Torvalds Calls OpenSUSE Security 'Too Intrusive'

jfruh writes "The balance between security and ease of use is always a tricky one to strike, and Linux distros tend to err on the side of caution. But no less a luminary than Linus Torvalds thinks openSUSE has gone too far. When his kid needed to call from school for the root password just so he could add a printer to a laptop, that's when Linus decided things had gone off the rails."

Only root?

[busyqth]

Bah! Back in the day we recompiled the kernel to add a printer!
AND WE LIKED IT THAT WAY!!

Re:Only root?

Wow, newfangled drivers in the kernel... Back in the day, we had to manually pull the bits out of the computer, put them in a bucket, and transport them to the printer manually!

Re:Only root?

Back in the day? People using FreeBSD are still doing that shit. And yet they'll claim that their OS is superior to any Linux distribution in any way. Except, you know, in the case of usability for a desktop, in which case it's a fucking catastrophe.

Re:Only root?

[Toe,+The]

You mean sneakernet? That's nothing.
Back in the day, we had to manually place dots onto the paper using a handheld carbon-marking device.
On the plus side, it did have an undo function built right into the final product.

Re:Only root?

[fuzzyfuzzyfungus]

Only if your printer sucked. If you had a real printer you could just cat the postscript to whatever device it was connected to...

Re:Only root?

I love these responses. "It's not broken, incapable software, you just have to buy a different printer. Noob."

Re:Only root?

[busyqth]

Back in the day postscript didn't exist.
"lp0" stands for "Line Printer 0" -- you know, 132 columns, tractor feed, green-and-white-striped paper, massive clattering mechanical wheels spinning.
Now GET OFF MY LAWN!

Re:Only root?

Only if your printer sucked. If you had a real printer you could just cat the postscript to whatever device it was connected to...

And that's why the year of Linux on the desktop will always be next year.

Re:Only root?

[jd]

Papyrus? Pah! Youngsters! Back in my day, we had to find a granite boulder to carve the letters into. With a herring!

Re:Only root?

[busyqth]

That only works with frozen herring.

Re:Only root?

[Chrisq]

Papyrus, luxury.

In my day we had to invent writing, hew a stone from the quarry, and wear the letters into the tablet by rubbing it with our noses. And if we handed it in late you'd have to write it out a hundred times before the morning. It was so bad we would still be working on our first grade when we died of old age. They thing is, tell that to the kids to day and do they believe you?

No!

Re:Only root?

[ChrisMaple]

Postscript is an Apple conspiracy, designed to wear out electrons by sending too many of them through the printer cable.

ASCII only!

Re:Only root?

[jameskojiro]

Pheromone Trails, are you kidding me, back in my day we used to have to encode chemical messages in our DNA over many generations before we could pass them on to our offspring.

Re:Only root?

[busyqth]

I still do that.

Re:Only root?

That's because there was this thing called a "line printer device driver" that was... wait for it... compiled into the kernel.

Re:Only root?

Postscript is an Apple conspiracy, designed to wear out electrons by sending too many of them through the printer cable.

That's why you need a Monster Cable. The larger conductors and lubricated sheathing minimize wear. This both maximizes cable lifetime and ensures that the bits better retain their shape as they transit the cable.

Re:Only root?

[Bengie]

More like "you bought the wrong one, so suck-it-up and learn from your mistakes"

Re:Only root?

[Grishnakh]

There's some different issues here. Postscript (or PDF) printers are definitely superior to others, for good reason: they accept documents in a standardized format, and don't require special drivers. The only "drivers" needed are extremely simple, mainly to tell CUPS how many trays your printer has, and let you select the input and output trays, select duplexing, stuff like that.

Drivers that don't accept Postscript (or at least some other de facto standard like HP's PCL) have to have special drivers to convert your PS/PDF file into something the printer can understand, which isn't just a document description language, but rather something more like machine code to tell the printer exactly how to move the print head around and spray ink--these cheapo printers don't have much in the way of processing power, and rely on the host to do the processing for it. This means you need a special driver (which doesn't necessarily mean kernel driver, usually these printer drivers just run in userspace), which of course has to be supplied by the manufacturer since they're the only ones who really know how the printer works inside. Everyone even semi-knowledgable about computers should know by now that relying on mfgrs to supply drivers for Linux is generally a losing proposition, so these el cheapo printers should be avoided at all costs.

