Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Major Security Hole In Samsung Linux Drivers

kdawson posted more than 7 years ago | from the drive-a-truck-through dept.

Security 295

GerbilSoft writes with news of a major security hole in Samsung's proprietary Linux printer drivers. From the Ubuntu Forums: "Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). [Google translation here.] It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password. What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo." GerbilSoft adds: "Among the programs that it sets as setuid-root are OpenOffice, xsane, and xscanimage."

Sorry! There are no comments related to the filter you selected.

girst gost! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19898993)

gol!

Lazy Design... (5, Insightful)

Azuma Hazuki (955769) | more than 7 years ago | (#19898995)

This sounds like a cheap hack. There is no need for these things to be setuid root, not on the program level. Sounds like someone is used to programming Windows drivers...

I'm tempted to infer something sinister about this, but then I remember the old adage "never attribute to malice what can be explained by stupidity." It keeps your blood pressure nice and low.

Re:Lazy Design... (1)

jimpop (27817) | more than 7 years ago | (#19899107)

Bingo. Someone should be fired at Samsung, specifically the manager who hired the programmer with out vetting their capabilities.

Re:Lazy Design... (3, Insightful)

CastrTroy (595695) | more than 7 years ago | (#19899625)

The employee should be fired. They are the one who actually made the mistake, and who has shown they have no abilities. Managers shouldn't have to take the all the blame for their employees mistakes. If the manager has had a bad track record and this kind of thing happens too often, then maybe he should get fired, but you can't make the judgement that the manager should get fired every time an employee screws up.

Flawed Design... (2, Informative)

krischik (781389) | more than 7 years ago | (#19899229)

Only when the little bugger of an hotplug-manager changes the user id for the scanner device to the logged on user. Which still only gives one user access to the scanner. Have my Wife remote logged in and only one of us can use the scanner.

Unix security if just flawed and the flaw is called "root".

Martin

Re:Flawed Design... (2, Informative)

Anonymous Coward | more than 7 years ago | (#19899307)

Maybe you should turn off the hotplug manager, or reconfigure it so it doesn't manage your scanner device? Why not set the scanner device to be owned by a group consisting of yourself and your wife? Then you could both use it, and neither of you would need to be root, and you wouldn't need any setuid binaries.

Re:Flawed Design... (5, Informative)

morgan_greywolf (835522) | more than 7 years ago | (#19899359)

I'm going to reply to your post backwards, but you'll see why.

Unix security if just flawed and the flaw is called "root".


There is a fix for this flaw. It's called 'groups.'

Only when the little bugger of an hotplug-manager changes the user id for the scanner device to the logged on user. Which still only gives one user access to the scanner. Have my Wife remote logged in and only one of us can use the scanner.


This is distro-dependant. On Ubuntu, scanner access is controlled by groups. Want a user to be able to scan? You add them to the scanner group. You want someone to have access to burn CDs/DVDs? You add them to the cdrom group. If the scanner device is owned by any user, and owned by the group scanner, the permissions on the scanning device are set to group read/write, and both you and your wife are in the scanner group, then you both have access to the scanner. Try it yourself. Problem solved.

BTW--with SANE, the best way to have two people access the same scanner is via the saned network sharing mechanism, which allows other systems using xsane (or other sane front-end) to access the scanner over the network without having to remote login.

Re:Flawed Design... (1, Redundant)

drsmithy (35869) | more than 7 years ago | (#19899601)

There is a fix for this flaw. It's called 'groups.'

Groups don't fix the flaw of a superuser. Not only are groups the wrong ballpark to do so, they're not even playing the same game.

Re:Flawed Design... (1)

cortana (588495) | more than 7 years ago | (#19899587)

Perhaps you should upgrade to a distro that is designed for use by multiple users:

$ lsusb -s 005:004
Bus 005 Device 004: ID 04a9:221c Canon, Inc.
 
$ ls -l /dev/bus/usb/005/004
crw-rw-r-- 1 root scanner 189, 515 2007-07-18 13:59 /dev/bus/usb/005/004
On Debian (and derived) systems this is done by udev.

Re:Lazy Design... (1)

jkrise (535370) | more than 7 years ago | (#19899251)

My thoughts exactly. Although, given Slashdot's tendency to sensationalise things (remember the JRE bug that could make everything vulnerable?) it could be a while before we can get to the truth of the matter.

The key qn. is:

Were these programs given elevated privileges in order for the Samsung device to work?
OR
The driver elevated privileges of programs unrelated to it's functioning.

If the latter is true, then Samsung needs to be conngratulated for highlighting the pitfalls of closed source drivers in Linux.

Re:Lazy Design... (3, Informative)

B'Trey (111263) | more than 7 years ago | (#19899579)

I can't tell you why the driver did what it did. However, from what I've read, the driver actually moves binaries to new locations and replaces them with a startup script which is set to run suid. That's way, way, way over the line. It breaks lots of stuff, like updates and patches. Someone doesn't deserver to be fired. Someone deserves to be tarred and feathered and banned from ever touching a computer again.

Re:Lazy Design... (4, Insightful)

EveryNickIsTaken (1054794) | more than 7 years ago | (#19899383)

Sounds like someone is used to programming Windows drivers...
No, it merely confirms that there are lazy programmers creating crap code for all OSes, including Linux.

Re:Moronic Managers (2, Insightful)

thegrassyknowl (762218) | more than 7 years ago | (#19899481)

I deal with this kind of crap in embedded Linux installs daily. Managers and marketoids want to do all sorts of insanely stupid things under the guise of "making it easy for the customer to configure the device within a maximum of 5 minutes with no technical knowledge", etc.

In the mean time the fallout from all the insane things that "need" to be done is gaping security holes all over the place and a bunch of manager types saying 'but it doesn't matter, nobody will ever want to hack us'.

For the record I used to work for a company which built Internet-accessible security products. Whenever there was a breach it was always my fault even though I told them that enabling a particular service to the greater world was risky and would require constant attention by a qualified Linux admin and also require a regular mandatory update schedule and code reviews to continue some level of security. They never wanted to do the regular updates or code reviews because it was so costly and updates inconvenience the customer (I'm sure less than a r00ted box, but explain that to marketoids).

Suffice to say I quit that job and am starting another with a company that actually cares about security over customer friendliness (and cares about their employees at least as much as their profit margin).

How come an app can do that? (1)

forgoil (104808) | more than 7 years ago | (#19899001)

It seems extremely dangerous that a user can install something like that, with that kind of effects. Very insecure indeed. Can anyone explain why in the whole world something like this could ever happen, or is in fact an exploit/virus/worm?

