Bad PrivateTmp=true workaround
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| HPLIP | Fix Released | Undecided | Unassigned | |
| Arch Linux | New | Undecided | Tom E. Gundersen | |
Bug Description
In HPLIP-3.12.6, hpfax has this:
# REVISIT:
tmp_dir = '/tmp'
Cups_
if os.path.
cmd="grep PrivateTmp=true %s"%Cups_
sts, out = utils.run(cmd)
if sts == 0:
    tmp_dir = '/var/log/hp'
This is wrong. Firstly, /usr/lib/
Besides, why not just use an HPLIP-private directory regardless of whether PrivateTmp is in use in CUPS? Why try to create a predictable filename in /tmp (and thus expose yourself to a denial of service by someone already having created them all), when you can just as easily use your own directory?
I'd suggest something like /var/run/hp.
Even better, since this is all in order to send a D-Bus message with data, why not change the D-Bus API so that a file descriptor is passed directly to the D-Bus service? (See e.g. colord or printerd for an example of this.)
In 3.12.11 it's even worse: now /var/log/hp and /var/log/hp/tmp are both world-writeable! That's really bad news. Any user can now e.g. delete files they don't own, etc.
Please don't use temporary directories for transferring files between different contexts. For the fax service, D-Bus is able to transfer files in method calls (by passing file descriptors) and this is a much better way of doing it than (a) writing to predictable filenames and risking symlink attacks, or (b) leaving world-writeable directories around tempting DoS attacks.
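The two patterns the report contrasts, as an added Python example that is not HPLIP's code and not part of the original report: a guessable name in a directory other users can write to, hijacked by a pre-planted symlink; the same open refused by O_CREAT|O_EXCL|O_NOFOLLOW in a directory private to the daemon; a check that rejects a world-writable directory such as the /var/log/hp described above; and handing the open descriptor to the other side over a Unix socket with SCM_RIGHTS, the mechanism underneath D-Bus file-descriptor passing, so that no path is shared at all. The `hpfax_<n>` naming, the directories, the victim file and the payload are constructed for the demonstration; `socket.send_fds`/`socket.recv_fds` need Python 3.9 or later on a Unix system.

```python
import os
import socket
import stat
import tempfile


def predictable_open(shared_dir, job_id):
    """The pattern the report objects to: a guessable name (hypothetical
    'hpfax_<n>', not HPLIP's real naming) in a directory other users can
    write to, opened without O_EXCL/O_NOFOLLOW, so a symlink planted at that
    name is silently followed and the victim file is overwritten."""
    path = os.path.join(shared_dir, "hpfax_%d" % job_id)
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), path


def safe_open(private_dir, job_id):
    """Hardened form: O_EXCL makes open(2) fail with EEXIST if anything,
    file or symlink, already sits at the path; O_NOFOLLOW refuses symlinks
    independently. A planted entry becomes a loggable error, not a hijack."""
    path = os.path.join(private_dir, "hpfax_%d" % job_id)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600), path


def dir_is_private(path):
    """True only if the directory is owned by the calling user and writable by
    nobody else; a world-writable /var/log/hp fails this check."""
    st = os.stat(path)
    others_can_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == os.geteuid() and not others_can_write


def hand_over_fd(fd, control=b"fax"):
    """Move an open descriptor to the other end of a Unix socket (SCM_RIGHTS),
    which is what D-Bus does for 'h' (file descriptor) arguments. The receiver
    gets its own fd for the same open file and never learns a path, so there
    is nothing for a third party to pre-create, replace or delete."""
    ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with ours, theirs:
        socket.send_fds(ours, [control], [fd])
        data, fds, _flags, _addr = socket.recv_fds(theirs, 1024, 1)
    return data, fds[0]


def demo():
    """Run all three scenarios in a scratch tree and return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.txt")      # constructed victim file
        with open(victim, "w") as f:
            f.write("precious")

        # 1. Shared, world-writable, non-sticky directory (stand-in for the
        #    /var/log/hp described in the report); the attacker plants a
        #    symlink at the name the next fax job will use.
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)                         # chmod ignores umask
        os.symlink(victim, os.path.join(shared, "hpfax_1"))
        fd, _ = predictable_open(shared, 1)
        os.write(fd, b"FAXDATA")
        os.close(fd)
        with open(victim) as f:
            results["victim_clobbered"] = f.read() == "FAXDATA"

        # 2. Private directory plus O_EXCL|O_NOFOLLOW: the same planted
        #    symlink now produces FileExistsError instead of a hijacked write.
        private = os.path.join(base, "hp")
        os.mkdir(private, 0o700)
        results["private_dir_ok"] = dir_is_private(private)
        results["shared_dir_ok"] = dir_is_private(shared)
        os.symlink(victim, os.path.join(private, "hpfax_2"))
        try:
            safe_open(private, 2)
            results["planted_entry_blocked"] = False
        except FileExistsError:
            results["planted_entry_blocked"] = True

        # 3. Pass the descriptor, not the path. The sender can even unlink the
        #    file before the receiver looks; the receiver still reads it.
        fd, path = tempfile.mkstemp(dir=private)        # unpredictable name
        os.write(fd, b"FAXDATA")
        os.unlink(path)
        data, received = hand_over_fd(fd)
        os.close(fd)
        os.lseek(received, 0, os.SEEK_SET)              # shared file offset
        results["receiver_read"] = os.read(received, 1024)
        os.close(received)
        results["control"] = data
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The symlink in scenario 1 is followed because the directory is world-writable but not sticky, so the kernel's protected_symlinks restriction (which only covers sticky world-writable directories like /tmp) does not apply; a sticky bit would stop the symlink but not the pre-creation denial of service the report also describes, which is why a directory private to the service, or no shared path at all, is the real fix.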