Debian Bug report logs - #298064
hpoj: Please don't run the daemons as root

Package: hpoj; Maintainer for hpoj is (unknown);

Reported by: Martin Pitt <mpitt@debian.org>

Date: Fri, 4 Mar 2005 12:03:10 UTC

Severity: wishlist

Tags: patch, security

Found in version 0.91-3

Fixed in version hpoj/0.91-5

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>:
Bug#298064; Package hpoj.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Mark Purcell <msp@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hpoj: Please don't run the daemons as root
Date: Fri, 4 Mar 2005 12:59:15 +0100
Package: hpoj
Version: 0.91-3
Severity: wishlist
Tags: security patch

Hi!

Currently the hpoj daemons run as root. This is far too much, they
only need the "lp" and "scanner" group privileges. The Ubuntu patch
runs hpoj as user "hpojlp" in these groups, which minimizes privileges
and potential impact on security vulnerabilities:

  http://patches.ubuntu.com/patches/hpoj.deroot.diff

However, this requires some hotplug magic to modify the permissions of
the devices in /proc/bus/usb (everything is included in this patch).

Please consider adopting it for Debian.

Thanks,

Martin

hpoj (0.91-3ubuntu3) hoary; urgency=low

  * scripts/ptal-init.in: Disable creation of permission template for the
    -like parameter and don't use -like; use -mode 0660 instead.
  * Make sure that OfficeJet devices are chmod'ed to root:scanner 0660:
    - Added debian/hpoj.usermap, install to /etc/hotplug/usb/.
    - Added debian/hpoj.hotplug, install as /etc/hotplug/usb/hpoj.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 11 Feb 2005 14:12:34 +0100

hpoj (0.91-3ubuntu2) hoary; urgency=low

  * scripts/ptal-init.in: Start the daemons in auxiliary group "scanner" to
    enable scanning functionality, too.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 10 Feb 2005 11:14:11 +0100

hpoj (0.91-3ubuntu1) hoary; urgency=low

  * debian/postinst:
    - Remove call to interactive configuration.
    - Create system user "hpojlp" (with primary group lp).
  * Added debian/postrm:
    - Remove system user "hpojlp" on purge.
  * De-rootification:
    - Modify ptal-printd to only attempt chown() if it is actually necessary.
      (Thanks to Matt Zimmerman)
    - scripts/ptal-init.in: Start processes as hpojlp:lp instead of root:root
      and modify directory permissions accordingly (Thanks to Matt for this
      bit).
  * Added debian/README.Debian: Explain how to call setup program.
  * debian/rules: Remove apps/xojpanel/Makefile on clean.
  * (Ubuntu #6000)

 -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 10 Feb 2005 08:57:09 +0100



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages hpoj depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgcc1                     1:3.4.3-6    GCC support library
pn  libsnmp5                                 Not found.
ii  libstdc++5                  1:3.3.5-8    The GNU Standard C++ Library v3
pn  libusb-0.1-4                             Not found.

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
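
The changelog item above about ptal-printd attempting chown() only when it is actually necessary, shown as an added example that is not part of the original report and is not hpoj code. The helper name ensure_owner_mode and the temporary file path are hypothetical; the point is that a daemon running as an unprivileged user such as hpojlp keeps working when the path is already set up correctly, because the privileged call is skipped.

```c
/* Added example, not hpoj code: chown/chmod only when something differs. */
#define _GNU_SOURCE   /* O_NOFOLLOW, O_CLOEXEC, mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if path already matched, 1 if it was changed, -1 on error. */
int ensure_owner_mode(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int changed = 0;
    /* Descriptor-based: check and change hit the same inode, no symlinks. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto fail;
    /* An unprivileged chown to another user fails with EPERM, so skip it
     * when owner and group are already right. */
    if (st.st_uid != uid || st.st_gid != gid) {
        if (fchown(fd, uid, gid) < 0)
            goto fail;
        changed = 1;
    }
    if ((st.st_mode & 07777) != mode) {
        if (fchmod(fd, mode) < 0)
            goto fail;
        changed = 1;
    }
    close(fd);
    return changed;
fail:
    close(fd);
    return -1;
}

int main(void)
{
    char path[] = "/tmp/ensure-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    printf("first:  %d\n", ensure_owner_mode(path, geteuid(), getegid(), 0660));
    printf("second: %d\n", ensure_owner_mode(path, geteuid(), getegid(), 0660));
    unlink(path);
    return 0;
}
```
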

Tags added: pending Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org.


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.


Message #12 received at 298064-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 298064-close@bugs.debian.org
Subject: Bug#298064: fixed in hpoj 0.91-5
Date: Sat, 30 Jul 2005 07:32:35 -0700
Source: hpoj
Source-Version: 0.91-5

We believe that the bug you reported is fixed in the latest version of
hpoj, which is due to be installed in the Debian FTP archive:

hpoj-xojpanel_0.91-5_i386.deb
  to pool/main/h/hpoj/hpoj-xojpanel_0.91-5_i386.deb
hpoj_0.91-5.diff.gz
  to pool/main/h/hpoj/hpoj_0.91-5.diff.gz
hpoj_0.91-5.dsc
  to pool/main/h/hpoj/hpoj_0.91-5.dsc
hpoj_0.91-5_i386.deb
  to pool/main/h/hpoj/hpoj_0.91-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298064@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated hpoj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 30 Jul 2005 14:48:38 +0100
Source: hpoj
Binary: hpoj-xojpanel hpoj
Architecture: source i386
Version: 0.91-5
Distribution: unstable
Urgency: low
Maintainer: Mark Purcell <msp@debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 hpoj       - HP OfficeJet Linux driver (hpoj)
 hpoj-xojpanel - HP OfficeJet Linux QT-based LCD panel display
Closes: 298064
Changes: 
 hpoj (0.91-5) unstable; urgency=low
 .
   * Rebuild for C++ ABI migration
   * Sync ubuntu changes, thanks Martin, since they were talking about this
     package in debian-devel :)
     - Closes: #298064: Please don't run the daemons as root
   * Stop conflicting with HPLIP. We are fine as long as the same device is
     NOT being used by HPOJ and HPIJS
   * Update README.Debian to better reflect hplip/README.Debian
   * chmod +x debian/hpoj/usr/bin/hpinklevel
   * Recommends: foomatic-filters
Files: 
 0f0a90bc37dc972e10998d0970ff533a 649 utils optional hpoj_0.91-5.dsc
 dfb2c57d6b2722ecf6a0c2b0a4aa27df 64611 utils optional hpoj_0.91-5.diff.gz
 eff33be4d22c4ec4a64c2a3e40985850 453086 utils optional hpoj_0.91-5_i386.deb
 efa44ca8c755bf45c94a966321376150 58412 utils optional hpoj-xojpanel_0.91-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC64YtoCzanz0IthIRAqWPAKCUtUqTL8ispwRbkoz5+0IUQc1qCgCeJo5n
3afvFMkPY79dLzck4oaALDI=
=jmLv
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jul 2007 07:55:00 GMT)


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:45:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:05:21 2017; Machine Name: buxtehude