Re:How come an app can do that? (1)

siride (974284) | more than 7 years ago | (#19899059)

With Gentoo, packages cannot modify anything in the outside system. I don't know what precautions the .deb package system has, but based on what I see with RPM, I'm guessing not much.

Re:How come an app can do that? (1)

rbanffy (584143) | more than 7 years ago | (#19899337)

These are no packages. It's an installation program you run as root.

Really Windows-style.

Re:How come an app can do that? (4, Informative)

Xiph (723935) | more than 7 years ago | (#19899069)

It's a driver installation, so the ordinary user doesn't/can't do it.

However, it's a proprietary driver, that you need to install to use the printer, so if that's the printer you have people install it, expecting it not to create security holes.
This might have been discovered earlier, if it weren't for the closedness of the source.

My guess is that it happened due to a coder writing the driver so, it requires root to use it.
Then trying to guess which programs requires the driver, then setting those to run as root. Silly, but easy to do.

Sounds like it was done without peer review, so i guess they only have one guy writing their linux drivers..
So why is it proprietary? well some places printers are encouraged(required) by law (enforcement) to leave secret and invisible watermarks.
If it isn't done in the printer, it's done in the driver, if it's open, it'll be removed.

Re:How come an app can do that? (1)

Chrisq (894406) | more than 7 years ago | (#19899113)

This seems like a good argument for user space drivers. That way only the device driver for the peripheral connection needs to be installed by root, and the printer-specific stuff can be safely installed by users.

Re:How come an app can do that? (1)

siride (974284) | more than 7 years ago | (#19899257)

You do realize that userspace drivers and permissions are orthogonal concepts? Userspace drivers still would probably need to run as root to be able to properly access system resources.

Re:How come an app can do that? (2, Insightful)

plague3106 (71849) | more than 7 years ago | (#19899123)

This might have been discovered earlier, if it weren't for the closedness of the source.

Really? It could not have been detected by noticing that OpenOffice is not SetUID? I believe there is even a package for linux that monitors binaries in /bin, /usr, etc. and notifies you immediately if permissions have changed for anything. I know such a package was available for RedHat when I was using that. That could not have detected this sooner?

Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.

Re:How come an app can do that? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19899189)

Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.

But it's been seen. Is that then proof of the thousand eyes theory?

(you fucking idiot)

Re:How come an app can do that? (0)

Anonymous Coward | more than 7 years ago | (#19899219)

(you fucking idiot)

Great parenthetic slapdown -- bravo!

Re:How come an app can do that? (1)

Dr. Manhattan (29720) | more than 7 years ago | (#19899205)

Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.

Apparently someone did... else we would not be reading this story.

Re:How come an app can do that? (1)

plague3106 (71849) | more than 7 years ago | (#19899271)

Yes, eventually, but not as the OP claimed with This might have been discovered earlier.

I agree, BUT (5, Insightful)

PetriBORG (518266) | more than 7 years ago | (#19899217)

I agree with what you said, BUT...

Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.
This is uncalled for, because as can be see on the ubuntu forums [ubuntuforums.org] you can clearly see it was the "thousand eyes" reality that caught this problem in the first place and found the solution to remove parts from the install script.

wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
And the content of the function for suid-making functions etc. So I have to disagree with you there.

I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.

Re:I agree, BUT (1)

TheRaven64 (641858) | more than 7 years ago | (#19899317)

I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.
OpenBSD emails root every night with the results of the daily insecurity check, if it finds anything. One of the things it looks for is new setuid-root binaries. If this had been OpenBSD, then it would have been caught within 24 hours of being installed. I'm surprised Linux distributions don't include something similar already.

Re:I agree, BUT (1)

PetriBORG (518266) | more than 7 years ago | (#19899431)

I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.
OpenBSD emails root every night with the results of the daily insecurity check, if it finds anything. One of the things it looks for is new setuid-root binaries. If this had been OpenBSD, then it would have been caught within 24 hours of being installed. I'm surprised Linux distributions don't include something similar already.

By default, I don't believe any of the mainstream ones do, or I am unaware of any. I absolutely think that Linux needs to be adopting a lot more secure settings and things to ensure that it doesn't turn into another windows box.

I suspect though that what the computer industry needs in general is a more user friendly model, a method to make security easier and transparent and thus understandable to the general user. A lot of that comes with by the computer setting up more secure default settings that still allow the user to do their work. Yet don't do the "allow or deny" crap that Vista does.

Re:I agree, BUT (1)

ajs318 (655362) | more than 7 years ago | (#19899533)

I suspect though that what the computer industry needs in general is a more user friendly model, a method to make security easier and transparent and thus understandable to the general user. A lot of that comes with by the computer setting up more secure default settings that still allow the user to do their work. Yet don't do the "allow or deny" crap that Vista does.
The only thing that will accomplish the effect you desire is a law demanding that every computer user has the right to view the Source Code of every program running on their system, or show it to an independent expert -- even if they don't have the right to make and pass on unlimited copies.

Keeping the Source Code secret from users is, to put it bluntly, a cunt's trick.

Re:I agree, BUT (1)

plague3106 (71849) | more than 7 years ago | (#19899327)

The post you linked to is only three days old. I wonder how long the drivers have been changing permissions. Likely longer than three days, probably for quite some time.

Your last statement though reminds me, the program which I spoke of in my previous post was actually called Tripwire, and its been bundled with Redhat for quite some time now. Well, at least the last version of Redhat / Mandriva that I used did. Perhaps they've since removed it.

So, such a package does exist (I already knew that, I wasn't being facesous), it just seems no one user it.

Re:I agree, BUT (1)

Megaweapon (25185) | more than 7 years ago | (#19899563)

So, such a package does exist (I already knew that, I wasn't being facesous), it just seems no one user it.

Tripwire is mandatory in my shop (and checked daily), so I would have noticed. Then again I wouldn't be running such crap equipment that required such crap drivers.

Re:I agree, BUT (1)

MrNemesis (587188) | more than 7 years ago | (#19899451)

I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this

"This inst_samsng_drv.sh wants to change entries in /bin, /usr/bin and /usr/lib. Cancel or Allow?" ;)

I'm probably in the minority of desktop Linux users who has a reasonably comprehensive log/file scanning setup; AFAICR chkrootkit and rkhunter both have checks for suid programs, and I'd love to see both of these apps installed and run by default (say, on shutdown) and generate a desktop alert of some description.

I still don't think that'd do much to stem this sort of problem though; if people run an installer, they're expecting it to be modifying certain files, and most desktop users of the fabled future aren't going to have the first idea of what changes should and shouldn't be being made.

As an aside, is there any echnical reason that Samsung can't provide the drivers as binary blobs and leave the packaging/installation to someone more competent? Heck, paying a Debian package maintainer $200 to do it would have generated a better package that'd be able to be used/adapted by practically every distro out there and would have avoided this PR-debacle-in-waiting.