Setting up Linux to print to any decent office printer is usually a very simple affair: just find the printer, then select the manufacturer and model from the huge lists provided by CUPS, and off you go. Whether it's an HP LaserJet, a Ricoh, a Xerox, etc., it can print to any of these things. But a $30 piece of shit inkjet? Forget it. This has been the case for as long as $30 inkjets have been around, and hasn't changed, and it probably isn't going to change either, unless at some point in the future MS's near-monopoly collapses and Linux desktop systems start becoming popular (sort of like the way that many different phone makers sell their phones with different versions of Android on them, and these are doing quite well in the marketplace).

Re:Only root?

[jedidiah]

> The biggest problems with Linux are still device support and compatibility with what the user wants to do.

Nonsense.

The main problems are some notable highly proprietary walled garden holdouts and the dregs of the PC platform. For the rest, the level of support in Linux is not nearly as bad as some trolls would have you believe.

Linux faces similar challenges to MacOS in this regard.

Re:Only root?

[Barefoot+Monkey]

Are the frozen herring red by any chance? I've been looking for one forever but can never quite seem to find it.

Wild geese are known to hunt herrings of that colour. What you should do is look for a wild goose and follow it to see where it goes. That will surely be the best fishing spot for you.

Re:Only root?

[Grishnakh]

Linux on the desktop still has its problems, but printing is not one of them. Printing works great, and has for years. There's just a small catch: you can't expect to buy some piece-of-shit $30 inkjet and get it to work. You need to buy a decent printer. Generally anything by HP is fully supported, any kind of business printer is well-supported, and you can also get ~$100 laser printers these days from Samsung that have Linux support. If $100 is outside your budget for a printer, then you need to reevaluate your priorities and spending habits. $30 printers are a bad choice no matter what OS you're using; they're just a way for mfgrs to gouge you on ink supplies. Maybe someone more knowledgable about Apples will correct me here, but I don't think the situation is all that different with Macs; you can't buy just any random cheap shitty hardware device and expect it to "just work" on a Mac, you only get that when you buy Apple hardware or hardware that's specifically made to work with Macs and advertises that on the box. You can't hold Linux to a higher standard in this regard than Apple.

As for Linus, he works on the kernel only (and he made a really nice revision control system). Userspace isn't his expertise; it's like asking one of the engineers who's working on a rocket engine design what he thinks about the direction of space exploration (manned vs. unmanned, should we build a base on the moon, or mars, or send people to an asteroid first, etc.). He might have an opinion, but these policy and funding questions aren't really his domain at all, so you take his opinion with a grain of salt, even if his rocket engine design is really kick-ass. The Linux kernel is a great kernel, but Linus doesn't have any control over what the distros do with the systems they build on top of it. He can't help it if a bunch of them are putting shitty cellphone-esque UIs on it, or breaking things that used to work just fine.

Re:Only root?

[Barefoot+Monkey]

Postscript is an Apple conspiracy, designed to wear out electrons by sending too many of them through the printer cable.

I think you meant Adobe.

Adobe is an Apple conspiracy! Just look at the first and last letters. Do you think that is merely a coincidence?

Re:Only root?

[Grishnakh]

Not quite. There's never been printer device drivers compiled into the kernel. There were printer port drivers, but that's different; they just set up a virtual device at /dev/lp0 (or "PRN" in the case of DOS), and let you send data to it, so the data comes out the DB25 port on your PC. They had no control over the printer whatsoever.

Those old dot-matrix printers accepted ASCII text input, along with some control codes (other ASCII characters). So once you had a way to send ASCII data over the cable, the printer would just print anything you sent it, as-is. There was no "driver" needed at all.

Re:Only root?

[omnichad]

And it really shouldn't be that hard. If you make a print driver for Mac OS X, you likely already have a CUPS ppd created.

Re:Only root?

[Rob+Y.]

Those HP printers can be made to work great, but you still need to do some serious Googling to find out that you first need to turn off the automatic USB-based Windows install disk that the printer appears to be when you plug it in. Then some more Googling to find out how to do it.

Pretty odd that HP goes out of its way to provide drivers for its printers and then doesn't bother to even warn you about this USB drive behavior.

Re:Only root?

[Eil]

It's somehow the (free) operating system's fault because printer manufacturers design their hardware around yet another half-baked printing protocol instead of just using a standard that's been around for decades?

Re:Only root?

http://unix-tree.huihoo.org/V5/usr/sys/dmr/lp.c.html

Re:Only root?

[tftp]

It's somehow the (free) operating system's fault because printer manufacturers design their hardware around yet another half-baked printing protocol instead of just using a standard that's been around for decades?

