On Tue, 2007-10-23 at 15:37 +0200, Johannes Meixner wrote: > > 1. Made a change to 55-hpmud.rules ... > > I do not understand why there is OWNER="lp" in 55-hpmud.rules. > > When the owner is lp, then any CUPS filter script or backend > can change the permissions as it likes, for example via > http://www.cups.org/str.php?L790 > > With the default MODE="0666" there is not much to change for > a possible attacker but think about that the admin may have > specified a more restrictive mode but forgot to also change > the owner to root. > > To be more on the safe side, I would like to have > OWNER="root", GROUP="lp", MODE="0666" by default for openSUSE.
For a solution to this problem that does not allow arbitrary write access, but instead constrains access to (a) the print spooler and (b) the console user(s), please see my write-up of how we approached HPLIP device permissions for Fedora 8: http://cyberelk.net/tim/2007/10/04/hplip-device-permissions-with-consolekit/ Tim. */
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________ HPLIP-Devel mailing list HPLIP-Devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/hplip-devel