Re:How come an app can do that? (1)

rbanffy (584143) | more than 7 years ago | (#19899375)

I would like to add that, had the driver writer done his/her job and made it to work the proper way (SANE for the scanner, CUPS/GhostScript for the printer) and maybe something more specific for the fax part, he would never, ever, face any problem.

It's lame and inexcusable.

Re:How come an app can do that? (0)

Anonymous Coward | more than 7 years ago | (#19899083)

It seems extremely dangerous that a user can install something like that, with that kind of effects.

You have to be root.

You dumbass.

Re:How come an app can do that? (0, Troll)

krischik (781389) | more than 7 years ago | (#19899089)

I expect that you install the drivers as root. The installation routine then sets suid to all applications which use a scanner.

And somehow I understand it - quite often I had to start xsane as root because the current user just was not able to access the scanner device - and I wanted that bloody scan now and not in half an hour problem searching session.

Martin

Re:How come an app can do that? (1)

TheCRAIGGERS (909877) | more than 7 years ago | (#19899301)

I'd say there's a big difference between somebody doing this knowingly, and a script that runs during an install that does it behind our backs.

Re:How come an app can do that? (2, Insightful)

PetriBORG (518266) | more than 7 years ago | (#19899093)

It seems extremely dangerous that a user can install something like that, with that kind of effects. Very insecure indeed. Can anyone explain why in the whole world something like this could ever happen, or is in fact an exploit/virus/worm?
It will require root privs to set up in the first place. It comes from the old UNIX method that "if you are privileged enough to have root, you should damn well know what you're doing." mindset. The problem is that apt-get, etc almost all require "root" or wheel access anyway to run. That means you're running a lot of program installers as root that probably you don't really trust enough to install in all parts of the system (see this as an example).

Re:How come an app can do that? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#19899119)

An app running as root can do anything it wants - and installers normally do run as root. The same problem exists on every OS: the administrator and the programs he runs can do retarded things.

The question I want to ask is why there is a driver developer working for Samsung who is able to understand the function of the setuid bit but not the security implications of using it. It seems that there is a very special type of stupidity involved here, along with some extremely thoughtless design. Samsung is taking a big risk employing morons like that.

If the guy can't understand the security implications of the setuid bit, which are well documented and not that complex, he should not be writing software.

Re:How come an app can do that? (1)

imroy (755) | more than 7 years ago | (#19899449)

The question I want to ask is why there is a driver developer working for Samsung who is able to understand the function of the setuid bit but not the security implications of using it. It seems that there is a very special type of stupidity involved here, along with some extremely thoughtless design. Samsung is taking a big risk employing morons like that.

My guess: the programmer or programmers is/are more experienced with the Windows environment, where this sort of tom-foolery with permissions and privileges is standard practice and often necessary. So they know that to get around some problem, certain programs have to run as root/administrator. But they are unaware (or minimally aware) of the decades of security vulnerabilities and their solutions that are a part of the UNIX world. It may sound like the standard Slashdot cop-out, but once again we can likely blame Microsoft for another security vulnerability, even though it does not involve their software at all!

Samsung security (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19899003)

Burbage dies on pg. 12
Hedwig dies on pg. 56
Mad-Eye dies on pg. 78
Scrimgeour dies on pg. 159
Wormtail dies on pg. 471
Dobby dies on pg. 476
Snape dies on pg. 658
Fred Weasley dies on pg. 637

Harry gets fucked up by Voldemort on pg. 704 but comes back to life on pg. 724

Tonks, Lupin, and Colin Creevy have their deaths confirmed on pg. 743

19 years after the events in the book:

Ron has married Hermione, their two children are named Rose and Hugo

Harry has married Ginny, their three children are named Lily, James, and Albus Severus.

Draco Malfoy has a son named Scorpius

  The epilogue shows all of the children boarding the train for Hogwarts together.

The final lines of the book are: "The scar had not pained Harry for 18 years. All was well."

Plot Spoilers
Part of Voldemort's soul was implanted into Harry whenever he used Ara Kadvara on him when he was a baby. Harry then sacrafices himself a la Lilly Potter style, which allows him to kill Voldemort without killing himself. He also has hacks (stone to bring him back to life, and an uber wand).

  Snape went to the good side (Hogwarts, etc.) because he was all emo that Voldemort killed Lilly Potter.

Harry has three kids with Ginny. Ron and Hermoine fall in love.

I smell conspiracy... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19899007)

I bet Microsoft paid them to that so that then they'll be able to say Linux is less secure (in this case just as secure) as their crappy Windows.

Windows coders (5, Insightful)

erroneus (253617) | more than 7 years ago | (#19899011)

If I'm not mistaken, this is how Windows got as bad as it is.

This particular incident cannot be protested enough. If this sort of thing becomes common, End-user Linux will become as corrupted as Windows.

Re:Windows coders (2, Interesting)

suv4x4 (956391) | more than 7 years ago | (#19899097)

This particular incident cannot be protested enough. If this sort of thing becomes common, End-user Linux will become as corrupted as Windows.

Your point is, Linux is good because only select people use it for select few apps. That's why Mac is good as well.

I suppose this is an example of a self-defeating prophecy: it's secure/stable, so use it! But if many use it, it's no longer secure/stable.

Re:Windows coders (1)

jkrise (535370) | more than 7 years ago | (#19899193)

Your point is, Linux is good because only select people use it for select few apps. That's why Mac is good as well.

I suppose this is an example of a self-defeating prophecy: it's secure/stable, so use it! But if many use it, it's no longer secure/stable.


Not sure why I'm feeding a troll, but he never mentioned about Linux being good for a few apps. Linux (or the Unix multi-user security system) is good enough for the entire web, provided people who write apps do so in a transparent way. Doing things in closed-source proprietary drivers and calling the operating system useless is a bit disingenious - but something an MS shill or Apple fanboy would do.

Re:Windows coders (1)

suv4x4 (956391) | more than 7 years ago | (#19899223)

Doing things in closed-source proprietary drivers and calling the operating system useless is a bit disingenious - but something an MS shill or Apple fanboy would do.

Maybe an MS shill or Apple fanboy or [insert tired cliche here] would call Linux useless. Good thing I didn't.

Would a Linux fanboy bend my words to fit his black-and-white world?

Re:Windows coders (1)

CaptnMArk (9003) | more than 7 years ago | (#19899245)

No, the problem is people programming applications using the principle of least resistance.

Re:Windows coders (5, Interesting)

erroneus (253617) | more than 7 years ago | (#19899277)

No, that is not my point.

