Re: [SLUG] / /etc and /var owned by hplip

From: Sick Twist (thesicktwist@hotmail.com)
Date: Wed Dec 07 2005 - 14:44:58 EST


>From: Daniel Jarboe <daniel.jarboe@gmail.com>
>Reply-To: slug@nks.net
>To: slug@nks.net
>Subject: Re: [SLUG] / /etc and /var owned by hplip
>Date: Wed, 7 Dec 2005 07:21:03 -0500
>
>Yes, chown root.root / /etc /var
>
>If the HP driver installer did this, it is wrong. If your print
>breaks when you correct the ownership, you know how you can get it
>working again in a pinch.
>
>You might also want to do a find / -user hplip -group hplip
>Certain directories could be considered, but /, /etc, and /var are not
>among them.
>
>If this was a verified dpkg or rpm file from a "reliable" source, then
>yes, probably a (surprising) bug with the way the driver was packaged.
> If this is a ./configure;make;make install deal, I'm curious if you
>provided some ./configure flags incorrectly. Where'd you get the
>install package/source?
>
>The ownership is not necessarily evidence of a crack attempt, but if
>there is something exploitable in a process running with that userid,
>the attacker now has write access to /, /etc, and /var.
>
>~ Daniel

The box is running Ubuntu Breezy and the packages came from the official
repository. However, the system was upgraded from Hoary so I guess it would
be difficult to isolate the point and package that made this
alteration.

jconte@naja:~$ apt-cache search ^hplip
hplip-base - HP Linux Printing and Imaging System - base system
hplip-data - HP Linux Printing and Imaging - data files
hplip-ppds - HP Linux Printing and Imaging - PPD files
hplip - HP Linux Printing and Imaging System (hplip) - GUI

Only hplip-base, hplip-data, and hplip-ppds are currently installed. These
other directories are owned by hplip as well:

jconte@naja:~$ sudo find / -user hplip -type d -exec ls -ld '{}' ';'
drwxr-xr-x 2 hplip lp 48 2005-05-14 15:55 /etc/ptal
drwxr-xr-x 17 hplip lp 696 2005-12-07 00:24 /var/run
drwxr-xr-x 2 hplip root 176 2005-12-02 22:22 /var/run/hplip
drwxr-xr-x 2 hplip lp 48 2005-08-05 19:53 /var/run/ptal-mlcd
drwxr-xr-x 2 hplip lp 48 2005-08-05 19:53 /var/run/ptal-printd

My guess is that /var/run should be owned by root as well. The other
directories look OK. Funny thing is that /etc/ptal is empty:

jconte@naja:~$ ls -lA /etc/ptal
total 0

I guess I'll revert the owner and group for /, /etc, /var, and /var/run.
-Jonathon

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
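
The ownership check discussed in this thread, written as a reusable shell function. This is an added example, not part of either poster's message. The function name audit_owner and its output format are assumptions of the example. It lists every given path whose owner or group differs from the expected pair, which is how hplip ownership of /, /etc, /var and /var/run would show up.

```shell
#!/bin/sh
# Added example: report paths whose owner or group is not the expected one.
# audit_owner is a hypothetical helper name, not a system command.
#
# Usage: audit_owner EXPECTED_USER EXPECTED_GROUP PATH...
# Prints "<path> <owner>:<group> <mode>" for each mismatch.
# Returns 0 if every existing path matches, 1 if any mismatch was found.
audit_owner() {
    want_user=$1
    want_group=$2
    shift 2
    rc=0
    for p in "$@"; do
        # Paths that do not exist on this system are skipped, not flagged.
        [ -e "$p" ] || continue
        # -d: describe the directory itself; -L: follow a symlink such as
        # /var/run -> /run, so the real directory's owner is reported.
        # ls -l fields: mode, link count, owner, group, ...
        read -r mode links owner group rest <<EOF
$(ls -ldL -- "$p")
EOF
        if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
            printf '%s %s:%s %s\n' "$p" "$owner" "$group" "$mode"
            rc=1
        fi
    done
    return $rc
}

# When the script is given arguments, audit them against root:root, e.g.
#   sh audit_owner.sh / /etc /var /var/run
if [ "$#" -gt 0 ]; then
    audit_owner root root "$@"
fi
```

A non-zero exit status makes the check usable from cron or a post-upgrade hook, so an ownership change introduced by a package upgrade is noticed when it happens.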


