Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Linux

Sloppy File Permissions Make Red Star OS Vulnerable 105

An anonymous reader writes: Red Star OS Desktop 3.0, the official Linux distro of North Korea, which recently found its way onto torrents and various download sites in form of an ISO image, is interesting for a number of reasons, including its attempt to look like commercial operating systems (currently OS X, earlier versions mimicked the Windows GUI). Hackers are also poking Red Star for security vulnerabilities. An pseudonymous researcher noted in a post to the Open Source Software Security (oss-sec) mailing list, that the OS has one significant security hole: Red Star 3.0 ships with a world-writeable udev rule file /etc/udev/rules.d/85-hplj10xx.rules (originally designed for HP LaserJet 1000 series printers) which can be modified to include RUN+= arguments executing arbitrary commands as root by Udev. In the post he also mentions how the older Red Star 2.0 shipped with another schoolboy mistake: /etc/rc.d/rc.sysinit was world-writeable.
This discussion has been archived. No new comments can be posted.

Sloppy File Permissions Make Red Star OS Vulnerable

Comments Filter:
  • Good ol' 777 (Score:5, Insightful)

    by MisterSquid ( 231834 ) on Sunday January 11, 2015 @02:31AM (#48785563)

    Whenever I see devs take the stupid shortcut of "chmod 777" I wonder what is the brain drain for these "professionals" that they can't figure out how to enable make use of "chown root:admin" and then "chmod g+x", or whatever's the appropriate level of permissions for the task at hand.

    How can developers be so lazy and so security naive? It's like using signal lights when driving. Just do it because it makes for good habits.

    • Re:Good ol' 777 (Score:4, Insightful)

      by MichaelSmith ( 789609 ) on Sunday January 11, 2015 @02:47AM (#48785629) Homepage Journal

      Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /

      • Re:Good ol' 777 (Score:5, Informative)

        by MisterSquid ( 231834 ) on Sunday January 11, 2015 @03:05AM (#48785683)

        Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /

        Actually, both the browser and the Apache log will tell you it's a permissions issue. Go to the root of /home and either add the Apache user to the group that has access to "/home/me/www/path/to/index.html" or change the group access to Apache's user.

        Once the group is correct, change the permissions to g+r if necessary.

        Taking the 15 seconds to properly set permissions when you know the issue is a permissions issue (otherwise why would chmod 777 fix the issue) really is just too easy not to do.

        Also, use your signal lights!

        • Re:Good ol' 777 (Score:5, Insightful)

          by MichaelSmith ( 789609 ) on Sunday January 11, 2015 @03:17AM (#48785725) Homepage Journal

          What I mean is that cat /home/me/www/path/to/index.html will say Permission denied but it won't say Permission denied reading /home/me

          • Re: Good ol' 777 (Score:1, Insightful)

            by Anonymous Coward

            ... and changing directory a few times to investigate takes all of a few seconds. If you can't be bothered to spend this time on doing it properly, please step down and let someone else have your job.

          • Because that would give information to a potential attacker! You don't make security problems easy to diagnose! Just give the user enough information to know that permission was denied, and that's quite enough already. We don't need to help the crackers do their job.
            • Re:Good ol' 777 (Score:5, Insightful)

              by Jeremi ( 14640 ) on Sunday January 11, 2015 @01:20PM (#48787963) Homepage

              Because that would give information to a potential attacker! You don't make security problems easy to diagnose!

              Security through obscurity, eh?

              No thanks. Either the system is secure (even against an expert hacker), and therefore no security is lost by providing informative error messages.... or the system is insecure, in which case no security is gained by making the error messages hard to understand.

              Deliberately obfuscating error messages only makes the system harder to use by its legitimate users (and therefore more likely to be bypassed in ways that compromise security) while doing nothing to keep hackers out.

              • I don't know, seems to me obscurity is quite often a good first line of security - if nothing else it deflects 90% of amateurs, a few of whom might otherwise have gotten lucky and stumbled across a vulnerability. Because the one thing that we should all know with 100% confidence is that our security is not 100% effective. Ever. No matter how good the craftsmanship and how many eyes have failed to find flaws in it, you can be confident that there is a flaw somewhere. Nothing is perfect.

                On the other hand t

              • by sjames ( 1099 )

                Do you post your banking details here? Your uname and pass for the work servers?

                Of course you don't, because you're not stupid. That's why you don't leak unnecessary details in diagnostic messages even if they might help the right person.

