Sanjay,
I wished there were comments in the HPLIP code which tell
how the stuff is meant (i.e. what the purpose and idea behind is).
Because I don't know for sure what the purpose and idea behind is
I can only make assumptions according to how I understand the code.
Based on these assumptions I think the following:
From my point of view "/tmp/hpcupsfax.out" is not meant
as a temporary file but as output file for debugging purpose
which (unfortunately) exists in a directory (/tmp)
where any user can create a symbolic link like for example
/tmp/hpcupsfax.out -> /etc/passwd
and then when
system ("chmod 666 /tmp/hpcupsfax.out")
would be run as root (I don't know under which user it runs)
it would do an evil thing.
When "/tmp/hpcupsfax.out" is meant as output file for debugging purpose
it would be not nice when the debugging output file name is not
a fixed name which is known in advance but instead it would be some
secure but awkward "mktemp" name like /tmp/hpcupsfax.out.XXXXXXXXXX
When "/tmp/hpcupsfax.out" is meant as output file for debugging purpose
I think it should be o.k. to remove an existing file or symbolic link
with this name via something like:
    if (iLogLevel & SAVE_PCL_FILE)
    {
        if (system ("rm -f /tmp/hpcupsfax.out"))
        {
            return 1;
        }
        fp = fopen ("/tmp/hpcupsfax.out", "w");
        system ("chmod 666 /tmp/hpcupsfax.out");
    }
But because of the sticky bit in the /tmp/ directory
"rm -f /tmp/hpcupsfax.out" works only for root and for the user
who had created /tmp/hpcupsfax.out
I think this could be o.k. because when the stuff is run as root
it would enforce "the right thing" and when it is run as non-root
it would do "the right thing" when /tmp/hpcupsfax.out from
the same user already exists and otherwise it would return
something like a "failed" state as far as I guess the meaning
of "return 1" in prnt/hpijs/hpcupsfax.cpp
But I am not a security expert to finally decide about it.
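
The approach discussed above (keep the fixed name, remove whatever is there, then create the file), as an added example that is not HPLIP code and not part of the original comment. It uses system calls instead of system(), so the symlink is removed rather than followed and the mode is set on the open descriptor instead of the path; the function name open_debug_file is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a fixed-name debug file without following a
 * symlink planted at that name. Returns NULL on failure, which the caller
 * can map to the "return 1" failed state. */
FILE *open_debug_file(const char *path)
{
    /* unlink() removes the directory entry itself, never a link target.
     * In a sticky directory it fails for entries owned by another user
     * unless we are root; that is the "failed" case from the comment. */
    if (unlink(path) != 0 && errno != ENOENT)
        return NULL;

    /* O_CREAT|O_EXCL fails if anything was re-created at this name between
     * unlink() and open(), including a symlink. O_NOFOLLOW is redundant
     * here but documents the intent. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;

    /* Same 666 mode as the original code, but applied to the descriptor
     * we just created, so a name swapped in later cannot redirect it. */
    if (fchmod(fd, 0666) != 0) {
        close(fd);
        return NULL;
    }

    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

int main(void)
{
    FILE *fp = open_debug_file("/tmp/hpcupsfax.out");
    if (fp == NULL) {
        perror("open_debug_file");
        return 1;
    }
    fputs("debug output\n", fp);
    return fclose(fp) != 0;
}
```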