blog.crox.net

In Ubuntu Karmic (and possibly Jaunty ?), when you install libsane, it adds a file /lib/udev/rules.d/40-libsane.rules which contains rules that match on supported scanners and set the environment variable "libsane_matched" to "yes".

This in turn triggers the following in /lib/udev/rules.d/70-acl.rules:

# USB scanners
ENV{libsane_matched}=="yes", ENV{ACL_MANAGE}="1"

<snip>

# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*", TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

In the end, the result is that an ACL is created for the device, which allows locally logged in users to use it (read/write permission). eg for my scanner:

~# lsusb
Bus 001 Device 005: ID 04b8:011c Seiko Epson Corp. Perfection 3200
~# ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 2009-12-28 00:11 /dev/bus/usb/001/005
~# getfacl /dev/bus/usb/001/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:crox:rw-
group::rw-
mask::rw-
other::r--
~#

However, I also wanted to allow access to the scanner from other workstations through saned. In older Ubuntu versions, you could just add saned (or whatever user the service runs as) to the scanner group. This no longer works since the device belongs to root:root, and ACLs are added for specific users. The solution that works for me is to create a file /etc/udev/rules.d/99-sane-group.rules with the following contents:

# change group to scanner for sane devices
ENV{libsane_matched}=="yes", GROUP="scanner"

Then you just need to run

sudo udevadm trigger

and the group of the device magically changes to scanner.

Of course you could also add a similar rule specifically for a certain device instead, in my case this would work too:

ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", GROUP="scanner"

To check that it worked, run the following:

sudo su -s /bin/bash -c 'scanimage -L' saned