Hi Johannes,

> > HPLIP 2.7.10 - This release has the following changes:
> > 
> >    1. Made a change to 55-hpmud.rules ...
> 
> I do not understand why there is OWNER="lp" in 55-hpmud.rules.
> 
> When the owner is lp, then any CUPS filter script or backend 
> can change the permissions as it likes, for example via 
> http://www.cups.org/str.php?L790
> 
> With the default MODE="0666" there is not much to change for 
> a possible attacker but think about that the admin may have 
> specified a more restrictive mode but forgot to also change 
> the owner to root.
> 
> To be more on the safe side, I would like to have 
> OWNER="root", GROUP="lp", MODE="0666" by default for openSUSE.
> 
> Is there any functionality which does no longer work out of 
> the box if OWNER="root"?

Actually I made the OWNER="lp" change in 2.7.9 not 2.7.10. 

Changing OWNER="lp" to OWNER="root" is a valid change. The only reason I
changed it was I thought OWNER="lp" would be more secure than
OWNER="root" with MODE="0666".    

I don't claim to be a security expert, but if OWNER="root" is not a
problem I would be happy to change it.

> For MODE="0666" the crucial question is whether or not it is 
> possible that another user (e.g. someone who is logged in 
> from remote) can somehow eavesdrop when a (confidential) 
> document is printed or scanned.
> 
> Is eavesdropping somehow possible with MODE="0666"?

Given only one process can claim the USB interface for reading or
writing, and claiming the interface is arbitrated by the kernel, I would
say no other process could snoop the print job or scan job.

Setting the permissions to MODE="0666" is strictly the default for hplip
tar ball install. We have a lot of customers performing the tar ball
install so this makes it much easier from a customer support standpoint
with all the different distributions. 

I would be glad to support a less permissive user policy with "resmgr"
or "ConsoleKit", but these are Suse and Fedora specific solutions
(right?). So for now I'm happy to let you set your own user policies in
your binary packages.

I will let Raghu answer your hpijs ZJStream questions.

-dave
 
> >   17. Added support for the following new printer(s):
> ...
> > - HP LaserJet 1018 (LJZjsMono w/plug-in)
> > - HP LaserJet 1020 (LJZjsMono w/plug-in)
> > - HP LaserJet 1022 (LJZjsMono w/plug-in)
> > - HP LaserJet 1022n (LJZjsMono w/plug-in)
> > - HP LaserJet 1022nw (LJZjsMono w/plug-in)
> 
> For openSUSE I provide only HPIJS as package hpijs-standalone.
> Currently this package contains only /usr/bin/hpijs and some 
> documentation.
> 
> I build it via
> ------------------------------------------------------------
> ./configure --prefix=/usr \
>             --libdir=%_libdir \
>             --disable-foomatic-xml-install \
>             --disable-foomatic-ppd-install \
>             --disable-doc-build \
>             --enable-hpijs-only-build
> make
> ------------------------------------------------------------
> 
> Assume the user has a ZJStream printer and he has somehow 
> manually downloaded the necessary plug-in.
> 
> Would then the plain /usr/bin/hpijs work for his ZJStream printer?
> 
> I.e. would the plain /usr/bin/hpijs automatically find his 
> plug-in and use it or is additional software needed and in 
> case of the latter which additional software from HPLIP is needed?
> 
> 
> By the way:
> There is nothing about the new LJZjsMono device class at 
> http://hplip.sourceforge.net/tech_docs/device_classes.html
> or about the new plug-in mechanism at
> http://hplip.sourceforge.net/tech_docs/hpijs.html
> 
> 
> Kind Regards
> Johannes Meixner

_______________________________________________
HPLIP-Devel mailing list
HPLIP-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hplip-devel
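
An added example, not part of the original thread or of HPLIP: a small audit of udev rule assignments for the case raised above, where a non-root OWNER can chmod the device node and so undo a more restrictive MODE. The sample rules are constructed, their match keys are assumptions, and the finding names are hypothetical.

```python
import re

# Constructed sample; match keys are assumptions, OWNER/GROUP/MODE values are from the thread.
SAMPLE_RULES = r'''
# constructed sample, not the shipped rules file
SUBSYSTEM=="usb", ATTRS{idVendor}=="03f0", OWNER="lp", GROUP="lp", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="03f0", OWNER="lp", \
    GROUP="lp", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="03f0", OWNER="root", GROUP="lp", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="03f0", OWNER="root", GROUP="lp", MODE="0660"
'''

# Assignments only ("=" or ":="); "==" and "!=" are match operators.
ASSIGN = re.compile(r'(?<![A-Za-z_])(OWNER|GROUP|MODE)\s*:?=\s*"([^"]*)"')

def logical_lines(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        rule = (buf + raw).strip()
        if rule and not rule.startswith("#"):
            yield start, rule
        buf, start = "", None

def audit(text):
    """Return {line_number: [finding, ...]} for rules worth a second look."""
    report = {}
    for no, rule in logical_lines(text):
        attrs = dict(ASSIGN.findall(rule))
        owner = attrs.get("OWNER", "root")  # udev creates nodes owned by root by default
        mode = int(attrs["MODE"], 8) if "MODE" in attrs else None
        found = []
        if owner not in ("root", "0"):
            # The owning account can chmod the node, so MODE does not bind it.
            found.append("owner-can-chmod")
            if mode is not None and (mode & 0o006) != 0o006:
                found.append("restrictive-mode-not-enforced")
        if mode is not None and (mode & 0o006):
            found.append("world-accessible")
        if found:
            report[no] = found
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```
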