Nobody in his right mind should pay for a separate CPU and RAM and everything else in a printer if the host can do all that, faster, and at zero cost. Rendering PostScript is not exactly a trivial matter. Printer manufacturers do the right thing here. What they aren't doing right is that they don't provide drivers for Linux. On the other hand, quite a few Linux users gave up on the desktop long ago.

Re:Only root?

[DarwinSurvivor]

Our printer is basically incompatible-proof. Not only does it accept PS, PDF, etc but you can actually FTP the pdf or PS file directly to it on port 21. The same can be done for firmware upgrades, just FTP the badboy and watch it do it's magic.

Sometimes I love HP for making things so damn simple!

Re:Only root?

[Kjella]

Setting up Linux to print to any decent office printer is usually a very simple affair: just find the printer, then select the manufacturer and model from the huge lists provided by CUPS, and off you go. Whether it's an HP LaserJet, a Ricoh, a Xerox, etc., it can print to any of these things. But a $30 piece of shit inkjet? Forget it

Here's a $30 printer that works perfectly under Linux, not that I've tried this particular one. It's more a matter of brand than price, some companies just have shit support and others are quite good.

Too much root is not a good thing

[Toe,+The]

I see this on Macs a lot. If you want to install anything, you have to type an administrator's password.

In theory, that's great. But in effect, you are giving that installer root access. So if I understand correctly, that installer could be putting any amount of spyware (or whatever) into your computer and nearly perfectly cover its tracks.

Otoh, many Mac apps are distributed as disk images, where you simply drag them from the image to your drive, and that's it. No password at all. If you're going to use pre-rolled software, that certainly seems more trustworthy. But of course, it is a lot more complicated of a process for the average user to be able to ever understand.

Re:Too much root is not a good thing

[dgatwood]

I would argue that for most users, the place they would drag them is into their Dock. Where the Application physically lives isn't that important.

Re:Too much root is not a good thing

[Trepidity]

If you drag from the .dmg volumes that OSX apps are typically distributed in to the dock, though, the dock icon will point to the app inside of the .dmg, and the link will stop working if you ever unmount the volume.

What an ass

[MatthiasF]

He could have just added the user to the sudo group and been done.

But no, he had to go harping on everyone on bug lists and social media rants to put people down, even suggesting whoever made the system should die.

What an ass.

Re:What an ass

[Rhacman]

If I understand correctly this in effect would be giving that user root priviledges. I think his complaint was that an ordinary task like adding a printer required that level of priviledge, not that it was inconvinient to do. It sounded like he wanted to administer his childs laptop without giving them free reign over it.

Re:What an ass

[MrHanky]

You don't generally use sudo when installing printers under Linux. You either use the web frontend for CUPS, in which case you're prompted for a password (either root or a user in a printer admin group), or more likely some application in the DE, in which case it's up to the PolKit configuration or whatever arcane nonsense they use these days. And yes, the default policy should be to allow users to add printers.

Re:What an ass

[Hatta]

Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.

Re:What an ass

[OzPeter]

Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.

Why does an administrator have to add anyone to anything in order to do a commonplace task on a machine that is really a commodity item?
 
Not that I have read his rants but I get where he is coming from.

Re:What an ass

[ArcherB]

If I understand correctly this in effect would be giving that user root priviledges. I think his complaint was that an ordinary task like adding a printer required that level of priviledge, not that it was inconvinient to do. It sounded like he wanted to administer his childs laptop without giving them free reign over it.

He was also a bit pissed that you need the root password to connect to a new wifi hot spot. Could imagine the network admin's nightmare of having to give the root password to a salesman trying to give a presentation on the road?

I had the same problem with my Fedora 16 (XFCE Spin) box needed the root password to eject a CD. It really sucked that my file manager couldn't do it unless I ran it as root. I don't even know what the file manager's name to run as root and I shouldn't have to. Of course it was no big deal for me to type in "sudo eject cdrom", but I wouldn't expect the average user to know that. Besides, I shouldn't have to add standard users to the sudoers group just so they can swap a friggin CD out!

Re:What an ass

[Wrath0fb0b]

Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.

Because, in any sane environment, that would require proving that the entier printer-management interface is secure enough not to allow privilege escalation or agent-based attacks. At the very least, that would require a software audit of those components that can be twiddled and probably some pen-testing and/or fuzzing. You can just say "well, this is designed to just let users add a printer so surely it can't be used to do anything else" -- I suppose you *can* say that but you ought to lose your job for that kind of thinking.