As the PC developed, IO calls were to be linked through the BIOS. The idea was that each device was to have a ROM that linked itself to the system's BIOS and that there would be a more unified system for handling I/O. Well, for most people, BIOS wasn't fast enough so people started writing code to work around it. And that's where the PC's "bad programming habits" began and it just got worse from there.

Now, instead of people using the Windows API properly, people are using undocumented APIs that are subject to undocumented change, people are still trying to squeeze more performance from their apps by moving code into ring-0 virtual driver code. If you don't already know, "ring-0" means the code has access to the entire machine and all memory. And when apps misbehave, they are flying without a net since the ring-1 and above offer levels of "protection" from misbehaving or malfunctioning apps.

This culture of performance over stability and proper coding methods has undermined the security and stability of Windows. I'm not going to assert whether or not Microsoft is partly to blame or has any blame in this. But I will say that Windows coders have bad habits that are quite common and prevalent.

As Linux coders grow in numbers, it is more and more important that things like abusing root or setting up kernel modules unnecessarily should be protested and prevented at every turn. To not fight it could result in the same problems and reputation that Windows now enjoys.

Re:Windows coders (0)

Anonymous Coward | more than 7 years ago | (#19899303)

Oh, bullcrap!

It was stupid when programmers did it under Windows and it is stupid when they do it now under Linux. It has nothing to do with popularity!

Re:Windows coders (1)

rbanffy (584143) | more than 7 years ago | (#19899483)

No. It's still far more secure than Windows (or Macintosh, largely), since, in this case, you have to run a proprietary installer for a particular brand of printer/scanner I happen not to use (and that I won't recommend to anyone) and not use the mechanisms for software management built into any modern operating system (such as Red Hat, Debian or Gentoo).

Windows requires to run installers at elevated privilege levels to install things as trivial as a music players and, those, not rarely, intermingle themselves into the operating system in ways it makes impossible to get rid of them after you no longer need them.

suid is evil! (2, Informative)

PetriBORG (518266) | more than 7 years ago | (#19899017)

Once more boys and girls, say it with me now, SUID IS EVIL! :-)
Nothing but the programs that absolutely have to should be run as root.

Is there an English (not some auto-translated forum) site covering this? I think its talking about this suid run printer driver [openprinting.org] ?

Re:suid is evil! (2, Interesting)

StripedCow (776465) | more than 7 years ago | (#19899053)

And repeat after me: "proprietary" is even more evil than suid!

Re:suid is evil! (1)

PetriBORG (518266) | more than 7 years ago | (#19899139)

And repeat after me: "proprietary" is even more evil than suid!
HEH! Yes I agree with you, I've running 100% linux for a long time now for that reason. With that said though, there are lots of complicated pieces of code that I and everyone else just "trust" to work. Part of that trust comes from it being OSS, but a larger part I'd hope comes from a history of good work on the source's part.

Re:suid is evil! (1)

Ash Vince (602485) | more than 7 years ago | (#19899343)

"proprietary" is even more evil than suid!

No it isn't.

I write proprietary code for a living as do plenty of other people here I'm sure. Why should everybody have to release code as open source? Some of us would like to get paid for what we do without having to "add value" by offering support services as well.

In terms of Linux drivers there are several reasons why companies do not create or want open source drivers for their hardware. The most obvious one being that you are trying to keep exactly what the hardware does secret to make it harder for your competition to copy its functionality.

Personally I don't give a shit whether the drivers on my system are open or closed source, I just want them to work and closely match the functionality of the windows drivers.

I have no interest in looking through the code that makes up every driver on my Linux box any more than I would like to do a code audit on every version of Linux kernel before I compile it. Are you going to tell me that you have looked through the code for the various open source apps you use or do you take most of them on trust just like proprietary apps? Certainly for me this is far too much like what I do for a living to do it every night when I get home as well.

I would not want to use this particular driver as it is quite obviously a worthless piece of badly written junk but this does not mean that all proprietrary drivers need to be. Also note that this driver was revealed to be a piece of crap without needing access to the source code.

For a good example of a closed source driver check out the nvidia driver. It works and has never casued me any problems. I know it has had some security holes in it but so have plenty of open source drivers.

I do think that the open source usually produces better quality software if the project is well maintained, but not this model is not suitable for every piece of code produced.

Re:suid is evil! (4, Informative)

nagora (177841) | more than 7 years ago | (#19899121)

Once more boys and girls, say it with me now, SUID IS EVIL! :-)

SUID does not have to set id to root; my printing scripts are all setuid to "lp"; my mail servers are suid to "mail". This is a good thing.

TWW

Re:suid is evil! (1)

PetriBORG (518266) | more than 7 years ago | (#19899319)

SUID does not have to set id to root; my printing scripts are all setuid to "lp"; my mail servers are suid to "mail". This is a good thing.

Yeah, true enough, but in the context we're all talking about, we're talking about suid as root specifically. Since suid just runs as the owner of said executable and this executable is owned by root for no good reason, again we see the problem ey? I should have probably been more careful/specific though yes.

Linux security (1)

krischik (781389) | more than 7 years ago | (#19899195)

Year that's the theory - in praxis I quite often have to start xsane as root because - for whatever reason - the scanner device security is set to:

brw-rw---- root disk

Unix security is just not up to today's desktop hardware with scanners, usb stick and whatever else. The inflexible root-centred security system is no good for hot-plugin.

I like this little trivia: http://en.wikipedia.org/wiki/Unix#1970s [wikipedia.org] - Multics - multi-user-os - unics - uni-user-os. And it is still that way - root is the only true user the rest are just cripple.

Martin

Re:Linux security (2, Insightful)

siride (974284) | more than 7 years ago | (#19899311)

That's quite the misinterpretation of the name Unix. It really was just a joke: "Unix is one of whatever Multics is many of". It doesn't have anything to do with whether the system is multi-user or not. Unix is most definitely a multi-user system. The old style permissions are definitely becoming a problem, but there are solutions such as ACLs, SELinux and beyond. They have just yet to be used in any great degree on the desktop Linuxes. Perhaps incidents like this will push Linux distributors to start using these technologies. BTW, for your little problem, just make sure you are in the disk group and everything will work. That's the whole point of why it is set that way...so that only users who are in that group can access the device (or root), and users outside of the group can't. Admittedly, it probably shouldn't be disk. That's a udev problem, but that can be fixed in a config file, which sets permissions and ownership for device nodes.

Re:Linux security (1)

TheRaven64 (641858) | more than 7 years ago | (#19899371)

Rather than setting xsane as setuid, couldn't you add a line to your init script that sets the group of the scanner device to a 'scanner users' group, and add any users who were meant to be able to use the scanner to this group? Or setgid the xsane program into this group and not have any users in it, so anyone can access the scanner but only if they use xsane?

