Skip to content

Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)

In Ubuntu Karmic (and possibly Jaunty ?), when you install libsane, it adds a file /lib/udev/rules.d/40-libsane.rules which contains rules that match on supported scanners and set the environment variable "libsane_matched" to "yes".

This in turn triggers the following in /lib/udev/rules.d/70-acl.rules:
# USB scanners
ENV{libsane_matched}=="yes", ENV{ACL_MANAGE}="1"
<snip>
# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

In the end, the result is that an ACL is created for the device, which allows locally logged in users to use it (read/write permission). eg for my scanner:
~# lsusb
Bus 001 Device 005: ID 04b8:011c Seiko Epson Corp. Perfection 3200
~# ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 2009-12-28 00:11 /dev/bus/usb/001/005
~# getfacl /dev/bus/usb/001/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:crox:rw-
group::rw-
mask::rw-
other::r--
~#

However, I also wanted to allow access to the scanner from other workstations through saned. In older Ubuntu versions, you could just add saned (or whatever user the service runs as) to the scanner group. This no longer works since the device belongs to root:root, and ACLs are added for specific users. The solution that works for me is to create a file /etc/udev/rules.d/99-sane-group.rules with the following contents:
# change group to scanner for sane devices
ENV{libsane_matched}=="yes", GROUP="scanner"

Then you just need to run
sudo udevadm trigger
and the group of the device magically changes to scanner.

Of course you could also add a similar rule specifically for a certain device instead, in my case this would work too:
ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", GROUP="scanner"


To check that it worked, run the following:
sudo su -s /bin/bash -c 'scanimage -L' saned



  • Twitter
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at del.icio.us
  • Facebook
  • Google Bookmarks
  • FriendFeed
  • Digg Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
  • Mixx Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
  • Bloglines Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
  • Technorati Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
  • Fark this: Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl)
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at YahooMyWeb
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at Furl.net
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at reddit.com
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at blinklist.com
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at Spurl.net
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at NewsVine
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at Simpy.com
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) at blogmarks
  • Bookmark Scanner permissions in Ubuntu Karmic (udev libusb saned problem with udev-acl) with wists
  • wong it!
  • Bookmark using any bookmark manager!
  • Stumble It!
  • Print this article!
  • E-mail this story to a friend!
  • Identi.ca

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Marcus Hember on :

This is by far the best description / explanation of the Ubuntu 10.04 scanner permissions issue I have discovered, thank you!

Please could you include it on the ubutu wikis?

Nowhere else is there a hint of explaining of the chain of udev events, (or for that matter what the ENV{libsane_matched}="yes"
means in the libsane.rules file under /etc/udev/rules.d.

Thanks very much!!

Thomas on :

I can only agree to Marcus. Not only did this description solve my problem, it also taught me a lot.

Please add it to the SANE/Scanner entries on the ubuntu wiki pages. They are somewhat out of date and somewhat lost:
http://wiki.ubuntuusers.de/Baustelle/Verlassen/SANE_Scanserver_im_Netzwerk

tony on :

At last a fix, but not quite as you described it.

Using 10.04 server, it worked when I replaced "saned" for the GROUP= instead of "scanner"

Dave Hughes on :

Ran across this issue today on my Ubunutu 12.04 Precise server, but with a couple of differences. The node was owned by root:root:

crw-rw-r--+ 1 root root 189, 130 Aug 28 10:57 /dev/bus/usb/002/003

But the result of getfacl was:

# file: dev/bus/usb/002/003
# owner: root
# group: root
user::rw-
group::rw-
group:scanner:rw-
mask::rw-
other::r--

So somewhere along the line the udev-acl rules are adding rw access for the scanner group (though I couldn't find exactly what rule caused this). So in this case simply adding "saned" to the "scanner" group enabled networking scanning to work. Not sure why "saned" isn't a member of "scanner" by default though...

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Form options