Sloppy File Permissions Make Red Star OS Vulnerable 105
An anonymous reader writes: Red Star OS Desktop 3.0, the official Linux distro of North Korea, which recently found its way onto torrents and various download sites in form of an ISO image, is interesting for a number of reasons, including its attempt to look like commercial operating systems (currently OS X, earlier versions mimicked the Windows GUI). Hackers are also poking Red Star for security vulnerabilities. An pseudonymous researcher noted in a post to the Open Source Software Security (oss-sec) mailing list, that the OS has one significant security hole: Red Star 3.0 ships with a world-writeable udev rule file /etc/udev/rules.d/85-hplj10xx.rules (originally designed for HP LaserJet 1000 series printers) which can be modified to include RUN+= arguments executing arbitrary commands as root by Udev. In the post he also mentions how the older Red Star 2.0 shipped with another schoolboy mistake: /etc/rc.d/rc.sysinit was world-writeable.
Good ol' 777 (Score:5, Insightful)
Whenever I see devs take the stupid shortcut of "chmod 777" I wonder what is the brain drain for these "professionals" that they can't figure out how to enable make use of "chown root:admin" and then "chmod g+x", or whatever's the appropriate level of permissions for the task at hand.
How can developers be so lazy and so security naive? It's like using signal lights when driving. Just do it because it makes for good habits.
Re:Good ol' 777 (Score:4, Insightful)
Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /
Re:Good ol' 777 (Score:5, Informative)
Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /
Actually, both the browser and the Apache log will tell you it's a permissions issue. Go to the root of /home and either add the Apache user to the group that has access to "/home/me/www/path/to/index.html" or change the group access to Apache's user.
Once the group is correct, change the permissions to g+r if necessary.
Taking the 15 seconds to properly set permissions when you know the issue is a permissions issue (otherwise why would chmod 777 fix the issue) really is just too easy not to do.
Also, use your signal lights!
Re:Good ol' 777 (Score:5, Insightful)
What I mean is that cat /home/me/www/path/to/index.html will say Permission denied but it won't say Permission denied reading /home/me
Re: Good ol' 777 (Score:1, Insightful)
... and changing directory a few times to investigate takes all of a few seconds. If you can't be bothered to spend this time on doing it properly, please step down and let someone else have your job.
Re: Good ol' 777 (Score:5, Insightful)
Good thing you don't design user interfaces.
On the other hand, perhaps it was you who designed the Windows 8 metro UI? It would explain a lot...
Re: (Score:1)
Re:Good ol' 777 (Score:5, Insightful)
Because that would give information to a potential attacker! You don't make security problems easy to diagnose!
Security through obscurity, eh?
No thanks. Either the system is secure (even against an expert hacker), and therefore no security is lost by providing informative error messages.... or the system is insecure, in which case no security is gained by making the error messages hard to understand.
Deliberately obfuscating error messages only makes the system harder to use by its legitimate users (and therefore more likely to be bypassed in ways that compromise security) while doing nothing to keep hackers out.
Re: (Score:2)
I don't know, seems to me obscurity is quite often a good first line of security - if nothing else it deflects 90% of amateurs, a few of whom might otherwise have gotten lucky and stumbled across a vulnerability. Because the one thing that we should all know with 100% confidence is that our security is not 100% effective. Ever. No matter how good the craftsmanship and how many eyes have failed to find flaws in it, you can be confident that there is a flaw somewhere. Nothing is perfect.
On the other hand t
Re: (Score:2)
Do you post your banking details here? Your uname and pass for the work servers?
Of course you don't, because you're not stupid. That's why you don't leak unnecessary details in diagnostic messages even if they might help the right person.
Re: (Score:2)
Re:Good ol' 777 (Score:4, Insightful)
Better than being one of those assholes that likes to call people an idiot.
There is always an aspect of obscurity to secrecy. In OPs example, the exact structure of the underlying filesystem. In mine, the user and pass. In both cases the mechanism is known. Many server admins make an effort not to reveal too much of the underlying structure to the outside and wouldn't appreciate the http server revealing all of it to the world.
Re: (Score:2)
Better than being one of those assholes that likes to call people an idiot.
Pot, meet kettle.
Re: (Score:2)
Methinks your irony detector is busted.
Re: (Score:2)
Do you by any chance mean sarcasm? Because I've got a hard time identifying any in your post.
Re: (Score:2)
So it caught irony but missed the deliberate nature so you became that awkward guy who explains the joke everyone already got?
Re: (Score:2)
Furthermore, where did you see me explaining your "joke"?
Applying Ockham's razor, I'm much more inclined to assume that you just became the guy who posts something dumb and then tries to backpedal by claiming it has been a "joke", which is pretty pathetic.
Re: (Score:2)
You seem awefully upset over a very slightly funny joke. Are you off your meds?
Re: (Score:2)
Re: (Score:2)
change the group access to Apache's [group](sic). Once the group is correct, change the permissions to g+r if necessary.
This is one of the reasons I would like nested groups for POSIX, but it will never happen because people think it's too Microsoftish.