There are very few programs that need to be setuid root (su, sudo). Most others should be using setgid and sensible device permissions.

You said this earlier and ignored the answer (0)

Anonymous Coward | more than 7 years ago | (#19899455)

Why did you say it again?

You can see with the XServer how to do it: the server is run as root, the direct hardware DRI access is set to "root:video" and any user who is part of the "Video" group and run DRI calls.

Re:Linux security (1)

include($dysmas) (729935) | more than 7 years ago | (#19899585)

you shoot .... you miss.

in the paragraph above the one linked : "Multiplexed Information and Computing Service"

Re:Linux security (1)

tinkerghost (944862) | more than 7 years ago | (#19899635)

Unix security is just not up to today's desktop hardware with scanners, usb stick and whatever else. The inflexible root-centred security system is no good for hot-plugin.

Just because you've never bothered to pay attention to it & figure out how it is supposed to work, doesn't mean it's outdated or of poor quality. I have worked with administrators that don't know how to use groups properly, and they bitch & moan that nothing works right. With 10 minutes of resetting permissions & updating groups, I can fix 4 hours of 'fixing'. If you set them up correctly & maintain them, groups solve 90% of your problems with security.

The key is having a plan & putting the effort into maintaining groups properly. One place I worked wouldn't let IT remove old user accounts when someone left - they would give the new person their own account & then the UN/PW of all the people that had the job before them so they could "check the old files". What they needed was a group for the position, and then add/remove people from the group as needed. Hell they have email addresses for people who quit 6 years ago - actively being checked as independant accounts instead of being aliased to the person who has the posision.

Bluntly, it's a security nightmare that could be solved with some propper planning & an understanding of the actual security model the system uses.

Thank you! (4, Funny)

mwvdlee (775178) | more than 7 years ago | (#19899031)

A big "Thank You!" to Samsung for demonstrating that propriatory code is inherently less secure than open source, if only because you can (could) get away with insecure code.

Re:Thank you! (1)

suv4x4 (956391) | more than 7 years ago | (#19899063)

A big "Thank You!" to Samsung for demonstrating that propriatory code is inherently less secure than open source, if only because you can (could) get away with insecure code.

A big "Thank You!" to you for the most of the world hating Linux.

Re:Thank you! (0, Offtopic)

mwvdlee (775178) | more than 7 years ago | (#19899129)

The you are the welcome.

Re:Thank you! (1)

phoenixwade (997892) | more than 7 years ago | (#19899141)

A big "Thank You!" to you for the most of the world hating Linux.
there are over 6 billion people in this world. "most" would have to be more than half.... So you are asserting that more than three billion people hate Linux? Thank you for pulling another stupid statistic out of your ass..... I'd think you've be hard pressed to prove that more than half of the world even knows what Linux is, much less "Hating" it....

Re:Thank you! (1)

mwvdlee (775178) | more than 7 years ago | (#19899209)

I actually feel kinda proud that he blames me personally for making 3 billion people hate Linux... imagine what else I could do with such enormous powers of persuasion? :)

Either way; anybody who can love or hate an OS needs to see a psychiatrist, just like you should if you love or hate a screwdriver, a hammer or any other tool.

Re:Thank you! (1)

Znork (31774) | more than 7 years ago | (#19899479)

"just like you should if you love or hate a screwdriver, a hammer or any other tool."

Mmm, when your purchasing department gets a nice lunch in exchange for exclusively buying screwdrivers and you're forced to use the screwdrivers to hammer in nails all day long, I wouldnt be surprised if you develop some excessively strong emotions towards both screwdrivers and the manufacturer of said screwdrivers.

Wether it's entirely rational or constructive is perhaps questionable, but as far as mental health goes it sure beats beating in the heads of the purchasing department personell with a fine selection of hammers. Such affect displacement is a common coping strategy and often quite healthy when the appropriate targets for the affect are even less suitable for various reasons.

Re:Thank you! (1)

plague3106 (71849) | more than 7 years ago | (#19899161)

Wow, nice spin. The code itself is secure I image. I didn't notice in the translation that the driver itself was vunerable to an attack, just that the installer changed file permissions it shouldn't have. So this has nothing to do or not whether the code itself is secure, it has to do with what the binary is doing.

I guess you've never heard of an old UNIX compiler that inserted malicious code into otherwise clean source code, have you? Open source doesn't stop that, does it?

Re:Thank you! (1)

mwvdlee (775178) | more than 7 years ago | (#19899273)

Yes, I know about that GCC hack (i'm assuming this is what you mean since you mention both UNIX and open source) and about the trouble they had getting it out. But they did get it out. So yes, even open source can contain bad code. We're all only human after all. But it does get a lot harder to keep such things hidden, and when found it's a lot easier to get rid of it.

By "insecure code", people usually don't just mean unintended problems like buffer overflows but also about intentional functionality that creates security risks.

Slipping (0, Flamebait)

Joebert (946227) | more than 7 years ago | (#19899039)

Am I imagining things, or are systems that are supposed to be more secure than others getting caught with their pants down alot more lately ?

Maybe all the boasting has got people feeling too comfortable, letting their guard down.

Re:Slipping (1)

Slashcrap (869349) | more than 7 years ago | (#19899617)

Am I imagining things, or are systems that are supposed to be more secure than others getting caught with their pants down alot more lately ?

I'm guessing that you have nothing of interest to add to this discussion, or any discussion about security and are simply looking for cheap karma or to start a hugely tedious argument that we've all read a thousand times before.

As an alternative why don't you fly over to the UK and suck my big hairy cock, and in return I will promise to mod up one of your posts the next time I get the opportunity. You achieve your objectives and it will be a lot less annoying for everyone else.

Red Alert! (0, Flamebait)

suv4x4 (956391) | more than 7 years ago | (#19899041)

"Major Security Hole In Samsung Linux Drivers"

Something possibly bad about Linux! I don't have time to analyze what happened, so I'll just shoot some of my best knee-jerk responses:

1. Because they're not open source! You see how only binary stuff is bad in Linux!
2. Samsung did it to undermine Linux!
3. Good, it shows someone cares and possibly uses Samsung's Linux drivers!

All of the above proves conclusively how great Linux is.

Re:Red Alert! (1)

Joebert (946227) | more than 7 years ago | (#19899101)

4. This is the type of thing that usually happens on Windows.

The above shows just how similar the two really are.

Re:Red Alert! (0)

Anonymous Coward | more than 7 years ago | (#19899109)

Just because an answer is in the form of a knee-jerk response, doesn't mean its not factually true. I'd say that you got 2 out of 3 right.

