levels to install things as trivial as a music player and those, not rarely, intermingle themsel
Re: (Score:2)
Windows requires you to run installers at elevated privilege levels to install things as trivial as a music player and those, not rarely, intermingle themselves into the operating system in ways that make it impossible to get rid of them after you no longer need them.
Windows, like Linux, "requires" nothing of the sort.
Re: (Score:2)
We (that is, the ones who have used Linux since the days before it became all cuddly) use Linux because we want to keep full control of our systems -- and we know that i-tal software is the first of many steps towards that goal. But most people don't understand the implications of Closed vs. Open Source, and will choose -- because they don't know any better -- to pollute their system with a closed-s
Re: (Score:2)
If those drivers were Open Source, this would've been fixed by now and the Samsung programmers would've been taught a small lesson in how to program properly. As it is, they're probably sitting there saying to themselves "Why does anybody care? It works, doesn't it? We did just fine and all these idiots are just nitpickers, why don't THEY write the stupid driver!"
The problem with Windows is the development model, not the number of people writing code for it.
Re: (Score:2)
The stupid population flocks to popular things. I mean, look at Slashdot before it was popular, and see the all the garbage it has now.
suid is evil! (Score:2, Informative)
Nothing but the programs that absolutely have to should be run as root.
Is there an English (not some auto-translated forum) site covering this? I think it's talking about this suid run printer driver [openprinting.org]?
Re: (Score:2, Interesting)
Re: (Score:2)
No it isn't.
I write proprietary code for a living as do plenty of other people here I'm sure. Why should everybody have to release code as open source? Some of us would like to get paid for what we do without having to "add value" by offering support services as well.
In terms of Linux drivers there are several reasons why companies do not create or want open source drivers for their hardware. The most obvious one being that you are trying to keep exactly what the ha
Re:suid is evil! (Score:5, Informative)
SUID does not have to set id to root; my printing scripts are all setuid to "lp"; my mail servers are suid to "mail". This is a good thing.
TWW
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
There are very few programs that need to be setuid root (su, sudo). Most others should be using setgid and sensible device permissions.
Re: (Score:2)
That would be the incorrect way of setting device permissions. Device permissions should be set in udev (it has been like this for several years now since the static
Re: (Score:2)
Just because you've never bothered to pay attention to it & figure out how it is supposed to work, doesn't mean it's outdated or of poor quality. I have worked with administrators that don't know how to use groups properly, and they bitch & moan that nothing works right. With 10 minutes of resetting permissions & updating grou
Get a decent distro (Score:2)
Thank you! (Score:5, Funny)
Re: (Score:2)
A big "Thank You!" to you for most of the world hating Linux.
Re: (Score:2)
Re: (Score:2)
Either way; anybody who can love or hate an OS needs to see a psychiatrist, just like you should if you love or hate a screwdriver, a hammer or any other tool.
Re: (Score:2)
Mmm, when your purchasing department gets a nice lunch in exchange for exclusively buying screwdrivers and you're forced to use the screwdrivers to hammer in nails all day long, I wouldn't be surprised if you develop some excessively strong emotions towards both screwdrivers and the manufacturer of said screwdrivers.
Whether it's entirely rational or constructive is perhaps questionable, but as far as mental health goes it sur
Re: (Score:2)
I guess you've never heard of an old UNIX compiler that inserted malicious code into otherwise clean source code, have you? Open source doesn't stop that, does it?
Re: (Score:2)
By "insecure code", people usually don't just mean unintended problems like buffer overflows but also about intentional functionality that cr
What were they trying to do? (Score:2, Funny)
Windows ME(tm)(r) Security(tm)(r)(c)(*) now available on Linux, brought to you by Samsung(tm)(r)
Install applications as root (Score:5, Interesting)
Re:Install applications as root (Score:5, Interesting)
This works OK for a multiuser system. If you run systems with 100 users on each and one gets their home directory hosed, you restore from backups and problem solved. Everybody else continues having uninterrupted service meanwhile.
But on a personal box everything of importance is in $HOME anyway.
What is needed is something like SELinux, which makes it impossible for applications to do things they shouldn't be doing.
I say "something like" because SELinux is a very complicated system and AFAIK still badly documented. But it sounds like a step in the right direction.
Re: (Score:2)
You know, things like text documents, browser bookmarks, saved games, source code not committed to a source control system, applications settings, passwords (in files used by password managers), music, video, homework...
My $HOME is somewhere about 50GB in size. Important things are backed up of course, but I can't back up 50GB every day.
Now application binaries on a single user system are unimportant. So long you can keep your data, a full reinstall of system components coul
Re: (Score:2)
Re:Install applications as root (Score:4, Informative)
a) going to need write access to all the usual locations (either
b) going to need to use some middleware that *does* have rwx access to
"Driver" installs just need access to
Fact of the matter is that whatever user/process has the rights to install apps has the rights to fuck them up as well. Much like how windows can't help it if the user runs trojan_setup.exe.
As the other poster noted, things like SELinux offer incredibly fine grained access over what various users can and can't do, and if you go through the (fairly considerable) pain of setting it up it can give you an amazingly secure setup, but there's no way in hell it'd fly with everyday users or even most sysadmins. This is why Linux distros take such care with package management and like to retain control over their repositories - because they can't risk a third party, closed source package coming in and accidentally running a chmod -R 777 / on install. When you're dealing with companies that seemingly have little knowledge of Linux development and security models, this is a very real threat.
Re:Install applications as root (Score:4, Interesting)
Let me be the first to say... (Score:2, Funny)
Does anyone have _any_ idea why they did this?
Fortunately, I don't use the drivers supplied by Samsung for my printer. They are crap. The foomatic one works just fine, though.
Re: (Score:2)
to be fair (Score:2)
Re:to be fair (Score:5, Insightful)
Yes, but when you install a driver, you normally assume that it's not going to make your system insecure. Why should it? Only a very badly designed driver would deliberately break your system security.
Sometimes drivers do accidentally introduce security problems. The Nvidia drivers for X have done this in the past, for example. In those cases, it's not bad design, it's an oversight of some sort, like a buffer overflow.
But this is not an oversight. A deliberate design decision has been made to break the Linux security model. A very special type of stupidity is involved: one that includes an understanding of the effects of the setuid bit, but excludes an understanding of the security implications.
Samsung should investigate this fully - who knows what other retarded decisions have been made by these guys?
It come out... (Score:5, Informative)
For those who can't read French, the Ubuntu forum is just a posting of a link to another forum where it was noticed. The posting, along with the interesting source can be found at http://linuxfr.org/forums/15/22562.html [linuxfr.org] The interesting parts are:
The script copies the affected application's executable to one with a .bin extension, and replaces it with an suid wrapper script. This is undoable, but god, what a mess!
Okay, I couldn't overcome the lameness filter, go to the source to see for yourselves...
Without knowing much more than what is in the article.. (Score:2, Flamebait)
Ok, I might be wrong with my accusation, but in this case I'd say I don't have to prove it, but Samsung has to prove its innocence by making public in details how exactly it came to this 'bug'.
Re:Without knowing much than what is in the articl (Score:5, Insightful)
So when this same type of thing happens in Windows it's that Windows coders are inept but when the same happens in Linux it's because of a conspiracy? Please.
The Linux community better be damn well ready for when this becomes commonplace as more people use Linux. I don't expect it as much from real vendors but it's going to happen more from the likes of amateur coders and malware producers.
Too many have fallen prey to the myth that Linux isn't going to have some of the same issues that Windows has with these areas in software. This incident alone shows that Linux will not be immune to those who don't care enough, don't know enough or are willing enough to sacrifice system security for whatever reasons.
English Non-Google'd Translation (Score:4, Informative)
After I installed the unified drivers for my Samsung printer/scanner, I had the unwelcome surprise of discovering that OpenOffice now opens as root, and not only that but did not ask for my password!
As a result, all documents I created were saved in the
I attempted to re-install
The beast (the problem) is occurring under Ubuntu 7.04 under Gnome.
Thank You.
After installing Samsung's unified drivers to manage my printer/scanner, I had the very unpleasant surprise of finding that the OpenOffice suite opened as root, and this without being asked for any password at all!!!
As a result, the documents I create are saved in the folder
Just in case, I reset the
The beast is running Ubuntu 7.04 and Gnome. While awaiting your help, I am searching and trying to resist the darkest despair!
Thanks
Time to Get Heavy (Score:5, Insightful)
Let's all get writing to our elected representatives and demand that hardware manufacturers be obliged, by law, to provide detailed specifications which would enable a sufficiently-competent programmer to write a driver program enabling any of the features of their product to be used on any sufficiently-capable computer.
Failure to do this places the rightful owners of hardware at a disadvantage. They can only use it in conjunction with certain Operating Systems. They are restricted to using it as the manufacturer thought fit. If a driver has a programming flaw, the user's computer can be compromised. If the Operating System is updated in such a way as the driver no longer works, the user is at the mercy of the manufacturer to release a new version of the driver -- or else the hardware is unusable (or at best, usable only through a bodge involving multi-booting: at the boot prompt, type linux to be able to use the Internet, or linuxOLD to be able to print).
It's unfortunate, but this measure really needs to be brought in through legislation, because manufacturers will not do it voluntarily. There are two reasons: (1) they are paranoid of competitors {despite the fact that their competitors are busy reverse-engineering their products in secret while they reverse-engineer the competitors' products} and (2) they habitually lie through their back teeth in their advertising literature about the capabilities of their hardware, and such lies would be exposed with disclosure (e.g. a camera with a 2 megapixel image sensor, spitting out JPEG images interpolated up to 6 megapixels).
Re: (Score:3, Funny)
Blown out of proportion? (Score:5, Informative)
Printer drivers need to be installed with world execute permissions so that all users on the system can access the printer. The Samsung hacker's method of doing this, converting them to 4755 bin files and setting the original name as a link to the bin files, is one way of doing that -- IF his "unwrap" function had worked properly. That's the bug. Listed in the posting are files whose permissions need to be modified after the driver is installed.
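Since the thread describes the installer's layout (original executable moved aside with a .bin extension, original name replaced by a mode-4755 wrapper) but the "unwrap" step is what failed, here is an added example of a working unwrap routine. It is not the Samsung installer's code nor any poster's; the <name>.bin-beside-<name> layout is taken from the posts above and assumed, not verified against the real installer, and it checks for that layout before touching anything.

```shell
#!/bin/sh
# Added example: undo the "copy to <name>.bin, replace <name> with a
# setuid wrapper" change described in the thread. Assumed layout, not
# taken from the real installer: <name>.bin is the untouched original.

# True if PATH looks wrapped: it carries the setuid bit (POSIX test -u)
# and the saved original PATH.bin sits next to it.
is_wrapped() {
    [ -f "$1.bin" ] && [ -u "$1" ]
}

# Move PATH.bin back over the wrapper and clear setuid/setgid so a stale
# bit cannot survive. Prints the restored path; returns 1 and changes
# nothing if PATH does not match the wrapped layout.
restore_wrapped() {
    is_wrapped "$1" || return 1
    mv -f "$1.bin" "$1"
    chmod u-s,g-s "$1"
    echo "$1"
}

# Read candidate paths, one per line (e.g. the wrap_setuid_* targets
# quoted from the install script), and restore every wrapped one.
restore_all() {
    while IFS= read -r p; do
        restore_wrapped "$p" || true
    done
}
```

Feeding the list of wrapped programs (for example `/usr/bin/xscanimage` and the OpenOffice launchers named in the script excerpt earlier in the thread) into `restore_all` on stdin puts the originals back without the setuid bit; paths that were never wrapped are skipped rather than clobbered.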
It also messes with the lpr command (Score:2, Interesting)
You can remove all of the SUID crap and point
Clue on what not to buy (Score:2)
Great! (Score:2)
May not be that big a problem (Score:2)
Never trust third party packages (Score:2)
Thanks, Microsoft!
Stick with your distribution's official package archive and this simply won't happen.
The bug is that it doesn't properly UN-SUID them. (Score:2, Informative)
What's the purpose of this [expletive deleted]? (Score:3, Interesting)
OK, I read this message, and I can't understand why on earth any software would need to, even temporarily, set the setuid bit on anyone else's software. What's the purpose of this action?
Re: (Score:2)
The above shows just how similar the two really are.
Re: (Score:2)
No. Not really.
I had those drivers in a laptop some time ago because a client was dumb enough to buy equipment that had no decent Linux support. The fact highlights how bad it is to use the Windows approach of having to run installers at elevated privileges. Here, the only installer I run at elevated privileges is APT and it is reputed to be quite safe.
As for Windows, you have to run such install
Re: (Score:3, Insightful)
In all seriousness, I would like to know the business case for not open sourcing these drivers. It seems to me they have everything to gain and nothing to lose. I can't imagine there's any significant technological secrets contained in the drivers themselves. The value they are selling is in the physical printers, and the drivers are just there to make the printers useful.
Why not open the drivers to a free process that will almost certainly improve them, and at the same time improve the company's image in
Re: (Score:2)
Back to work slave...
Re: (Score:2)
In the case of Samsung color laser printers, you have to use the vendor installer because if it runs, it sets up a /etc/linuxprint.cfg that is needed by the Samsung filter ppmtosplc. AFAICS, the format of linuxprint.cfg isn't documented (either).
OTOH, at least with the CLP-300 you can use foo2splc instead of the Samsung drivers. And I believe that some of the other model