hplip once again creates logfiles in /tmp, which allows
local users to create/overwrite arbitrary files.
That's here in base/pkit.py:
class BackendService(PolicyKitService):
    INTERFACE_NAME = 'com.hp.hplip'
    SERVICE_NAME = 'com.hp.hplip'
    LOGFILE_NAME = '/tmp/hp-pkservice.log'
    [...]
Best fix would be for hplip to use the standard syslog facility,
relying on syslogd, rather than creating logfiles in /tmp.
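
A sketch of the suggested fix, as an added example that is not hplip's code: records go to syslogd, and a fallback for the case where a file is still required (a generalization beyond the report) refuses symlinks and files it does not exclusively own. The function names, the logger name and the /dev/log socket path are assumptions; the symlink scenario is constructed inside a private temporary directory.

```python
import logging
import logging.handlers
import os
import stat
import tempfile

def make_syslog_logger(name="hp-pkservice"):  # hypothetical helper name
    """Preferred fix: hand records to syslogd, so nothing is created in /tmp."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.handlers.SysLogHandler(
            address="/dev/log",  # assumption: Linux syslog socket path
            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
        handler.setFormatter(logging.Formatter("%(name)s[%(process)d]: %(message)s"))
        logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger

def open_private_log(path):  # hypothetical helper name
    """Fallback when a file is required: never follow or reuse a planted entry."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # O_NOFOLLOW: a symlink at path is an error
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
            raise PermissionError(f"refusing to log to {path}: not a private regular file")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario: a symlink pre-created at the log path is rejected."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "important.conf")
    with open(target, "w") as f:
        f.write("original\n")
    planted = os.path.join(workdir, "hp-pkservice.log")
    os.symlink(target, planted)  # stands in for a pre-existing /tmp entry
    try:
        open_private_log(planted).close()
        rejected = False
    except OSError:
        rejected = True
    with open(target) as f:
        return rejected, f.read()  # target content must be untouched

if __name__ == "__main__":
    print(demo())
```

Even with these checks, a privileged service's log file belongs in a directory only that service can write to, not in a world-writable one.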