[Bug 1938442] Re: Wrong permissions on ~/.hplip/.gnupg

Till Kamppeter 1938442 at bugs.launchpad.net
Mon Nov 1 10:17:15 UTC 2021 

The public GPG keys here are only to check the integrity of a downloaded
proprietary plugin, to prevent that someone could make HPLIP download
and install a fake, malware plugin. HPLIP does not load such a key as
long as the user does not try to download the plugin and HPLIP dos also
not do any other downloads from the internet. The keys are actually only
HP's public keys. No keys of the user are stored under ~/.hplip. So
wrong permissions should be harmless here.

So what you should do for testing is whether you can still download the
proprietary plugin with the stricter permissions (with your patch). If
it still works, the stricter permissions could be generally used, but as
the keys are only public keys from HP, the stricter permissions are not
actually needed.

If my assumptions are correct, I do not see a security issue here.

Can someone from HP tell whether I am right?

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1938442

Title:
  Wrong permissions on ~/.hplip/.gnupg

Status in HPLIP:
  New
Status in hplip package in Ubuntu:
  New
Status in Fedora:
  Unknown

Bug description:
  [Impact]
  * The directory ~/.hplip/.gnupg is readable by non-root users
  * This directory contains only public keys, but should still
    have the permissions changed to 700 for privacy reasons

  [Test Case]
  * Install hplip and run `hp-plugin -i` 
  * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwxr-xr-x
  * rm -rf ~/.hplip and install hplip from -proposed
  * run `hp-plugin -i` again
  * ls -al ~/.hplip and observe that ~/.hplip/.gnupg has perms drwx------

  [Regression Potential]
  * Because of file permissions becoming more restrictive,
    it is possible that some other hplip binaries would
    fail to read the .gnupg directory
  * To ensure this isn't the case, testing should be done
    on different hplip use-cases to ensure they still
    function properly

  [Original Description]
  Hi,

  we have a report in Fedora -
  https://bugzilla.redhat.com/show_bug.cgi?id=1985251 - where Sergey
  found out that ~/.hplip/.gnupg directory has permissions 755 instead
  of 700. Perms 700 prevent accessing the dir by other users, because
  the dir can contain private keys.

  However, .gnupg dir contains only a public key used in GPG
  verification of HP plugin, so the matter isn't that critical, but it
  is good to have it fixed.

  The patch is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hplip/+bug/1938442/+subscriptions

More information about the Ubuntu-sponsors mailing list