Re:Red Alert! (2, Insightful)

CopaceticOpus (965603) | more than 7 years ago | (#19899275)

In all seriousness, I would like to know the business case for not open sourcing these drivers. It seems to me they have everything to gain and nothing to lose. I can't imagine there's any significant technological secrets contained in the drivers themselves. The value they are selling is in the physical printers, and the drivers are just there to make the printers useful.

Why not open the drivers to a free process that will almost certainly improve them, and at the same time improve the company's image in the Linux community?

Re:Red Alert! (1)

TheCRAIGGERS (909877) | more than 7 years ago | (#19899399)

I'm guessing it has way more to do with managers not knowing what OSS is, rather than an actual decision made with full knowledge to keep it closed.

What were they trying to do? (2, Funny)

Anonymous Coward | more than 7 years ago | (#19899045)

What were they trying to do that made them think OpenOffice needs to be setuid:root?

Windows ME(tm)(r) Security(tm)(r)(c)(*) now available on Linux, brought to you by Samsung(tm)(r)

Piece of crap (0)

Anonymous Coward | more than 7 years ago | (#19899061)

The reason is most likely that this piece of crap driver tries to do ioperm calls on the parport (for USB printers!) and needs root for that. There is a howto somewhere in the web how to NOP out this crap from the binary. And never use a vendor-installer of course ..

Install applications as root (5, Interesting)

Simon (S2) (600188) | more than 7 years ago | (#19899067)

I find it very disappointing anyway that anything you install on ubuntu is installed as root (at least that is the default way of doing it). Wouldn't it be übercool to be able to install applications as the local user, and drivers maybe as the "driver" user? I still think The Zero Install system [0install.net] is a nice and secure way to install software, and maybe one day we can extend this to install drivers as well, so that root access will almost never be required (a bit like Plan 9, or what SE Linux is trying to do).

Re:Install applications as root (4, Interesting)

vadim_t (324782) | more than 7 years ago | (#19899213)

Wouldn't change much really.

This works OK for a multiuser system. If you run systems with 100 users on each and one gets their home directory hosed, you restore from backups and problem solved. Everybody else continues having uninterrupted service meanwhile.

But on a personal box everything of importance is in $HOME anyway.

What is needed is something like SELinux, which makes it impossible for applications to do things they shouldn't be doing.

I say "something like" because SELinux is a very complicated system and AFAIK still badly documented. But it sounds like a step in the right direction.

Re:Install applications as root (1)

nrgy (835451) | more than 7 years ago | (#19899363)

I don't mean to disagree but everything of importance? All the apps I use are NOT located inside home and you can blame this on the companies that makes some of these but most do not like being outside /usr/local/*, if they do then I have to start messing with env variables which defeats the "It just works" linux has started to achieve. I wish all applications like gimp, xchat, etc installed into home instead of /usr/whatever.

I'm sure someone will chime in as to why its better or cooler to install in /usr/whatever but as a desktop os I kinda like how Apple does things when it comes to install locations. It would be nice to know $HOME/Applications stores all my installed software, one central location for all my applications instead of /opt/*, /usr/local, /usr/local/share, /usr/local/games etc. Like I said someone will probably tell me why I'm wrong for wanting this but for the average joe like myself it doesn't make sense.

Re:Install applications as root (1)

vadim_t (324782) | more than 7 years ago | (#19899459)

Everything of importance == DATA.

You know, things like text documents, browser bookmarks, saved games, source code not committed to a source control system, applications settings, passwords (in files used by password managers), music, video, homework...

My $HOME is somewhere about 50GB in size. Important things are backed up of course, but I can't back up 50GB every day.

Now application binaries on a single user system are unimportant. So long you can keep your data, a full reinstall of system components could be done very quickly, unless you're running something like gentoo. Just backup your list of packages, batch install all of that, and if you kept your $HOME you can be back running in an hour or two.

Re:Install applications as root (1)

Depili (749436) | more than 7 years ago | (#19899313)

Installing software as non-root is certainly possible, the distrowide package manager just can't do it without write access to the package database and software directories (having them world-writable would just be bad), but with little tweaking of dpkg or compiling the software yourself non-root users can install and run everything that doesn't require root access.

Re:Install applications as root (3, Informative)

MrNemesis (587188) | more than 7 years ago | (#19899355)

If you allow the local user to install programs, then the local user is either;
a) going to need write access to all the usual locations (either /usr/bin and /usr/lib, or /opt) which wouldn't solve the problem TFA is on about
b) going to need to use some middleware that *does* have rwx access to /usr and a fine grained ACL system dictacting which users have access to what

"Driver" installs just need access to /lib.

Fact of the matter is that whatever user/process has the rights to install apps has the rights to fuck them up as well. Much like how windows can't help it if the user runs trojan_setup.exe.

As ther other poster noticed, things like SELinux offer incredibly fine grained access over what various users can and can't do, and if you go through the (fairly considerable) pain of setting it up it can give you an amazingly secure setup, but there's no way in hell it'd fly with everyday users or even most sysadmins. This is why Linux distros take such care with package management and like to retain control over their repositories - because they can't risk a third party, closed source package coming in and accidentally running a chmod -R 777 / on install. When you're dealing with companies that seemingly have little knowledge of Linux development and security models, this is a very real threat.

Let me be the first to say... (1, Funny)

RAMMS+EIN (578166) | more than 7 years ago | (#19899071)

quoi le baise? (senseless translation of 'wtf')

Does anyone have _any_ idea why they did this?

Fortunately, I don't use the drivers supplied by Samsung for my printer. They are crap. The foomatic one works just fine, though.

Why did they do it? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19899335)

Probably, when you print using those applications, it starts a portion of the printer driver (userspace portions, maybe?) which somehow required root to run properly. Classic problem which *might* be avoided in most cases.

Re:Let me be the first to say... (1)

TheRaven64 (641858) | more than 7 years ago | (#19899463)

I am just guessing, but I would imagine that the drivers are in the form of a shared library that talks directly to the printer device. In order to talk to the printer device, the process to have permission to write to /dev/whatever, and the easiest way of doing this is to run as root. A more UNIX-y approach would be for the driver to be a filter that read something like PostScript from stdin and wrote printer commands to stdout. This could be run as a completely unprivileged user, with the printer daemon piping printer output through it. There are two reasons I can think of for not using this approach:
  • It's a quick-and-dirty port of a Windows driver, which is not designed for this kind of interaction.
  • The driver needs bi-directional communication with the printer (quite possible if the printer is really dumb and has all of the controller logic in software).
I don't know how something like CUPS handles the bi-directional issue. It would be nice if a printer driver filter could assume that file descriptor 3 was for reading from the printer, and that it should assume it was printing to a file (or via another filter) if this descriptor was not open at launch time, but I don't know if this is implemented.

to be fair (1)

SolusSD (680489) | more than 7 years ago | (#19899095)

no user is going to be able to install such a dangerous "driver" without root access in the first place-- anyone can build a program, intentionally or accidently, that comprimises a system when ran/installed as root.

