[Bug 227045] print/hplip: hp-setup allows non-root, non-group user to to write into read-only directory

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227045

            Bug ID: 227045
           Summary: print/hplip: hp-setup allows non-root,non-group user
                    to to write into read-only directory
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: woodsb02 at freebsd.org
          Reporter: freebsd at dreamchaser.org
          Assignee: woodsb02 at freebsd.org
             Flags: maintainer-feedback?(woodsb02 at freebsd.org)

hplip installs hp-setup to configure printers
This involves generating a .ppd file and writing it to /usr/local/etc/cups/ppd
This can be done by a non-root user.

The directory written:
$ ls -dl /usr/local/etc/cups/ppd
drwxr-xr-x  2 root  cups  512 Mar 28 12:09 /usr/local/etc/cups/ppd

The user involved: cupsadmin
$ grep cupsadmin /etc/group
wheel:*:0:root,cupsadmin
operator:*:5:root,cupsadmin
cups:*:193:cupsadmin

Note that while user cupsadmin is a member of wheel, the directory written
is only writeable by root; and while the user cupsadmin is also a member of
cups, the directory is not writeable by group cups.

The file written:
$ ls -lt /usr/local/etc/cups/ppd/HP*
-rw-r-----  1 root  cups  31122 Mar 28 12:03
/usr/local/etc/cups/ppd/HP_Officejet_Pro_8500_A909g.ppd

-- 
You are receiving this mail because:
You are the assignee for the bug.