Re: (Score:2)
Re: (Score:2)
Do you really have to be "really good" to do that. Standard method for me debugging issues is to tail -f both the access and error logs while making requests. Factor in wireshark with the server's private key loaded (if over https) if I'm really struggling.
Re: (Score:1)
Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /
No! No! No! you are doing it wrong you should have been using the command "rm -rf /" . The Linux/Unix professionals will thank you for this. :)
Re: (Score:2)
Yes I agree thats way more secure.
Re: (Score:1)
It's those damned humans. Wipe 'em out. - Joe Cockroach
Re: (Score:3)
How can developers be so lazy and so security naive?
security commonly falls under the "not my problem" area while "it MUST work" is always the priority. is that really so hard to comprehend?
Re: (Score:2)
North vs. South. Competing with Samsung? (Score:2)
http://forum.xda-developers.co... [xda-developers.com]
Re: (Score:2)
I hope not.
Re: (Score:2)
Re:...for a number of reasons (Score:4, Funny)
I hear a CD-R and a balloon were used.
Re: (Score:1)
Devil got promoted to 777. His half brother is hoping to get a 333 rating soon.
Re: (Score:2)
333? That would be this guy [wikipedia.org].
Re: (Score:2)
yet 666 isn't the sign go the devil.
it is 616. and even that may be wrong.
Master plan (Score:5, Funny)
Awesome! At last a way to hack North Korea and steal all their... valuable things?
Re: (Score:1)
Chimney dust?
Dirt?
State-supplied radio?
Precious balloon scraps from media deliveries from South Korea?
Re: (Score:3)
Re: (Score:2)
We can't shut them down like that. It's one of the two most powerful and wealthy Koreas in the world!
Re: Master plan (Score:3, Funny)
Re: (Score:1)
but the old HP take 3rd party ink / toner newer printers have all kinds of DRM to lock out 3rd party stuff and refills.
NK can't pay the cost of new INK or toner.
Re: (Score:2)
Too late, Kim Jong Un ordered the general who bought the HP printer to be executed already, and ordered his brother to buy a Canon inkjet to replace it. The brother was also executed for bring imperialist Japanese goods into Korea, but at least they have a new national printer now. Both the PCs are now being studied by North Koreas elite hacking squad to see if the files can be removed without recompiling the whole system from scratch, but the results are not promising so we may see more outage on the North Korean netblock again this week.
"PC ROAD RETTER? What dis fuckin' PC ROAD RETTER? You die today, Minister!"
Re: (Score:2)
Re: (Score:1)
I would hope the NSA makes full use of things like this to spy on North Korea, because that's their _actual_ job.
I thought their job was to hack into Sony, steal a bunch of data, post it on the internet, and then blame North Korea for it?
Wait... you're trying to tell me the idiots that can't even secure their own OS with basic file permissions did it? Seriously?
Re: (Score:2)
I wonder what valuable things NK have.
not great, but probably not very important either (Score:2)
This kind of exploit, a local privilege escalation exploit, used to be very significant, but is significant in a declining number of cases, as old-style Unix multiuser systems are a smaller and smaller proportion of systems. In all likelihood anyone with a user account on a North Korean computer is pretty heavily monitored, and ensuring nobody violates policy can be enforced by "other means" than Unix permissions.
Re: (Score:3, Informative)
This kind of exploit, a local privilege escalation exploit, used to be very significant, but is significant in a declining number of cases, as old-style Unix multiuser systems are a smaller and smaller proportion of systems.
An attacker who has exploited a Firefox vulnerability (there are still many found and patched each month) is running as a *local user* on your machine. Trying to explain these types of vulnerabilities away is disingenuous, if not downright complacent.
Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.
While this is clearly a mistake by someone packaging the distro, they were certainly not helped by a system where you cannot adequately express permissions. ACLs are avai
Re:not great, but probably not very important eith (Score:4, Insightful)
Some alternatives sound nice but fail horrificly when the come in contact with people, especially the ones that let any people within a group grant access to others with zero oversight. Within a short period of time with such a "everyone can grant or deny access" scheme you end up with almost everything wide open and occasional calls when the paranoid have locked themselves and everyone else out of something and forgotten the password - and it's typically something business critical (as in people need to get to it so they can do their job) but not actually sensitive with only a few people normally allowed to get to it. So the superuser is locked out - what do you do? Well such things are normally not well thought out in any way at all so you crack in with ease, especially since you have full access to the hardware, which kind of makes the whole idea of having permissions that lock out the superuser look pretty silly doesn't it?
So while user/group/all looks simplistic and kind of sucks in some cases there's nothing else that's really shown itself to be good enough to gain traction apart from where mandated by a vendor.
Saw that - first day at a new site and the developer that had been looking after things rebooted both the primary domain server and secondary domain server at the same time in the middle of a working day, for some trivial fix that didn't need to be done immediately and probably didn't even need a reboot. Of course they were also serving most of the files and all the printing as well. It's a mindset not a skillset. He knew what would happen but there was a fix for something so it had to be done NOW so he could get it out of the way without having to worry about it later. Consequences didn't matter, after all the new guy was there to take all the angry phone calls.