                • Keeping the keys secret is not obscurity. You're either being intentionally obtuse or you're an idiot.
                  • Re:Good ol' 777 (Score:4, Insightful)

                    by sjames ( 1099 ) on Sunday January 11, 2015 @11:13PM (#48790713) Homepage Journal

                    Better than being one of those assholes that likes to call people an idiot.

                    There is always an aspect of obscurity to secrecy. In OPs example, the exact structure of the underlying filesystem. In mine, the user and pass. In both cases the mechanism is known. Many server admins make an effort not to reveal too much of the underlying structure to the outside and wouldn't appreciate the http server revealing all of it to the world.

                    • by fisted ( 2295862 )

                      Better than being one of those assholes that likes to call people an idiot.

                      Pot, meet kettle.

                    • by sjames ( 1099 )

                      Methinks your irony detector is busted.

                    • by fisted ( 2295862 )
                      The irony of your statement is perfectly visible, that was what made me reply in the first place.
                      Do you by any chance mean sarcasm? Because I've got a hard time identifying any in your post.
                    • by sjames ( 1099 )

                      So it caught irony but missed the deliberate nature so you became that awkward guy who explains the joke everyone already got?

                    • by fisted ( 2295862 )
                      Yeah. Obviously "everyone" got your "deliberate" "joke", which is probably the reason for all of the zero "Funny"-mods you got.
                      Furthermore, where did you see me explaining your "joke"?

                      Applying Ockham's razor, I'm much more inclined to assume that you just became the guy who posts something dumb and then tries to backpedal by claiming it has been a "joke", which is pretty pathetic.
                    • by sjames ( 1099 )

                      You seem awefully upset over a very slightly funny joke. Are you off your meds?

                    • by fisted ( 2295862 )
                      You seem awfully ad-hominem for someone who pretended to have a legitimate point. I guess that answers that, thanks for the demonstration.
        • change the group access to Apache's [group](sic). Once the group is correct, change the permissions to g+r if necessary.

          This is one of the reasons I would like nested groups for POSIX, but it will never happen because people think it's too Microsoftish.

      • If you're really good you watch the httpd.log files and see where it didn't have rights to get to the directory. Then set the rights accordingly.
        • Do you really have to be "really good" to do that. Standard method for me debugging issues is to tail -f both the access and error logs while making requests. Factor in wireshark with the server's private key loaded (if over https) if I'm really struggling.

      • by donaldm ( 919619 )

        Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /

        No! No! No! you are doing it wrong you should have been using the command "rm -rf /" . The Linux/Unix professionals will thank you for this. :)

    • by Tablizer ( 95088 )

      It's those damned humans. Wipe 'em out. - Joe Cockroach

    • How can developers be so lazy and so security naive?

      security commonly falls under the "not my problem" area while "it MUST work" is always the priority. is that really so hard to comprehend?

    • by Curtman ( 556920 ) *
      It's possible that someone did "chmod 777", but more likely it was the result of someone copying/untaring a file without considering their umask, or using 'cp -a', etc..
  • Comment removed based on user account deletion
  • Master plan (Score:5, Funny)

    by lucm ( 889690 ) on Sunday January 11, 2015 @02:45AM (#48785615)

    Awesome! At last a way to hack North Korea and steal all their... valuable things?

    • by aliquis ( 678370 )

      Chimney dust?
      Dirt?
      State-supplied radio?
      Precious balloon scraps from media deliveries from South Korea?

    • Or just to shut them down. I mean I'm fairly certain we in the U.S. have our own cyberwarfare units in the U.S. - that might also be the answer to who leaked the ISO of Red Star 3.0
      • by lucm ( 889690 )

        We can't shut them down like that. It's one of the two most powerful and wealthy Koreas in the world!

    • Too late, Kim Jong Un ordered the general who bought the HP printer to be executed already, and ordered his brother to buy a Canon inkjet to replace it. The brother was also executed for bring imperialist Japanese goods into Korea, but at least they have a new national printer now. Both the PCs are now being studied by North Koreas elite hacking squad to see if the files can be removed without recompiling the whole system from scratch, but the results are not promising so we may see more outage on the Nort
      • by grcumb ( 781340 )

        Too late, Kim Jong Un ordered the general who bought the HP printer to be executed already, and ordered his brother to buy a Canon inkjet to replace it. The brother was also executed for bring imperialist Japanese goods into Korea, but at least they have a new national printer now. Both the PCs are now being studied by North Koreas elite hacking squad to see if the files can be removed without recompiling the whole system from scratch, but the results are not promising so we may see more outage on the North Korean netblock again this week.

