[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#452705: marked as done (hplip: postinst updates arbitrary home files with priviledge escalation)

Your message dated Mon, 2 Jun 2008 22:43:23 +1000
with message-id <200806022243.36763.msp@debian.org>
and subject line fixed in package hplip - 2.8.2-0ubuntu2
has caused the Debian Bug report #452705,
regarding hplip: postinst updates arbitrary home files with priviledge escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
452705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: hplip
Version: 2.7.10-1
Tags: security
Severity: important

The postinst does this:

+       # Correct ownership of personal HPLIP config files of the users
+       # (in older HPLIP versions hp-setup created these files with root
+       #  permissions and made hp-toolbox crashing)
+       for line in `cat /etc/passwd | sed -e 's/ //g'`; do
+               user=`echo $line | cut -d : -f 1`;
+               homedir=`echo $line | cut -d : -f 6`;
+               [ -d $homedir ] && \
+                   find $homedir -maxdepth 1 -not -user $user -name .hplip* \
+                   -exec chown $user '{}' \; 2>/dev/null || :
+       done

This is really too fragile.  Even if you remove the need for the sed
by shell quoting and check if the original owner matched what's
expected, it still tries to chown files in an arbitrarily-large number
of paths (silently).  The .hplip* should be quoted, and I suspect the
chown should do chown $user:$user.

Worse, the "chown" argument will follow symbolic links, allowing users
to gain ownership of an arbitrary number of files.

I think instead you should 0) get rid of this postinst; 1) fix
hp-toolbox; 2) alert the admin about this, either with an NEWS.Debian
or with a debconf prompt; and, 3) warn the user at runtime if this
situation is detected (ssh does this).

Conceivably you could even try to fix it (copy, unlink, rename).
However that's not always guaranteed to work (if the file is
unreadable) so it's perhaps best to keep the functional changes to a
minimum and rely more on the documentation.

--- End Message ---
--- Begin Message --- 
Version: 2.8.2-1

https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/191299

This bug was fixed in the package hplip - 2.8.2-0ubuntu2
---------------
 hplip (2.8.2-0ubuntu2) hardy; urgency=low
  [ Till Kamppeter ]
   * debian/rules: Install the new fax PPD file for color fax devices
     (currently only HP LaserJet M2727 series, Ubuntu LP: #59409).
   * debian/hplip.postinst: Fix PPD paths in /etc/hp/hplip.conf, so that
     hp-setup finds the fax PPDs (Ubuntu LP: #59409).
   * debian/hplip.postinst: Removed code to correct permissions of .hplip
     personal config in user's home directories (Ubuntu LP: #191299).
  [ Mark Purcell ]
   * Added NEWS/ README entry about the need to use 'scanner' group
     - Non-root users need to be in group scanner! (Closes: #454339)
     - should use plugdev rather than scanner group (Closes: #452454)
     - sane-utils: Scanner only accessible under root (Closes: #462563)
   * Force (-f) removal of init.d scripts
     - Uses update-rc.d remove while init script exists; upgrade fails
     (Closes: #456378)
 -- Till Kamppeter <till.kamppeter@gmail.com> Tue, 26 Feb 2008 10:08:52 +0100

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
Reply to: