hp-config_usb_printer can result in spooky popups for wrong user

Bug #1221348 reported by Johannes Meixner on 2013-09-05
This bug affects 1 person
Affects: HPLIP
Importance: Undecided
Assigned to: Unassigned

Bug Description

I run hplip-3.13.8 RPMs made by the openSUSE build service
on my openSUSE 12.3 32-bit virtual machine
with a HP LaserJet 1020 connected via USB.

I am logged in there as normal user "johannes"
running a graphical desktop.

Additionally I am logged in from a remote host
via ssh as root on that openSUSE 12.3 system.

On the remote host in the ssh session I did the following:
=======================================================
# lsusb
...
Bus 001 Device 009: ID 03f0:2b17 Hewlett-Packard LaserJet 1020

# rm -r /usr/share/hplip/fax/plugins /usr/share/hplip/scan/plugins \
 /usr/share/hplip/data/firmware /usr/share/hplip/data/plugins \
 /usr/share/hplip/prnt/plugins

# rm /var/lib/hp/hplip.state

# hp-config_usb_printer 001:009
HP Device Plug-in is not found
hp-firmware -y3 -s 001:009
warning: Failed to download firmware to hp:/usb/HP_LaserJet_1020?serial=JL50HRE device

# lpstat -p
printer HP_LaserJet_1020 is idle. enabled since Thu 05 Sep 2013 18:58:00 CEST
=======================================================

I now have a new print queue, but it cannot work
because it neither downloaded and installed the
required plugin nor uploaded the firmware
into the printer.

The interesting thing is that hp-config_usb_printer
triggers popups that are shown on the
graphical desktop for the normal user "johannes".

The first popup has title
"HP Device Manager - Plug-in Installer"
and tells about a required plugin installation.

When I as normal user "johannes" click [Next]
in that popup I am asked for the root password.
There is a "_Details" tag and when I click it, it shows:
"Command: hp-plugin -u --required --reason 0 To_install_plugin_for_HP_Device"

Assume as normal user "johannes" I don't know
the root password so that I click [Cancel].

That shows another "HP Device Manager - Plug-in Installer"
popup that reads: "Failed to install Plug-in ... [OK]"

Clicking that [OK] finally puts an end to the apparition.

The correct way would be for hp-config_usb_printer
to ask the user who launched it for plugin download
and installation and firmware upload.

Decoupling plugin download and installation and firmware upload
from the program that was initially started results in that bad behaviour.

Assume it is not a single user home system but in a
business environment a workstation where a normal user
is currently working while an admin logs in from remote
to do administrative tasks.

Hi Johannes Meixner,

The hp-config_usb_printer script is mainly to initialize the device and handle the issues using udev. This script is for internal use but not public tool for administrative tasks.

Please use "hp-setup" to set up the new device, and use "hp-doctor" to diagnose problems on the existing queues.

Thanks & Regards,
Amarnath

Johannes Meixner (jsmeix) wrote :

Hello Amarnath Chitumalla,

from how hp-config_usb_printer behaves I already thought that it is probably meant
only as an internal tool for HPLIP.

But at least in hplip-3.13.8 (I am currently working on the upgrade to hplip-3.13.9)
"hp-config_usb_printer -h" shows:
====================================================================
Detects HP printers connected using USB and installs HPLIP printers and faxes
in the CUPS spooler. Tries to automatically determine the correct PPD file to use.
====================================================================

Nothing in "hp-config_usb_printer -h" says that it is "for internal use but not
public tool for administrative tasks".

Because I am a "good admin" I had read "hp-config_usb_printer -h" carefully
before I did run it ;-)

I.e. the first issue is that it is not properly documented.

The second (more severe) issue is that hp-config_usb_printer
is executable by any user as /usr/bin/hp-config_usb_printer
(which is a link that points to ../share/hplip/config_usb_printer.py).

The Filesystem Hierarchy Standard (FHS) says about /usr/bin/
http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRBINMOSTUSERCOMMANDS
====================================================================
/usr/bin : Most user commands
Purpose
This is the primary directory of executable commands on the system.
====================================================================

Accordingly /usr/bin/hp-config_usb_printer is meant to be a command
that can be called by any user.

If hp-config_usb_printer were meant to be a command only for admins,
it should be /usr/sbin/hp-config_usb_printer according to FHS
http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRSBINNONESSENTIALSTANDARDSYSTEMBI
====================================================================
/usr/sbin : Non-essential standard system binaries
Purpose
This directory contains any non-essential binaries used exclusively
by the system administrator.
System administration programs that are required for system repair,
system recovery, mounting /usr, or other essential functions must
be placed in /sbin instead.
====================================================================

But if hp-config_usb_printer is an internal executable for HPLIP,
it should not be in a standard "bin" directory at all (i.e. a directory
that is usually in $PATH).
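
The check below is an added example, not part of the original report or of HPLIP: a shell function that lists commands in a PATH directory which are only symlinks into a package-private directory (the layout the last comment describes for /usr/bin/hp-config_usb_printer) and reports whether the link target has the execute bit set for all users. The sample tree and the names hp-example_internal and realtool are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not HPLIP code. Lists symlinks in BIN_DIR that resolve into
# PRIVATE_DIR and reports whether the target has the "other" execute bit set.
audit_private_links() {
    bin_dir=$1
    private_dir=$(readlink -f "$2") || return 1
    for link in "$bin_dir"/*; do
        [ -L "$link" ] || continue                  # regular files are real commands
        target=$(readlink -f "$link") || continue
        [ -e "$target" ] || continue                # skip dangling links
        case $target in
            "$private_dir"/*) ;;                    # lands in the private tree
            *) continue ;;
        esac
        if [ -n "$(find "$target" -prune -perm -0001 -print)" ]; then
            access=world-executable
        else
            access=restricted
        fi
        printf '%s -> %s [%s]\n' "${link##*/}" "$target" "$access"
    done
}

# Constructed sample tree (assumption: mirrors the link layout quoted above;
# hp-example_internal and realtool are made-up names). Prints the tree root.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/share/hplip"
    for f in config_usb_printer.py example_internal.py; do
        printf '#!/bin/sh\n' > "$root/usr/share/hplip/$f"
    done
    chmod 755 "$root/usr/share/hplip/config_usb_printer.py"
    chmod 750 "$root/usr/share/hplip/example_internal.py"
    ln -s ../share/hplip/config_usb_printer.py "$root/usr/bin/hp-config_usb_printer"
    ln -s ../share/hplip/example_internal.py "$root/usr/bin/hp-example_internal"
    printf '#!/bin/sh\n' > "$root/usr/bin/realtool"
    chmod 755 "$root/usr/bin/realtool"
    printf '%s\n' "$root"
}

tree=$(demo_tree)
audit_private_links "$tree/usr/bin" "$tree/usr/share/hplip"
rm -rf "$tree"
```

On an installed system the same function can be pointed at /usr/bin and /usr/share/hplip to see which internal scripts are reachable through $PATH.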
