On 12/7/05, Sick Twist <thesicktwist@hotmail.com> wrote:
> I just noticed some ownership weirdness while I was tinkering:
>
> jconte@naja:~$ ls -ld /etc /var /
> drwxr-xr-x   22 hplip lp  696 2005-11-23 21:18 /
> drwxr-xr-x  112 hplip lp 6176 2005-12-07 01:01 /etc
> drwxr-xr-x   14 hplip lp  336 2005-03-04 16:39 /var
>
> These are the only directories that appear to be affected. I think hplip is
> a program related to the HP printer driver but it worries me to see such
> important directories owned by what I assume is a trivial program. However,
> I don't want to mess up the printer configuration in case write access is
> needed for /etc or /var for some reason. (Write access to root still seems
> bizarre though.)
>
> Should I chown root.root these directories or let them be? Could this be the
> sign of a bug with the package manager or a crack attempt?
>
> -Jonathon
Yes, chown root.root / /etc /var

If the HP driver installer did this, it is wrong.  If your print
breaks when you correct the ownership, you know how you can get it
working again in a pinch.

You might also want to do a find / -user hplip -group hplip

Certain directories could be considered, but /, /etc, and /var are not
among them.

If this was a verified dpkg or rpm file from a "reliable" source, then
yes, probably a (surprising) bug with the way the driver was packaged.
If this is a ./configure;make;make install deal, I'm curious if you
provided some ./configure flags incorrectly.  Where'd you get the
install package/source?

The ownership is not necessarily evidence of a crack attempt, but if
there is something exploitable in a process running with that userid,
the attacker now has write access to /, /etc, and /var.

~ Daniel
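
The ownership check from this thread as shell functions; this is an added example, not part of either message, and the function names misowned and owned_by are hypothetical. find ANDs its tests by default, so owned_by ORs the user and group tests in order to also list entries like the hplip:lp directories in the listing above.

```shell
#!/bin/sh
# Added example: audit ownership of critical directories.
# Function names are hypothetical; only POSIX find options are used.

# misowned USER GROUP PATH...
# Print each PATH whose owner is not USER or whose group is not GROUP.
# Prints nothing when every path has the expected ownership.
misowned() {
    want_user=$1 want_group=$2
    shift 2
    # -prune keeps find from descending, so only the named paths are tested.
    find "$@" -prune \( ! -user "$want_user" -o ! -group "$want_group" \) -print
}

# owned_by ROOT USER GROUP
# List everything under ROOT (same filesystem only) owned by USER *or*
# belonging to GROUP. Unreadable subtrees are skipped silently.
owned_by() {
    root=$1 user=$2 group=$3
    find "$root" -xdev \( -user "$user" -o -group "$group" \) -print 2>/dev/null
}

# Typical use for the case in this thread (run as root):
#   misowned root root / /etc /var     # lists the directories to fix
#   owned_by / hplip lp                # everything else the account touches
```

Both functions accept numeric IDs as well as names, which helps when the account has already been removed from /etc/passwd.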
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:15:21 EDT