Ubuntu
hplip package

Wrong permissions on ~/.hplip/.gnupg

Bug #1938442 reported by zdohnal
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
hplip (Ubuntu)
Won't Fix
Low
Till Kamppeter
Bionic
Won't Fix
Low
William Wilson
Focal
Won't Fix
Low
William Wilson
Hirsute
Won't Fix
Low
Unassigned
Impish
Won't Fix
Low
William Wilson
Jammy
Won't Fix
Low
Till Kamppeter

Bug Description

[Impact]
* The directory ~/.hplip/.gnupg is readable by non-root users
* This directory contains only public keys, but should still
  have the permissions changed to 700 for privacy reasons

[Test Case]
* Install hplip and run `hp-plugin -i`
* ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwxr-xr-x
* rm -rf ~/.hplip and install hplip from -proposed
* run `hp-plugin -i` again
* ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwx------

[Regression Potential]
* Because of file permissions becoming more restrictive,
  it is possible that some other hplip binaries would
  fail to read the .gnupg directory
* To ensure this isn't the case, testing should be done
  on different hplip use-cases to ensure they still
  function properly

[Original Description]
Hi,

we have a report in Fedora - https://bugzilla.redhat.com/show_bug.cgi?id=1985251 - where Sergey found out that ~/.hplip/.gnupg directory has permissions 755 instead of 700. Perms 700 prevent accessing the dir by other users, because the dir can contain private keys.

However, .gnupg dir contains only a public key used in GPG verification of HP plugin, so the matter isn't that critical, but it is good to have it fixed.

The patch is attached.

See original description
Tags: patch
Revision history for this message
zdohnal (zdohnal) wrote :
Revision history for this message
zdohnal (zdohnal) wrote :

Ubuntu 20.04 is affected too.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Proposed patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
William Wilson (jawn-smith) wrote :
description: updated
Revision history for this message
William Wilson (jawn-smith) wrote :
Revision history for this message
William Wilson (jawn-smith) wrote :
Revision history for this message
William Wilson (jawn-smith) wrote :
Revision history for this message
Sebastien Bacher (seb128) wrote :

Hey Till, could you review the sponsoring request?

Changed in hplip (Ubuntu):
assignee: nobody → Till Kamppeter (till-kamppeter)
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

The public GPG keys here are only to check the integrity of a downloaded proprietary plugin, to prevent that someone could make HPLIP download and install a fake, malware plugin. HPLIP does not load such a key as long as the user does not try to download the plugin and HPLIP dos also not do any other downloads from the internet. The keys are actually only HP's public keys. No keys of the user are stored under ~/.hplip. So wrong permissions should be harmless here.

So what you should do for testing is whether you can still download the proprietary plugin with the stricter permissions (with your patch). If it still works, the stricter permissions could be generally used, but as the keys are only public keys from HP, the stricter permissions are not actually needed.

If my assumptions are correct, I do not see a security issue here.

Can someone from HP tell whether I am right?

Revision history for this message
William Wilson (jawn-smith) wrote :

Reupload to fix s/hplib/hplip/ typo in changelog

Revision history for this message
William Wilson (jawn-smith) wrote :

Reupload to fix s/hplib/hplip/ typo in changelog

Till Kamppeter (till-kamppeter)
Changed in hplip (Ubuntu):
milestone: none → impish-updates
milestone: impish-updates → focal-updates
Changed in hplip (Ubuntu Jammy):
milestone: focal-updates → none
Mathew Hodson (mhodson)
Changed in fedora:
importance: Unknown → Undecided
status: Unknown → New
affects: fedora → ubuntu-translations
no longer affects: ubuntu-translations
affects: hplip → ubuntu-translations
no longer affects: ubuntu-translations
Mathew Hodson (mhodson)
Changed in hplip (Ubuntu Bionic):
importance: Undecided → Low
Changed in hplip (Ubuntu Focal):
importance: Undecided → Low
Changed in hplip (Ubuntu Hirsute):
importance: Undecided → Low
Changed in hplip (Ubuntu Impish):
importance: Undecided → Low
Changed in hplip (Ubuntu Jammy):
importance: Undecided → Low
Sebastien Bacher (seb128)
Changed in hplip (Ubuntu Hirsute):
status: New → Won't Fix
Changed in hplip (Ubuntu Impish):
assignee: nobody → William Wilson (jawn-smith)
Changed in hplip (Ubuntu Focal):
assignee: nobody → William Wilson (jawn-smith)
Changed in hplip (Ubuntu Bionic):
assignee: nobody → William Wilson (jawn-smith)
Revision history for this message
Sebastien Bacher (seb128) wrote :

@William, you should be able to upload yourself now right?

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Thorsten, could you also update the Debian package appropriately? And once one it, update to 3.21.10? Thanks.

Revision history for this message
Thorsten Alteholz (alteholz) wrote : Re: [Bug 1938442] Re: Wrong permissions on ~/.hplip/.gnupg

Hi Till,

On Thu, 9 Dec 2021, Till Kamppeter wrote:

> Thorsten, could you also update the Debian package appropriately? And
> once one it, update to 3.21.10? Thanks.

I don't know why someone has a problem with the permissions of a directory
containing public keys. At least the permissions of ~ should prevent
world to access the directory. From my point of view the status of this
bug in Hirsute and Fedora is the way to go ...

   Thorsten

Revision history for this message
Sebastien Bacher (seb128) wrote :

The previous explanation suggests that's not really an issue and not worth stable update so I'm going to wontfix,

William, those tasks were assigned to you so feel free to reopen and upload anyway if you feel like it's worth doing but in the current state it seems like that wasn't enough of a priority to get worked on

Till, we might still want to change the default for futur upload even if it's minor?

Changed in hplip (Ubuntu Bionic):
status: New → Won't Fix
Changed in hplip (Ubuntu Focal):
status: New → Won't Fix
Changed in hplip (Ubuntu Impish):
status: New → Won't Fix
Revision history for this message
Julian Andres Klode (juliank) wrote :

This doesn't appear worth shipping a patch for downstream either, so I am going to unsubscribe Ubuntu Sponsors and mark it Won't fix.

Changed in hplip (Ubuntu Jammy):
status: New → Won't Fix
Changed in hplip (Ubuntu):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.