Changes ownership of root directory to hplip:lp

Bug #191299 reported by Matt Zimmerman on 2008-02-12
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
hplip (Ubuntu) | | High | Till Kamppeter |
Gutsy | | Undecided | Unassigned |

Bug Description

Binary package hint: hplip

I noticed that my root directory had incorrect ownership:

mizar:[~] ls -ld /
drwxr-xr-x 22 hplip lp 4096 2008-01-14 12:25 /
mizar:[~] stat /
  File: `/'
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 2 Links: 22
Access: (0755/drwxr-xr-x) Uid: ( 108/ hplip) Gid: ( 7/ lp)
Access: 2008-01-14 12:32:01.000000000 +0000
Modify: 2008-01-14 12:25:19.000000000 +0000
Change: 2008-01-14 12:25:19.000000000 +0000

I'm only guessing that hplip is at fault, but it seems a good place to start.

Matt Zimmerman (mdz) wrote :

This looks rather fragile...

        # Correct ownership of personal HPLIP config files of the users
        # (in older HPLIP versions hp-setup created these files with root
        # permissions and made hp-toolbox crashing)
        for line in `cat /etc/passwd | sed -e 's/ //g'`; do
                user=`echo $line | cut -d : -f 1`;
                homedir=`echo $line | cut -d : -f 6`;
                [ -d $homedir ] && \
                    find $homedir -maxdepth 1 -not -user $user -name .hplip* \
                    -exec chown $user '{}' \; 2>/dev/null || :
        done

Till Kamppeter (till-kamppeter) wrote :

Matt, this piece of code cannot change the ownerships and permissions of /, as it only modifies files which fit the mask .hplip*/

Matt, and anyone else who suffers this bug, please restore the ownerships and permissions of the root directory manually (root.root 755) and then install the newest HPLIP package (or do simply an auto update on your system, new HPLIP version is 2.8.2-0ubuntu1).

Do the ownerships and permissions of / change again?

On Wed, Feb 13, 2008 at 10:38:58PM -0000, Till Kamppeter wrote:
> Matt, this piece of code cannot change the ownerships and permissions of
> /, as it only modifies files which fit the mask .hplip*/

There are a few problems with that code.

1. It's modifying data in user home directories. Package maintainer scripts
should avoid doing this, because mistakes could damage user data, it's very
difficult to do correctly, and on some systems, there may be tens of
thousands of home directories on a remote server somewhere, which may not
even be accessible.

2. It's also attempting to do this for system users (including root!) which
is even worse, since modifying these home directories can catastrophically
damage the system.

3. It's reading /etc/passwd to get account data. This means that it doesn't
actually find all of the user accounts, because they might be in a database
(but it certainly does find the system ones)

4. The parser is buggy: it doesn't do proper shell quoting. What happens
if the line in /etc/passwd has shell metacharacters in it, like *?

$ line='user:x:123:123:Hello * World:/home/user:/bin/bash'
$ echo $line
user:x:123:123:Hello Desktop Documents Maildir Music PDF Photos Pictures Public Templates Videos public_html src temp texmf World:/home/user:/bin/bash

5. The find command is buggy: it doesn't quote properly either. What
happens if I happen to run apt-get upgrade from a directory which contains a
file called ".hplip"?

6. It ignores errors. If something did go wrong when this code (or an
earlier version of it) ran, I would have never noticed it until I happened
to come across the damage in my filesystem (as I now have).

> Matt, and anyone else who suffers this bug, please restore the
> ownerships and permissions of the root directory manually (root.root
> 755) and then install the newest HPLIP package (or do simply an auto
> update on your system, new HPLIP version is 2.8.2-0ubuntu1).
>
> Do the ownerships and permissions of / change again?

No, I am not able to reproduce the conditions this way, but with all of the
variables involved (including the state of the filesystem and the current
working directory), this doesn't tell us very much.

Regardless of whether or not it can be found to be the root cause of this
particular bug, the code I quoted should be removed from hplip.postinst.

--
 - mdz
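
Points 4 and 5 of the message above, reproduced in a throwaway directory as an added example; it is not part of the original thread or of hplip.postinst. The sandbox layout, file names and function names are constructed for illustration, and nothing is chowned: the script only reports what the unquoted and quoted forms see.

```shell
#!/bin/sh
# Added example: quoting defects 4 and 5, shown on constructed sample data.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir "$SANDBOX/cwd" "$SANDBOX/home"
touch "$SANDBOX/cwd/Desktop" "$SANDBOX/cwd/.hplip"            # stray files in the cwd
touch "$SANDBOX/home/.hplip.conf" "$SANDBOX/home/.hplip-old"  # files find should match

# Constructed passwd-style line, same shape as the one in the message.
LINE='user:x:123:123:Hello * World:/home/user:/bin/bash'

# Point 4, postinst style: unquoted $LINE is word-split and globbed
# against the current directory before cut ever sees it.
gecos_unquoted() (
    cd "$SANDBOX/cwd" && echo $LINE | cut -d : -f 5
)

# Quoted parse: read splits on ':' only and does no pathname expansion.
gecos_quoted() {
    printf '%s\n' "$LINE" |
    while IFS=: read -r _user _pw _uid _gid gecos _home _shell; do
        printf '%s\n' "$gecos"
    done
}

# Point 5, postinst style: the shell expands .hplip* against the cwd,
# so find is asked for the literal name ".hplip" and misses both files.
count_unquoted() (
    cd "$SANDBOX/cwd" &&
    find "$SANDBOX/home" -maxdepth 1 -name .hplip* | wc -l | tr -d ' '
)

# Quoted pattern reaches find intact and matches both sample files.
count_quoted() (
    cd "$SANDBOX/cwd" &&
    find "$SANDBOX/home" -maxdepth 1 -name '.hplip*' | wc -l | tr -d ' '
)

echo "GECOS unquoted: $(gecos_unquoted)"
echo "GECOS quoted:   $(gecos_quoted)"
echo "find matches, unquoted pattern: $(count_unquoted)"
echo "find matches, quoted pattern:   $(count_quoted)"
```

With two or more `.hplip*` entries in the working directory the unquoted pattern expands to several arguments and find exits with a usage error instead, which the original `2>/dev/null || :` would hide (point 6).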

Changed in hplip:
assignee: nobody → till-kamppeter
importance: Undecided → High
status: New → Confirmed
Changed in hplip:
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hplip - 2.8.2-0ubuntu2

---------------
hplip (2.8.2-0ubuntu2) hardy; urgency=low

  [ Till Kamppeter ]
  * debian/rules: Install the new fax PPD file for color fax devices
    (currently only HP LaserJet M2727 series, Ubuntu LP: #59409).
  * debian/hplip.postinst: Fix PPD paths in /etc/hp/hplip.conf, so that
    hp-setup finds the fax PPDs (Ubuntu LP: #59409).
  * debian/hplip.postinst: Removed code to correct permissions of .hplip
    personal config in user's home directories (Ubuntu LP: #191299).

  [ Mark Purcell ]
  * Added NEWS/ README entry about the need to use 'scanner' group
    - Non-root users need to be in group scanner! (Closes: #454339)
    - should use plugdev rather than scanner group (Closes: #452454)
    - sane-utils: Scanner only accessible under root (Closes: #462563)
  * Force (-f) removal of init.d scripts
    - Uses update-rc.d remove while init script exists; upgrade fails
    (Closes: #456378)

 -- Till Kamppeter <email address hidden> Tue, 26 Feb 2008 10:08:52 +0100

Changed in hplip:
status: In Progress → Fix Released
Changed in hplip:
status: New → Confirmed
Ansgar Burchardt (aburch) wrote :

Are there any plans for a fix in Gutsy? I have prepared a small patch removing the problematic code from the version in Gutsy (see attachment).

Regards,
Ansgar

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hplip - 2.7.7.dfsg.1-0ubuntu5.3

---------------
hplip (2.7.7.dfsg.1-0ubuntu5.3) gutsy-security; urgency=low

  * debian/hplip.postinst: Removed code to correct permissions of .hplip
    personal config in user's home directories (Ubuntu LP: #191299).

 -- Ansgar Burchardt <email address hidden> Thu, 18 Dec 2008 12:45:10 +0100

Changed in hplip:
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Thanks for the patch Ansgar!

This will be published today.

This report contains Public Security information
Everyone can see this security related information.
