Package: hpoj Version: 0.91-3 Severity: wishlist Tags: security patch Hi!
Currently the hpoj daemons run as root. This is far too much, they only need the "lp" and "scanner" group privileges. The Ubuntu patch runs hpoj as user "hpojlp" in these groups, which minimizes privileges and potential impact on security vulnerabilities: http://patches.ubuntu.com/patches/hpoj.deroot.diff However, this requires some hotplug magic to modify the permissions of the devices in /proc/bus/usb (everything is included in this patch). Please consider adopting it for Debian. Thanks, Martin hpoj (0.91-3ubuntu3) hoary; urgency=low * scripts/ptal-init.in: Disable creation of permission template for the -like parameter and don't use -like; use -mode 0660 instead. * Make sure that OfficeJet devices are chmod'ed to root:scanner 0660: - Added debian/hpoj.usermap, install to /etc/hotplug/usb/. - Added debian/hpoj.hotplug, install as /etc/hotplug/usb/hpoj. -- Martin Pitt <[EMAIL PROTECTED]> Fri, 11 Feb 2005 14:12:34 +0100 hpoj (0.91-3ubuntu2) hoary; urgency=low * scripts/ptal-init.in: Start the daemons in auxililary group "scanner" to enable scanning functionality, too. -- Martin Pitt <[EMAIL PROTECTED]> Thu, 10 Feb 2005 11:14:11 +0100 hpoj (0.91-3ubuntu1) hoary; urgency=low * debian/postinst: - Remove call to interactive configuration. - Create system user "hpojlp" (with primary group lp). * Added debian/postrm: - Remove system user "hpojlp" on purge. * De-rootification: - Modify ptal-printd to only attempt chown() if it is actually necessary. (Thanks to Matt Zimmerman) - scripts/ptal-init.in: Start processes as hpojlp:lp instead of root:root and modify directory permissions accordingly (Thanks to Matt for this bit). * Added debian/README.Debian: Explain how to call setup program. * debian/rules: Remove apps/xojpanel/Makefile on clean. * (Ubuntu #6000) -- Martin Pitt <[EMAIL PROTECTED]> Thu, 10 Feb 2005 08:57:09 +0100 -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.11 Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Versions of packages hpoj depends on: ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an ii libgcc1 1:3.4.3-6 GCC support library pn libsnmp5 Not found. ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3 pn libusb-0.1-4 Not found. -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian GNU/Linux Developer http://www.debian.org
signature.asc
Description: Digital signature