        "PC ROAD RETTER? What dis fuckin' PC ROAD RETTER? You die today, Minister!"

    • I would hope the NSA makes full use of things like this to spy on North Korea, because that's their _actual_ job.
      • by Anonymous Coward

        I would hope the NSA makes full use of things like this to spy on North Korea, because that's their _actual_ job.

        I thought their job was to hack into Sony, steal a bunch of data, post it on the internet, and then blame North Korea for it?

        Wait... you're trying to tell me the idiots that can't even secure their own OS with basic file permissions did it? Seriously?

    • by antdude ( 79039 )

      I wonder what valuable things NK have.

  • This kind of exploit, a local privilege escalation exploit, used to be very significant, but is significant in a declining number of cases, as old-style Unix multiuser systems are a smaller and smaller proportion of systems. In all likelihood anyone with a user account on a North Korean computer is pretty heavily monitored, and ensuring nobody violates policy can be enforced by "other means" than Unix permissions.

    • Re: (Score:3, Informative)

      by benjymouse ( 756774 )

      This kind of exploit, a local privilege escalation exploit, used to be very significant, but is significant in a declining number of cases, as old-style Unix multiuser systems are a smaller and smaller proportion of systems.

      An attacker who has exploited a Firefox vulnerability (there are still many found and patched each month) is running as a *local user* on your machine. Trying to explain these types of vulnerabilities away is disingenuous, if not downright complacent.

      Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.

      While this is clearly a mistake by someone packaging the distro, they were certainly not helped by a system where you cannot adequately express permissions. ACLs are avai

      • by dbIII ( 701233 ) on Sunday January 11, 2015 @07:00AM (#48786277)

        Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.

        Some alternatives sound nice but fail horrificly when the come in contact with people, especially the ones that let any people within a group grant access to others with zero oversight. Within a short period of time with such a "everyone can grant or deny access" scheme you end up with almost everything wide open and occasional calls when the paranoid have locked themselves and everyone else out of something and forgotten the password - and it's typically something business critical (as in people need to get to it so they can do their job) but not actually sensitive with only a few people normally allowed to get to it. So the superuser is locked out - what do you do? Well such things are normally not well thought out in any way at all so you crack in with ease, especially since you have full access to the hardware, which kind of makes the whole idea of having permissions that lock out the superuser look pretty silly doesn't it?

        So while user/group/all looks simplistic and kind of sucks in some cases there's nothing else that's really shown itself to be good enough to gain traction apart from where mandated by a vendor.

        When a developer meets the limit of what can be expressed with a single-group me-us-everybody, he will often look for the path of least resistance

        Saw that - first day at a new site and the developer that had been looking after things rebooted both the primary domain server and secondary domain server at the same time in the middle of a working day, for some trivial fix that didn't need to be done immediately and probably didn't even need a reboot. Of course they were also serving most of the files and all the printing as well. It's a mindset not a skillset. He knew what would happen but there was a fix for something so it had to be done NOW so he could get it out of the way without having to worry about it later. Consequences didn't matter, after all the new guy was there to take all the angry phone calls.

        • Some alternatives sound nice but fail horrificly when the come in contact with people, especially the ones that let any people within a group grant access to others with zero oversight.

          An access control system where everyone (with access?) can grant access to others sounds bad. However, I don't think that's the only alternative to me-us-everyone rwx. In fact, I don't know that such a system that exists at all. You usually needs to be the owner of a resource (or in the "owners" group) to grant privileges in a DAC system. Some systems also allows owners to grant specific rights on the security attributes to non-owners - i.e. the right to grant access.

          Within a short period of time with such a "everyone can grant or deny access" scheme you end up with almost everything wide open

          How about a system where only owners or

          • by dbIII ( 701233 )
            Which is why I wrote that many such things have fallen over when in contact with people - who tend to sort things in groups and have differing ideas of who should be in the groups. Conflicts develop of who should have access so it devolves into free for all for most and individual permissions for some. Maybe the military have something that works, but the sort of things that have been inflicted on office environments have not been enough of a success to demonstrate superiority as yet.
            There's plenty of goo
        • by dog77 ( 1005249 )
          Application level security would be an improvement. An application should be restricted to its own files and directories unless user gives explicit permission.
          • AppArmor is a good start toward this. It can only be configured by root though.

          • by sjames ( 1099 )

            So who should own the text file? Vi? cat? grep? emacs? gcc?

