Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
In Ubuntu Karmic (and possibly Jaunty?), installing libsane adds a file /lib/udev/rules.d/40-libsane.rules, which contains rules that match supported scanners and set the environment variable "libsane_matched" to "yes".
This in turn triggers the following in /lib/udev/rules.d/70-acl.rules:
# USB scanners
ENV{libsane_matched}=="yes", ENV{ACL_MANAGE}="1"
<snip>
# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
In the end, the result is that an ACL is created for the device, which allows locally logged-in users to use it (read/write permission), e.g. for my scanner:
~# lsusb
Bus 001 Device 005: ID 04b8:011c Seiko Epson Corp. Perfection 3200
~# ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 2009-12-28 00:11 /dev/bus/usb/001/005
~# getfacl /dev/bus/usb/001/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:crox:rw-
group::rw-
mask::rw-
other::r--
~#
However, I also wanted to allow access to the scanner from other workstations through saned. In older Ubuntu versions, you could just add saned (or whatever user the service runs as) to the scanner group. This no longer works since the device belongs to root:root, and ACLs are added for specific users. The solution that works for me is to create a file /etc/udev/rules.d/99-sane-group.rules with the following contents:
# change group to scanner for sane devices
ENV{libsane_matched}=="yes", GROUP="scanner"
Then you just need to run
sudo udevadm trigger
and the group of the device magically changes to scanner.
Of course you could also add a similar rule specifically for a certain device instead, in my case this would work too:
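# IDs of the scanner itself, from the lsusb output above (04b8:011c).
# ATTRS{} also matches parent devices, so a hub's IDs (e.g. 1d6b:0002) would match every device behind that hub.
ATTRS{idVendor}=="04b8", ATTRS{idProduct}=="011c", GROUP="scanner"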
To check that it worked, run the following:
sudo su -s /bin/bash -c 'scanimage -L' saned
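To see why adding saned to the scanner group has no effect until the device's group changes, this added example (not part of the original post) evaluates the getfacl listing above using the access-check order from acl(5). The AFTER listing and the group memberships passed to allowed() are constructed assumptions.

```python
# POSIX ACL access check (order from acl(5)) applied to getfacl text.
# Not modeled: root's override of permission checks.
BEFORE = """\
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:crox:rw-
group::rw-
mask::rw-
other::r--
"""  # getfacl output quoted in the post
# Constructed: the same listing once 99-sane-group.rules has set the group.
AFTER = BEFORE.replace("# group: root", "# group: scanner")

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "user": {}, "grp": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
            continue
        parts = line.split(":")
        if len(parts) < 3 or parts[0] not in ("user", "group", "mask", "other"):
            continue  # "# file:" header, getfacl warnings, blank lines
        tag, name, bits = parts[0], parts[1], set(parts[2][:3]) - {"-"}
        if tag == "user":
            acl["user"][name] = bits   # "" is the owner entry
        elif tag == "group":
            acl["grp"][name] = bits    # "" is the owning-group entry
        else:
            acl[tag] = bits
    return acl

def allowed(text, user, groups, want="rw"):
    acl, want = parse_getfacl(text), set(want)
    masked = lambda bits: bits if acl["mask"] is None else bits & acl["mask"]
    if user == acl["owner"]:
        return want <= acl["user"][""]
    if user in acl["user"]:
        return want <= masked(acl["user"][user])
    hits = [b for name, b in acl["grp"].items() if (name or acl["group"]) in groups]
    if hits:
        return any(want <= masked(b) for b in hits)
    return want <= acl["other"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "saned rw:", allowed(text, "saned", {"saned", "scanner"}))
```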
Comments
Marcus Hember on :
Please could you include it on the Ubuntu wikis?
Nowhere else is there a hint of an explanation of the chain of udev events (or, for that matter, what the ENV{libsane_matched}="yes" means in the libsane.rules file under /etc/udev/rules.d).
Thanks very much!!
Thomas on :
Please add it to the SANE/Scanner entries on the Ubuntu wiki pages. They are somewhat out of date and somewhat lost:
http://wiki.ubuntuusers.de/Baustelle/Verlassen/SANE_Scanserver_im_Netzwerk
tony on :
Using 10.04 server, it worked when I replaced "saned" for the GROUP= instead of "scanner"
Dave Hughes on :
crw-rw-r--+ 1 root root 189, 130 Aug 28 10:57 /dev/bus/usb/002/003
But the result of getfacl was:
# file: dev/bus/usb/002/003
# owner: root
# group: root
user::rw-
group::rw-
group:scanner:rw-
mask::rw-
other::r--
So somewhere along the line the udev-acl rules are adding rw access for the scanner group (though I couldn't find exactly what rule caused this). So in this case simply adding "saned" to the "scanner" group enabled networking scanning to work. Not sure why "saned" isn't a member of "scanner" by default though...