Re: (Score:2)
Some alternatives sound nice but fail horrificly when the come in contact with people, especially the ones that let any people within a group grant access to others with zero oversight.
An access control system where everyone (with access?) can grant access to others sounds bad. However, I don't think that's the only alternative to me-us-everyone rwx. In fact, I don't know that such a system that exists at all. You usually needs to be the owner of a resource (or in the "owners" group) to grant privileges in a DAC system. Some systems also allows owners to grant specific rights on the security attributes to non-owners - i.e. the right to grant access.
Within a short period of time with such a "everyone can grant or deny access" scheme you end up with almost everything wide open
How about a system where only owners or
Re: (Score:2)
There's plenty of goo
Re: (Score:1)
Re: (Score:2)
AppArmor is a good start toward this. It can only be configured by root though.
Re: (Score:2)
So who should own the text file? Vi? cat? grep? emacs? gcc?
Re: (Score:1)
So who should own the text file? Vi? cat? grep? emacs? gcc?
Those are applications which have nothing to do with ownership although the user must have permission to use them. It is the user who should own the file, text or otherwise.
The Unix permissions of "user", "group" and "other" are still valid even today. If you want a more fine grained permission solution then look no further than Access Control Lists which have been in use by Unix since the late 1980's and Linux since the early 1990's.
The big problem with ACL's is not the concept it is when users expect th
Re: (Score:2)
I was asking someone who believes applications should own files and that access control should be by application.
I find Unix permissions + ACLs to be adequate. Users tend not to understand them, so I frequently use default ACLs on directories.
Re: (Score:2)
Re:not great, but probably not very important eith (Score:4, Insightful)
The old POSIX compliant user-group-others model does have some limitations. The non-root user can't arbitrarily add another individual user to have access or deny access, and only root users or site admins have access to create new groups. In the older systems, such as in UNIX's /etc/group and /etc/passwd, groups cannot contain other groups directly and there's a maximum line length on the number of characters in the "/etc/group" line. This gets quite awkward if you have hundreds of members of a group, or want to be able to say "all members of this group, *except* this one account, should have access to this". It means you have to add a new group and reset all files to owned and managed by that group: it can become painful to administer.
When compared to the obscure rat's nest of ownership in NTFS, however, I can see why the old POSIX ACL's have remained in use. And let's make not be confused, in the Windows world it is _extremely_ common to leave file ownership profoundly broken.
Re: (Score:2)
The owner of a file doesn't tend to matter much in the Windows world, only who has Full Control rights to it
Re: (Score:2)
> Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.
It's extremely simple, and extremely fast to handle computationally. Those "bit-savings" come out of every file system access, including pipes and symlinks and block and character devices. When a developer "meets the limit of what can be expressed with a single-group me-us-everybody", it's usually a sign that they're doing something fundamentally wrong and trying to invent special groups of their own on the fly.
Re: (Score:2)
In what way are ACLs a kludge? There are official tools to support them and proper system calls to manipulate them.
The biggest shortcommings are GNU tar and cpio not supporting them properly.
one question... (Score:4)
Is this OS for the NK government use, or for use by the people in NK.??
If it's for the people I'm not surprised they made it easy to gain access...
Re: (Score:3)
Re: (Score:2)
In North Korea it is illegal to own a cell phone. My guess is it is against the law to use the internet too. People who do are friends of Kim or approved by the department of guidance who actually run NK (Not Kim surprisingly). Mostly those authorized to view press or are in the military or work for the government.
Their whole country is a private network where the mothership uses a proxy to monitor you just like the office.
Re: (Score:2)
For the recent articles... (Score:1)
I presume there will be few job openings for adventurous Linux gurus @ NK atm.
Now that the world is "interested", every time these things come to public, the person responsible for the clitch, will be without his/her head.
Re: (Score:1)
Logo? http://img.rt.com/files/news/n... [rt.com]
Idiots... (Score:1)
Re: (Score:2)
Don't point out errors in any software then, since someone you might not like could benefit from fixing them. A mistake like this is a lesson for everyone.
And still (Score:3)
And still the US government would have us believe that NK has a cadre of "elite hackers" responsible for Sony instead of the much more plausible and believable "inside job" by disgruntled employees -- especially as it would have taken months to download the terabytes of data that they claim was stolen.
Re: (Score:3)
And without any of the snoops who monitor the NK traffic streams noticing for all those months to boot.
Re: (Score:2)
Hey They like Apple! (Score:1)
Clearly they're cultured people, despite lacking basic computer skills and intelligence in general.
I was wrong about them!
.
.
As the original author of mac menubar for GTK/GNOME (it's gnome right? not KDE?), I must say I feel really good about that. Long Live the Kim!
I Would Not Want to Be an NK Dev Just Now. (Score:2, Interesting)
Someone found and posted a security home in the official North Korean OS? I suspect that one of the OS's developers (and his family) is about the receive a free lifetime stay at Klub Kim.
Under the order of Kim (Score:1)
You've just managed to kill a few high profile devs in North Korea.
Good work gentlemen.
xe ti dongfeng 4 chân 19t5 (Score:1)