From: Tim W. <tw...@re...> - 2007-10-23 14:19:26
On Tue, 2007-10-23 at 15:37 +0200, Johannes Meixner wrote:
> > 1. Made a change to 55-hpmud.rules ...
>
> I do not understand why there is OWNER="lp" in 55-hpmud.rules.
>
> When the owner is lp, then any CUPS filter script or backend
> can change the permissions as it likes, for example via
> http://www.cups.org/str.php?L790
>
> With the default MODE="0666" there is not much to change for
> a possible attacker but think about that the admin may have
> specified a more restrictive mode but forgot to also change
> the owner to root.
>
> To be more on the safe side, I would like to have
> OWNER="root", GROUP="lp", MODE="0666" by default for openSUSE.

For a solution to this problem that does not allow arbitrary write
access, but instead constrains access to (a) the print spooler and (b)
the console user(s), please see my write-up of how we approached HPLIP
device permissions for Fedora 8:

http://cyberelk.net/tim/2007/10/04/hplip-device-permissions-with-consolekit/

Tim.
*/
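
The concern in the quoted message is that the owner of a device node can change its mode whatever MODE says. The following audit over udev rule text is an added example, not code from this thread or from HPLIP; the sample rules are constructed, and `audit_rules` and `trusted_owners` are hypothetical names.

```python
import re

# One udev match or assignment: KEY (optionally KEY{attr}), operator, "value".
PAIR = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

# Constructed sample rules, not the contents of 55-hpmud.rules.
SAMPLE_RULES = '''\
# HP USB devices (constructed)
SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", OWNER="lp", GROUP="lp", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", OWNER="lp", GROUP="lp", MODE="0660"
SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", OWNER="root", GROUP="lp", MODE="0660"
'''

def audit_rules(text, trusted_owners=("root",)):
    """Return (owner, mode, risk) for rules assigning an untrusted OWNER.

    A process running as OWNER can chmod the node, so MODE only
    constrains processes that do not run as that user.
    """
    findings = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Keep assignments only; "==" and "!=" are match conditions.
        assigned = {k: v for k, op, v in PAIR.findall(line) if op in ("=", ":=")}
        owner = assigned.get("OWNER")
        if owner is None or owner in trusted_owners:
            continue
        mode = assigned.get("MODE")
        if mode is None:
            risk = "no MODE in this rule; owner can still chmod the node"
        elif int(mode, 8) & 0o002:
            risk = "already world-writable; owner gains little"
        else:
            risk = "restrictive MODE can be undone by the owner"
        findings.append((owner, mode, risk))
    return findings

if __name__ == "__main__":
    for owner, mode, risk in audit_rules(SAMPLE_RULES):
        print(f"OWNER={owner} MODE={mode}: {risk}")
```
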