We've had large multi-user operating systems for decades now and people still don't seem to understand this basic principle -- if an interface is available to a regular user, it has to be vetted to ensure that it does not allow the user to do any more than what it advertises and that the effects of that are limited to things that the user is supposed to be able to accomplish.

Re:What an ass

[John+Hasler]

If I understand correctly this in effect would be giving that user root priviledges.

You don't. The whole point of sudo is that it gives you fine-grained control over the privileges of each user.

Re:What an ass

[DarkOx]

At some point a privileged operation more than likely has to take place. Perhaps Linus should do a little introspection about how his own kernel handles module loading?

I don't use SUSE so I don't know what I am talking about here but it seems maybe the problem is along the lines of their add user script should suggest putting new users in plugdev? Which would let udev(which runs as 0) load the required modules and the default rules would likely make a lp device writable by members of lp.

So it probably is an issue in SUSE but its also most likely a minor oversight than it is a serious flaw.

Re:What an ass

[TheLink]

With the popular Desktop Linux security models would you have enough power to pwn the system if you had the power to add a printer?

Re:What an ass

[Bill_the_Engineer]

That sounds like TSA logic!

It appears you are trying to install a printer I never seen before.

Press OK for exceedingly personal and embarrassing pat down, or READ MORE for a way to just pose nude in front of the web cam, or press CANCEL to order your cavity search online.

Re:What an ass

[ArcherB]

Has something changed, because Network Manager allowed user control over connecting to WLAN back in ... er ... 10.0 I think, or one of the 9. series. By default, in fact. I remember it annoyed me and it was uninstalled in short order, but it worked.

Personally, I'm not sure. I have not done wireless on Linux in quite some time and since I'm usually the only user on whatever system I'm using, meaning I set it up, I don't think twice about having to type in passwords. Being part of the sudoers group means I type my own password. It only becomes a problem when something like the file manager tells me that it does not have the permissions to eject the CD and doesn't know to ask for a my password. The sad part is that I am actually in the "root" group! What other group do I need to be part of? CDROM? Disk? Dbus? I don't know. I'll add myself to all of them and see if that takes care of the issue.

Now, imagine if this were a notebook and I was giving this to our sales rep to give a presentation at a potential customer's site.

Back to wireless, here is Torvald's post:

I first spent weeks arguing on a bugzilla that the security policy of requiring the root password for changing the timezone and adding a new wireless network was moronic and wrong.

I think the wireless network thing finally did get fixed, but the timezone never did - it still asks for the admin password.

And today Daniela calls me from school, because she can't add the school printer without the admin password.

Whoever moron thought that it's "good security" to require the root password for everyday things like this is mentally diseased.

So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace "my kids" with "sales people on the road" if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.

Re:What an ass

[chuckinator]

Go in to the linux box you supposedly own and type 'man 5 sudoers'. You can specify which programs a user can run as root with fine grained controls that only allow specific users or specific groups to run only specific programs. It is not an all or nothing tool even if a majority of lazy sysadmins use it that way. If it didn't have that level control, there would be no point in using it over /bin/su.

I feel you man,

[Dr.+Tom]

B.S. in C.S., M.S. Psy., Ph.D. in C.S. and B.S.*, and my job is to fix the printer ...

* That's Brain Science, you r'tard

In other news, Linus has a child old enough to install printers on Linux ... I feel old.

I guess it's reasonable ... they use to say, "you're not dating girls until you're 21!"
Now it's "You can't have the root password until you're 21!"

By the way, Linus is right, I usually disable selinux ... a good firewall is fine ..., and
also if your child clicks on an attachment from a stranger, that's a grounding.

Re:I feel you man,

[Barbara,+not+Barbie]

SELinux is a huge stinking pile. Once it's installed it can't be disabled, claims to the contrary notwithstanding. The last time I tried to disable it, my system wouldn't boot. The advice SELinux gives for overcoming alerts doesn't work more often than it does.

selinux is a mistake, but nobody wants to admit it.

There is a way to disable it, but it's not intuitive. You first off have to change a setting in the configuration, then reboot, and only then remove it. Just removing it leaves you with an unbootable system. It's easier to just say "selinux=0" at the install prompt.

Even then, the kernel still has all the call thunks for it, so while it's disabled and removed from the system, you're still paying for the overhead of an extra function call on many operations. A really bad decision which contributes to bloat, lower performance, and a larger surface for bugs and attacks. But don't tell anyone, because the self-appointed security nazis will accuse you of "not being security-minded".

