** Description changed:

+ [Impact]
+ * The directory ~/.hplip/.gnupg is readable by non-root users
+ * This directory contains only public keys, but should still
+   have the permissions changed to 700 for privacy reasons
+ 
+ [Test Case]
+ * Install hplip and run `hp-plugin -i` 
+ * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwxr-xr-x
+ * rm -rf ~/.hplip and install hplip from -proposed
+ * run `hp-plugin -i` again
+ * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwx------
+ 
+ [Regression Potential]
+ * Because of file permissions becoming more restrictive,
+   it is possible that some other hplip binaries would
+   fail to read the .gnupg directory
+ * To ensure this isn't the case, testing should be done
+   on different hplip use-cases to ensure they still
+   function properly
+ 
+ [Original Description]
  Hi,
  
  we have a report in Fedora -
  https://bugzilla.redhat.com/show_bug.cgi?id=1985251 - where Sergey found
  out that ~/.hplip/.gnupg directory has permissions 755 instead of 700.
  Perms 700 prevent accessing the dir by other users, because the dir can
  contain private keys.
  
  However, .gnupg dir contains only a public key used in GPG verification
  of HP plugin, so the matter isn't that critical, but it is good to have
  it fixed.
  
  The patch is attached.

** Patch added: "Jammy debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/1938442/+attachment/5537374/+files/lp1938442_jammy.debdiff

https://bugs.launchpad.net/bugs/1938442

Title:
  Wrong permissions on ~/.hplip/.gnupg

Status in HPLIP:
  New
Status in hplip package in Ubuntu:
  New
Status in Fedora:
  Unknown

Bug description:
  [Impact]
  * The directory ~/.hplip/.gnupg is readable by non-root users
  * This directory contains only public keys, but should still
    have the permissions changed to 700 for privacy reasons

  [Test Case]
  * Install hplip and run `hp-plugin -i` 
  * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwxr-xr-x
  * rm -rf ~/.hplip and install hplip from -proposed
  * run `hp-plugin -i` again
  * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwx------

  [Regression Potential]
  * Because of file permissions becoming more restrictive,
    it is possible that some other hplip binaries would
    fail to read the .gnupg directory
  * To ensure this isn't the case, testing should be done
    on different hplip use-cases to ensure they still
    function properly

  [Original Description]
  Hi,

  we have a report in Fedora -
  https://bugzilla.redhat.com/show_bug.cgi?id=1985251 - where Sergey
  found out that ~/.hplip/.gnupg directory has permissions 755 instead
  of 700. Perms 700 prevent accessing the dir by other users, because
  the dir can contain private keys.

  However, .gnupg dir contains only a public key used in GPG
  verification of HP plugin, so the matter isn't that critical, but it
  is good to have it fixed.

  The patch is attached.
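
The permission check from the test case, done programmatically. This is an added example, not part of the bug report or the attached debdiff; it is in Python because HPLIP is written in Python. The function names are hypothetical, and the directory is a constructed temporary path standing in for ~/.hplip/.gnupg.

```python
import os
import stat
import tempfile

PRIVATE_DIR_MODE = 0o700  # drwx------, the mode the test case expects after the fix


def group_other_bits(path):
    """Return the group/other permission bits set on path (0 means owner-only)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def ensure_private_dir(path):
    """Create path if needed and force it to 0700 regardless of the umask."""
    # os.makedirs(mode=...) is filtered by the process umask and does not
    # touch a directory that already exists, so chmod explicitly afterwards.
    os.makedirs(path, mode=PRIVATE_DIR_MODE, exist_ok=True)
    if os.path.islink(path) or not os.path.isdir(path):
        raise NotADirectoryError(path)
    os.chmod(path, PRIVATE_DIR_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the 755 state in a constructed temp home, then tighten it."""
    with tempfile.TemporaryDirectory() as home:
        gnupg = os.path.join(home, ".hplip", ".gnupg")
        os.makedirs(gnupg)
        os.chmod(gnupg, 0o755)            # state described in the bug report
        before = group_other_bits(gnupg)  # 0o055: group and others can read and list
        after_mode = ensure_private_dir(gnupg)
        return before, after_mode, group_other_bits(gnupg)


if __name__ == "__main__":
    before, mode, after = demo()
    print(f"before: group/other bits {before:03o}; "
          f"after: mode {mode:03o}, group/other bits {after:03o}")
```

The explicit `os.chmod` matters for upgrades: a directory left at 755 by an earlier run stays at 755 unless something tightens it, which is why the test case removes ~/.hplip before re-running `hp-plugin -i`.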