Re:to be fair (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19899197)

no user is going to be able to install such a dangerous "driver" without root access in the first place-- anyone can build a program, intentionally or accidently, that comprimises a system when ran/installed as root

Yes, but when you install a driver, you normally assume that it's not going to make your system insecure. Why should it? Only a very badly designed driver would deliberately break your system security.

Sometimes drivers do accidentally introduce security problems. The Nvidia drivers for X have done this in the past, for example. In those cases, it's not bad design, it's an oversight of some sort, like a buffer overflow.

But this is not an oversight. A deliberate design decision has been made to break the Linux security model. A very special type of stupidity is involved: one that includes an understanding of the effects of the setuid bit, but excludes an understanding of the security implications.

Samsung should investigate this fully - who knows what other retarded decisions have been made by these guys?

tickle my soul! (0)

Anonymous Coward | more than 7 years ago | (#19899133)

linux has failed yet again. the genie is out of the bottle.

It come out... (4, Informative)

dmayle (200765) | more than 7 years ago | (#19899143)

For those who can't read French, the Ubuntu forum is just a posting of a link to another forum where it was noticed. The posting, along with the interesting source can be found at http://linuxfr.org/forums/15/22562.html [linuxfr.org] The interesting parts are:

wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage

wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc

The script copies the affected application's executable to one with a .bin extension, and replaces it with an suid wrapper script. This is undoable, but god, what a mess!

Okay, I couldn't overcome the lameness filter, go to the source to see for yourselves...

Re:It come out... (1)

squiggleslash (241428) | more than 7 years ago | (#19899283)

Are they really setting a script setuid? Because that doesn't normally work.

Bad... (1)

Jaaay (1124197) | more than 7 years ago | (#19899151)

but this was the first time I heard of Samsung having native Linux drivers so as long as they stop screwing up peoples systems they might get some good publicity out of this ironically though I'm not sure if they deserve it.

Without knowing much than what is in the article.. (1, Flamebait)

Tanuki64 (989726) | more than 7 years ago | (#19899203)

...I would not call this a mere bug. This was an intentional attempt to create a backdoor. Come on, who believes that a very specific driver of all things changes the permissions of a very unspecific program like OpenOffice? Something like that does not happen by accident.

Ok, I might be wrong with my accusation, but in this case I'd say I don't have to prove it, but Samsung has to prove its innocence by making public in details how exactly it came to this 'bug'.

Re:Without knowing much than what is in the articl (1)

krischik (781389) | more than 7 years ago | (#19899299)

No, the problem come from the device driver for scanner devices which are raw scsi devices and therefore have some very restrictive security set.

The hot plug manager should change the user id to the logged in user - but that is not reliable. Personal experience in 50% of cased it stays on root so only root can scan.

And even if the user is changed - have 2nd user logged in and only one can scan.

Martin

Re:Without knowing much than what is in the articl (0)

Anonymous Coward | more than 7 years ago | (#19899405)

No, you are wrong and you are paranoid. Take off the tinfoil hat for a second.

You have a company, that has no experience writing drivers for UNIX operating systems, an operating system whose printing subsystem absolutely blows in all respects, and an office suite that also blows in all respects. The goal is to mix them all together and try to get something that works every time with no intervention from the user.

Guess what, make the program run as root because everything else on the system varies between distributions and you can't rely on a single thing (except the root account working), there's no good way to handle it. It's a dirty dirty dirty hack, but it works. Oh, except that it breaks the profiles of people and OO defaults to /root.

It's totally the wrong solution, but it's definitely not malicious.

Tagged it mate (0)

Anonymous Coward | more than 7 years ago | (#19899341)

Don't know about everyone else, but I tagged this: 'proprietarysoftwaresucks'

A fair surmisal of Samsung's almighty cock-up methinks. And remember: if they'd have freed the source in the first place, none of this would have ever happened.

English Non-Google'd Translation (3, Informative)

VE3OGG (1034632) | more than 7 years ago | (#19899377)

Hello,

After I installed the unified drivers for my Samsung printer/scanner, I had the unwelcome surprise of discovering that OpenOffice now opens as root, and not only that but did not ask for my password!

As a result, all documents I created were saved in the /root/ directory with super user rights. Practical and super secure!

I attempted to re-install .Xauthority without success.

The beast (the problem) is occuring under Ubuntu 7.04 under Gnome.

Thank You.

Bonjour,

Après avoir installé les drivers unifiés de Samsung pour gérer mon imprimante scanner, j'ai eu la très mauvaise surprise de constater que la suite openoffice s'ouvrait en root et ceci sans que me soit demandé le moindre mot de passe !!!

Du coup, les documents que je crée s'enregistrent dans le dossier /root/ avec des droits de super utilisateur. Pratique et super sécure !

A tout hasard j'ai réinitialisé le .Xauthority : aucun succès.

La bête est sous Ubuntu 7.04 et gnome. En attendant vote aide, je cherche et tente de résister au désespoir le plus sombre !

Merci

Time to Get Heavy (4, Insightful)

ajs318 (655362) | more than 7 years ago | (#19899425)

The proprietary driver fiasco has gone on far too long. It's time to stand up and say Enough Already!

Let's all get writing to our elected representatives and demand that hardware manufacturers be obliged, by law, to provide detailed specifications which would enable a sufficiently-competent programmer to write a driver program enabling any of the features of their product to be used on any sufficiently-capable computer.

Failure to do this places the rightful owners of hardware at a disadvantage. They can only use it in conjunction with certain Operating Systems. They are restricted to using it as the manufacturer thought fit. If a driver has a programming flaw, the user's computer can be compromised. If the Operating System is updated in such a way as the driver no longer works, the user is at the mercy of the manufacturer to release a new version of the driver -- or else the hardware is unusable (or at best, usable only through a bodge involving multi-booting: at the boot prompt, type linux to be able to use the Internet, or linuxOLD to be able to print).

It's unfortunate, but this measure really needs to be brought in through legislation, because manufacturers will not do it voluntarily. There are two reasons: (1) they are paranoid of competitors {despite the fact that their competitors are busy reverse-engineering their products in secret while they reverse-engineer the competitors' products} and (2) they habitually lie through their back teeth in their advertising literature about the capabilities of their hardware, and such lies would be exposed with disclosure (e.g. a camera with a 2 megapixel image sensor, spitting out JPEG images interpolated up to 6 megapixels).

