[Pkg-hpijs-devel] Bug#452705: hplip: postinst updates arbitrary home files with privilege escalation

Justin Pryzby jpryzby+d at quoininc.com
Sat Nov 24 17:39:39 UTC 2007


Package: hplip
Version: 2.7.10-1
Tags: security
Severity: important

The postinst does this:

+       # Correct ownership of personal HPLIP config files of the users
+       # (in older HPLIP versions hp-setup created these files with root
+       #  permissions and made hp-toolbox crashing)
+       for line in `cat /etc/passwd | sed -e 's/ //g'`; do
+               user=`echo $line | cut -d : -f 1`;
+               homedir=`echo $line | cut -d : -f 6`;
+               [ -d $homedir ] && \
+                   find $homedir -maxdepth 1 -not -user $user -name .hplip* \
+                   -exec chown $user '{}' \; 2>/dev/null || :
+       done
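
Review bot: the `-exec chown $user '{}'` at the end of the loop runs as root on paths inside user-writable home directories, and plain `chown` dereferences symbolic links, so a `.hplip*` symlink changes the owner of whatever it points to. If the loop is kept at all, exclude links (`! -type l`) and use `chown -h`, quote `"$homedir"` and `'.hplip*'` so the shell neither splits the path nor expands the glob in the current directory, and drop `2>/dev/null || :` so that failures are reported instead of silently discarded.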

This is really too fragile.  Even if you remove the need for the sed
by shell quoting and check if the original owner matched what's
expected, it still tries to chown files in an arbitrarily-large number
of paths (silently).  The .hplip* should be quoted, and I suspect the
chown should do chown $user:$user.

Worse, the "chown" argument will follow symbolic links, allowing users
to gain ownership of an arbitrary number of files.

I think instead you should 0) get rid of this postinst; 1) fix
hp-toolbox; 2) alert the admin about this, either with a NEWS.Debian
or with a debconf prompt; and, 3) warn the user at runtime if this
situation is detected (ssh does this).

Conceivably you could even try to fix it (copy, unlink, rename).
However that's not always guaranteed to work (if the file is
unreadable) so it's perhaps best to keep the functional changes to a
minimum and rely more on the documentation.
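
An audit-only sketch of the "detect and warn" approach recommended above, as an added example that is not part of the original message or of the hplip package. The function names `check_hplip_owner` and `audit_passwd` are hypothetical; the code reads passwd fields with `IFS=:` instead of `sed` and `cut`, reports symbolic links instead of following them, and changes nothing on disk.

```shell
#!/bin/sh
# Added example (not hplip code): report mis-owned ~/.hplip* entries, never chown.

# check_hplip_owner UID HOMEDIR
#   Prints "symlink <path>"  for every .hplip* symbolic link (never a chown candidate)
#   and    "misowned <path>" for every other .hplip* entry whose owner is not UID.
#   Returns 0 if nothing was reported, 1 otherwise.
check_hplip_owner() {
    h_uid=$1
    h_dir=$2
    found=0
    [ -d "$h_dir" ] || return 0
    for entry in "$h_dir"/.hplip*; do
        # An unmatched glob stays literal; -L also catches dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            printf 'symlink %s\n' "$entry"
            found=1
            continue
        fi
        # ls -ldn prints the numeric owner in field 3 and does not follow links.
        owner=$(ls -ldn -- "$entry" | awk '{print $3}')
        if [ "$owner" != "$h_uid" ]; then
            printf 'misowned %s\n' "$entry"
            found=1
        fi
    done
    return $found
}

# audit_passwd FILE
#   Runs the check for every account in a passwd(5)-format file.
#   Usage on a real system: audit_passwd /etc/passwd
audit_passwd() {
    rc=0
    while IFS=: read -r _user _pw uid _gid _gecos home _shell; do
        [ -n "$home" ] || continue
        check_hplip_owner "$uid" "$home" || rc=1
    done < "$1"
    return $rc
}
```

The output is meant for the administrator or for a runtime warning in the application; the repair itself is left to whoever reads the report.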




