https://bugzilla.novell.com/show_bug.cgi?id=876116
https://bugzilla.novell.com/show_bug.cgi?id=876116#c3
--- Comment #3 from Johannes Meixner 2014-05-06 11:21:48 CEST ---
Up to 24 Tue 2012 we had in our hplip package a
/etc/sysconfig/SuSEfirewall2.d/services/hplip file, see
https://bugzilla.novell.com/show_bug.cgi?id=528819#c2
But since Apr 24 Tue 2012 that file is no longer provided, see
https://bugzilla.novell.com/show_bug.cgi?id=757354#c10
Nowadays we have in our hplip source package the patch
neither-add_user_to_group-nor-open_mdns_port.diff
that deactivates add_user_to_group and open_mdns_port
in distros.dat for SUSE distros to avoid security issues
when normal users get added to system groups 'lp' and 'sys'
see https://bugs.launchpad.net/bugs/1197416
and https://bugs.launchpad.net/bugs/1112306
and to avoid security issues when ports in the firewall
get opened see https://bugs.launchpad.net/bugs/426161
In the end this should result in the same
basic secure behaviour as I also described in
https://bugs.launchpad.net/hplip/+bug/1197416/comments/4
(excerpt):
---------------------------------------------------------------------------
In general I urgently recommend not to lower existing
security settings in a Linux system without first explicit
information for the admin (i.e. "root") and then explicit
confirmation by the admin of the Linux system
---------------------------------------------------------------------------
Regarding firewall and HPLIP this means:
HPLIP must not try to somehow automatically lower existing
firewall settings without first explicit information for
the admin and then explicit confirmation by the admin.
This means when existing firewall settings make it impossible
for HPLIP to autodetect remote printers or to use them,
then HPLIP must not try to somehow automatically change
the existing firewall settings to make it "just work".
As far as I know the solution when existing firewall settings
make it impossible for HPLIP to autodetect or use printers is
that HPLIP communicates with the user.
HPLIP should first and foremost show explicit information
what the issue is.
Then HPLIP may let the user authenticate to be an admin,
then explicitly tell the admin what HPLIP wants to change, and
finally get an explicit confirmation by the admin to apply that change.
Alternatively for openSUSE HPLIP could only show explicit information
what the issue is and point the user to the YaST firewall module
to adapt the firewall settings via the YaST firewall module
for example with a text like:
HPLIP cannot autodetect remote printers or use them.
Perhaps existing firewall settings make it impossible.
If you run a firewall and when you are in a trusted
network environment, you may open the ports for the
network services "mdns" and "svrloc" in the firewall.
For openSUSE you can use the YaST firewall module for it.
Bottom line:
The basic issue is that HPLIP must not somehow automatically
change existing security settings to make things "just work".
See also "Security: Make Things Not Just Work" at
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings