Package: hpoj
Version: 0.91-3
Severity: wishlist
Tags: security patch

Hi!

Currently the hpoj daemons run as root. This is far too much; they
only need the "lp" and "scanner" group privileges. The Ubuntu patch
runs hpoj as user "hpojlp" in these groups, which minimizes privileges
and the potential impact of security vulnerabilities:

  http://patches.ubuntu.com/patches/hpoj.deroot.diff

However, this requires some hotplug magic to modify the permissions of
the devices in /proc/bus/usb (everything is included in this patch).

Please consider adopting it for Debian.

Thanks,

Martin

hpoj (0.91-3ubuntu3) hoary; urgency=low

  * scripts/ptal-init.in: Disable creation of permission template for the
    -like parameter and don't use -like; use -mode 0660 instead.
  * Make sure that OfficeJet devices are chmod'ed to root:scanner 0660:
    - Added debian/hpoj.usermap, install to /etc/hotplug/usb/.
    - Added debian/hpoj.hotplug, install as /etc/hotplug/usb/hpoj.

 -- Martin Pitt <[EMAIL PROTECTED]>  Fri, 11 Feb 2005 14:12:34 +0100

hpoj (0.91-3ubuntu2) hoary; urgency=low

  * scripts/ptal-init.in: Start the daemons in auxiliary group "scanner" to
    enable scanning functionality, too.

 -- Martin Pitt <[EMAIL PROTECTED]>  Thu, 10 Feb 2005 11:14:11 +0100

hpoj (0.91-3ubuntu1) hoary; urgency=low

  * debian/postinst:
    - Remove call to interactive configuration.
    - Create system user "hpojlp" (with primary group lp).
  * Added debian/postrm:
    - Remove system user "hpojlp" on purge.
  * De-rootification:
    - Modify ptal-printd to only attempt chown() if it is actually necessary.
      (Thanks to Matt Zimmerman)
    - scripts/ptal-init.in: Start processes as hpojlp:lp instead of root:root
      and modify directory permissions accordingly (Thanks to Matt for this
      bit).
  * Added debian/README.Debian: Explain how to call setup program.
  * debian/rules: Remove apps/xojpanel/Makefile on clean.
  * (Ubuntu #6000)

 -- Martin Pitt <[EMAIL PROTECTED]>  Thu, 10 Feb 2005 08:57:09 +0100



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages hpoj depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgcc1                     1:3.4.3-6    GCC support library
pn  libsnmp5                                 Not found.
ii  libstdc++5                  1:3.3.5-8    The GNU Standard C++ Library v3
pn  libusb-0.1-4                             Not found.

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
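
The changelog entry "Modify ptal-printd to only attempt chown() if it is actually necessary" describes a check-before-chown pattern; the following is an added sketch of that pattern, not code from the hpoj patch or from the message above. The names `ensure_owner`, `demo_on_tempfile` and the `OWNER_*` codes are hypothetical, and the use of `lstat()`/`lchown()` (so symlinks are not followed) is an assumption of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for ensure_owner() (illustrative names). */
enum { OWNER_OK = 0, OWNER_CHANGED = 1, OWNER_ERROR = -1 };

/*
 * Make sure `path` is owned by uid:gid, calling lchown() only when the
 * current ownership differs. Pass (uid_t)-1 or (gid_t)-1 to leave that
 * field unchecked, matching chown()'s own convention.
 */
int ensure_owner(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return OWNER_ERROR;

    int uid_ok = (uid == (uid_t)-1) || (st.st_uid == uid);
    int gid_ok = (gid == (gid_t)-1) || (st.st_gid == gid);
    if (uid_ok && gid_ok)
        return OWNER_OK;   /* already correct: no privileged call made */

    /* Ownership really differs. Changing the owner is the step that
     * needs root or CAP_CHOWN; it fails with EPERM without it. */
    if (lchown(path, uid, gid) != 0)
        return OWNER_ERROR;
    return OWNER_CHANGED;
}

/* Constructed sample: a temp file created by the calling user. */
int demo_on_tempfile(void)
{
    char path[] = "/tmp/ensure_owner_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return OWNER_ERROR;
    close(fd);
    int rc = ensure_owner(path, geteuid(), (gid_t)-1);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo_on_tempfile();
    printf("own temp file: %s\n", rc == OWNER_OK ? "no chown needed" : "unexpected");
    return rc == OWNER_OK ? 0 : 1;
}
```
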