Disabling it gives you an average 7% increase in performance, same as disabling swap gives you better performance (but again, so many people refuse to believe it because they believe "more swap is always better" when it was never the case, and was also the main contributor to early microckernels poor performance). And for you swap nazis, this is posted from a computer with both selinux and swap disabled, and only 2 gigs of ram ... and it continues to work just fine. Even with firefox, opera, openoffice, gimp, jedit, gedit, and thunderbird all open, it still has a gig free. Heck, even Eclipse won't trigger the OOM process killer.

(it takes some real ram, and some real cpu cycles, to run a memory cache. The bigger the cache, the worse it gets. Just like it takes real cpu cycles and real ram to run swap. The optimum was never even 2x real ram except with systems under 16 MEGS of ram ... dump the swap, you don't need it.)

My hypothesis...

[brennanw]

Linus Torvalds is the Harlan Ellison of Linux.

Ironic

[Kamiza+Ikioi]

But... G+ is a ghost town? Just yesterday, people were saying, oh, gee, why would I even be interested in G+? Now /. is pulling stories directly from there.

Mmm Hmmm...

Re:if Torvalds kid is smart enough to use

[msobkow]

More to the point: if it's the kid's laptop, why don't they already have the root password?

It sounds like "Dad" is being a bit too controlling about the computers in his home, not that the security is excessive.

Re:Geeze, what a drama queen!

[SomePgmr]

Then I'm going to have to start browsing at 0, cause that shit is dead-on.

Re:Remote ejecting

[w_dragon]

If that someone has a valid user name and password, and you leave ssh open on your laptop, sure. Why not?

Printer DoS

[tepples]

Because just because a user has one of 100 shell accounts on a machine shouldn't entitle the user to waste the paper and ink of all the printers connected to the machine.

Re:Printing?

[w_dragon]

The same hill you came up to get here?

I don't understand the problem

[dnaumov]

Installing additional hardware on a computer is most definately a function that SHOULD require administrative priviledges on a computer. Sounds like "working as intended".

Re:I don't understand the problem

[Plekto]

Actually, that's not entirely true. Modern printers usually have a control interface application that tells you how much ink is left and what print options are set and so on. Also, they talk back to the typical application in order to make sure that page settings are correct and that your preview function isn't just it hoping for the best. This is especially true of photo printers, which have a whole set of software running to make sure that your settings are properly calibrated when you scan and/or print.

Working as designed, and in fact, no different than, say, installing a sound card, which has its own software and drivers that go with it. How is the OS supposed to know that it's a legitimate driver and not some virus? I'd rather have it be too careful than take Windows approach of everything is fine unless it hits me upside my head and mugs me.

Besides, bitching about a printer just shows how insular people like him have become after all of these years. Perhaps he should just go buy an IPad and wheel himself into the retirement home.

Re:I don't understand the problem

[Mjlner]

Installing additional hardware on a computer is most definately a function that SHOULD require administrative priviledges on a computer. Sounds like "working as intended".

Except that connecting your computer to a printer is not installing hardware. Root privileges are only there to protect the integrity of the file system and operating system. If you have physical access to the computer, you already have the possibility of smashing it to smithereens, or compromising the security.

There is no reason why a properly implemented printing system should be potentially harmful to the OS. The most dangerous action of installing a printer is connecting the USB cable, which could potentially fry your computer if the hardware is malicious. Requiring root privileges will not protect you against that. After that, a properly implemented printing system is a greater risk to the printer than the OS. Requiring root privileges actually makes the printing system more potentially harmful than it needs to be. Period.

When commenting the opinions of one of The Giants, always think twice before clicking submit. There's the remote chance that they actually *are* smarter than you, no matter what you think.

Re:if Torvalds kid is smart enough to use

[inode_buddha]

Yeah he can be a control freak, but in a way I can't blame him. Can you just imagine how many black hats would like to get into Torvalds home LAN? Consider also that the man is pulling over 250 thousand $$$ per year wouldn't somebody like to sniff his network?

Re:Geeze, what a drama queen!

[Lawrence_Bird]

not only a drama queen but pretty foolish too. A business laptop should be locked down. If a user is going to need certain external hardware than it should require an administrator to verify why and do what ever is required for the install. Basically Linus is saying 'if it is inconvenient it should go!' Instead of moaning he should just use a distro with looser standards and not cry about one that is intentionally secure.

Re:Geeze, what a drama queen!

[gnapster]

A business laptop that is carried five states away to deliver a million-dollar presentation should not have any security barriers that would jepordize that presentation. I would count "Contacting IT back at our headquarters so I can use the WiFi" as just such a barrier.

Clearly, then, this is not the Year of the OpenSUSE desktop.