Blown out of proportion? (4, Informative)

Jerry (6400) | more than 7 years ago | (#19899535)

Here is a posting to the Ubuntu forum that is SEVEN MONTHS old and refers to postings A YEAR OLD!

Printer drivers need to be installed with world execute permissions so that all users on the system can access the printer. The Samsung hacker's method of doing this, converting them to 4755 bin files and setting the original name as a link to the bin files, is one way of doing that -- IF his "unwrap" function had worked properly. That's the bug. Listed in the posting are files whose permissions need to be modified after the driver is installed.

#1
Old January 18th, 2007
tweedledee tweedledee is online now
Way Too Much Ubuntu

Join Date: Dec 2006
Beans: 252
Ubuntu 7.04 Feisty Fawn User
HOWTO Install Samsung Unified Printer Driver
I had a fair amount of trouble initially getting my Samsung printer installed completely, but I finally have it all done, so here's a mini-guide for those who might benefit.

NOTE: for the last few months, the Samsung website has been utilizing some buggy Flash code that will crash many (all?) Linux browsers that have Flash installed - hopefully they will fix this soon, but they don't seem in any hurry. Either use a secondary browser that does not have the Flash plugin installed (e.g., if you mainly use Firefox, you could use Epiphany (Gnome) or Konqueror (KDE)) or download the drivers via another computer/OS. Alternatively, again if you use Firefox, you can install the "flashblock" extension, usually this prevents the crash (and is useful for many of the other websites that have been appearing recently causing the same behavior, although it's not 100% successful).

EDIT: The newest (as of this writing) driver from Samsung (20070324...) appears to solve some of the mfp/xsane issues, but also appears to missing a couple of library files. See post #23 for details. Also see posts #27-29 for details on ...plc errors and solutions.
Post #35 suggets the 200704.... drivers have resolved this issue, so this may now be irrelevant.

First, a disclaimer: much of the information I used came from this thread: http://www.ubuntuforums.org/showthread.php?t=28774 7 [ubuntuforums.org] . Another good source of information is http://www.linuxprinting.org./ [www.linuxprinting.org] Finally, I did this using the 20060719... and 20070125.... drivers; newer (or older) drivers may require some tweaks. Also, especially if you have a monochrome, non-duplexing, non-multifunction printer, you very well may have success with a generic post-script printer as a driver, without having to install the Samsung drivers. Also note that for my printer, pretty much all functions except duplex control worked even if I skipped steps 2-4 below (i.e., don't install the driver, only the relevant .ppd file) - which also has the advantage of not needing to fix xsane (additional step 2).

This works for my CLP-550; similar steps seem to work for other Samsung printers not supported out-of-the-box with the drivers available in a fresh Ubuntu install. This is NOT a multi-function, multi-functions may require additional steps (but are discussed in other threads, a quick search should bring them up). Posts below from other users have reported sucess (sometimes with a couple of small modifications) with: ML-2510 (# 5, 14, 16, 26), ML-2510/XEU (# 18 ), ML-2571n (# 12), SCX-4200 (# 10), SCX-4521F (# 11), CLP-300 (# 35).

1. Download and untar the driver from Samsung's website; for this example I will assume you untar it to ~.
2. Open a terminal and navigate to ~/cdroot/Linux. I had to "chmod +w install.sh" to give write permissions, but that may be unusual. Edit install.sh as follows:
a: change the first line from "#! /bin/sh" to "#! /bin/bash" (without the quotes)
b (possibly not needed): change the line that includes "guiinstall.bin" (search for it, it's around line 1277) to eliminate the ".bin" (i.e., delete the last 4 characters of that line, nothing else)
3. type "sudo ./install.sh". You should get a graphical installer, but I find occasionally I only get a text-based one. Either way it works the same, and doesn't ask too many questions. Pretty much just accept the defaults.
4. When you reach the point of actually selecting and installing a printer, you can exit instead - this process always fails for me. You can try without risk of major damage, and it apparently works for some printers.
5. Go to (on Gnome) System -> Administration -> Printing. If by chance an SCX-4100 shows up here, you can delete it - sometimes the installer adds it, and it doesn't seem to work (even in the unlikely event that IS your printer). Go to New Printer. If it is a local printer, hopefully it is detected and you can select it. If it is network, select network, change protocol to HP JetDirect, leave the port as 9100, and provide the name or IP (your mileage may vary on this step - in some cases it seems that LPD works better, and IPP/CUPS does not work at all; see post #8 ).
6. Click Forward, then install driver, and navigate to ~/cdroot/Linux/noarch/at_root/share/ppd/CLP-550ps. ppd (replacing the .ppd file as appropriate for your printer). Select it, and finish the install process.
7. I usually have to repeat the install process, but without installing the driver again (it should now show up under Samsung) to actually get the printer to install. You should now be all set.

July 07 Major addition:
You will need to reset the following files and directories to be owned by root instead of by your user (sudo chown root:root ..., where ... is each of the paths below): /usr/ /usr/lib /usr/lib/cups /usr/lib/cups/backend /usr/lib/cups/filter /usr/lib/cups/filter/pscms /usr/lib/cups/filter/rastertosamsungpcl /usr/lib/cups/filter/rastertosamsungspl /usr/lib/cups/filter/rastertosamsungsplc /usr/lib/sane /usr/lib/sane/libsane-smfp.so.1.0.1 /usr/lib/libmfp.so.1.0.1 /usr/local/bin/launch-restore /usr/share/ppd/custom/CLP-550ps.ppd (you will have a different ppd file here for a different printer, use "ls -l /usr/shar/eppd/custom" to see the corret file (the one owned by you instead of root)) /etc/ /etc/sane.d /etc/sane.d/smfp.conf

Additional notes:
1. If you wish to change the global default paper size from A4 to Letter, edit (as sudo) /etc/papersize to say "letter" instead of "a4".

2. If you do not have a multifunction printer, but do have a scanner, you'll find xsane now executes as root. (This is also true if you have a multifunction printer, but see below instead of this step.) To fix this, since you don't want to run xsane as root, do the following:
a: in a terminal, type "sudo chmod -s /usr/bin/xsane"
b: sudo edit /etc/sane.d/dll.conf, and comment out (add a "#") in front of the line that says "smfp" (probably the last line).
If you only do (a) and not (b), xsane will crash.

Note that those with multifunction printers: xsane (and the smfp protocol Samsung adds) appears to be a problem. The above solution MIGHT work for you, I don't know. You can also check these sites for possible solutions:
http://jacobo.tarrio.org/Samsung_SCX-4200_on_Debia n [tarrio.org]
http://www.elijahlofgren.com/ubuntu/#scx-4521f [elijahlofgren.com]

Good luck, and let me know if you have success and/or failure, and I'll try to modify accordingly.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?