            • by donaldm ( 919619 )

              So who should own the text file? Vi? cat? grep? emacs? gcc?

              Those are applications which have nothing to do with ownership although the user must have permission to use them. It is the user who should own the file, text or otherwise.

              The Unix permissions of "user", "group" and "other" are still valid even today. If you want a more fine grained permission solution then look no further than Access Control Lists which have been in use by Unix since the late 1980's and Linux since the early 1990's.

              The big problem with ACL's is not the concept it is when users expect th

              • by sjames ( 1099 )

                I was asking someone who believes applications should own files and that access control should be by application.

                I find Unix permissions + ACLs to be adequate. Users tend not to understand them, so I frequently use default ACLs on directories.

      • If you understood the interplay between the flat out UGO rights and group membership maybe, just maybe you wouldn't take the opportunity you did to bash Unix/Linux file permissions.
        • by Antique Geekmeister ( 740220 ) on Sunday January 11, 2015 @10:39AM (#48786997)

          The old POSIX compliant user-group-others model does have some limitations. The non-root user can't arbitrarily add another individual user to have access or deny access, and only root users or site admins have access to create new groups. In the older systems, such as in UNIX's /etc/group and /etc/passwd, groups cannot contain other groups directly and there's a maximum line length on the number of characters in the "/etc/group" line. This gets quite awkward if you have hundreds of members of a group, or want to be able to say "all members of this group, *except* this one account, should have access to this". It means you have to add a new group and reset all files to owned and managed by that group: it can become painful to administer.

          When compared to the obscure rat's nest of ownership in NTFS, however, I can see why the old POSIX ACL's have remained in use. And let's make not be confused, in the Windows world it is _extremely_ common to leave file ownership profoundly broken.

          • by Dogers ( 446369 )

            The owner of a file doesn't tend to matter much in the Windows world, only who has Full Control rights to it

      • > Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.

        It's extremely simple, and extremely fast to handle computationally. Those "bit-savings" come out of every file system access, including pipes and symlinks and block and character devices. When a developer "meets the limit of what can be expressed with a single-group me-us-everybody", it's usually a sign that they're doing something fundamentally wrong and trying to invent special groups of their own on the fly.

      • by sjames ( 1099 )

        In what way are ACLs a kludge? There are official tools to support them and proper system calls to manipulate them.

        The biggest shortcommings are GNU tar and cpio not supporting them properly.

  • by s0litaire ( 1205168 ) on Sunday January 11, 2015 @03:19AM (#48785731)

    Is this OS for the NK government use, or for use by the people in NK.??

    If it's for the people I'm not surprised they made it easy to gain access...

    • Comment removed based on user account deletion
    • In North Korea it is illegal to own a cell phone. My guess is it is against the law to use the internet too. People who do are friends of Kim or approved by the department of guidance who actually run NK (Not Kim surprisingly). Mostly those authorized to view press or are in the military or work for the government.

      Their whole country is a private network where the mothership uses a proxy to monitor you just like the office.

    • So are we now down to discussing national Linux distros used by countries of interest, like North Korea?
  • I presume there will be few job openings for adventurous Linux gurus @ NK atm.
    Now that the world is "interested", every time these things come to public, the person responsible for the clitch, will be without his/her head.

  • I'm talking about "Hacker Fantastic", Ars, and /. Yeah, let's help NK as much as we can by fixing their shit for them.
    • by bedouin ( 248624 )

      Don't point out errors in any software then, since someone you might not like could benefit from fixing them. A mistake like this is a lesson for everyone.

  • by msobkow ( 48369 ) on Sunday January 11, 2015 @04:23AM (#48785899) Homepage Journal

    And still the US government would have us believe that NK has a cadre of "elite hackers" responsible for Sony instead of the much more plausible and believable "inside job" by disgruntled employees -- especially as it would have taken months to download the terabytes of data that they claim was stolen.

    • by msobkow ( 48369 )

      And without any of the snoops who monitor the NK traffic streams noticing for all those months to boot.

  • Clearly they're cultured people, despite lacking basic computer skills and intelligence in general.

    I was wrong about them!

    .

    .

    As the original author of mac menubar for GTK/GNOME (it's gnome right? not KDE?), I must say I feel really good about that. Long Live the Kim!

  • Someone found and posted a security home in the official North Korean OS? I suspect that one of the OS's developers (and his family) is about the receive a free lifetime stay at Klub Kim.

  • by Anonymous Coward

    You've just managed to kill a few high profile devs in North Korea.

    Good work gentlemen.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...