[sane-devel] sane - access problem with debian squeeze

Johannes Meixner jsmeix at suse.de
Fri Apr 8 09:02:05 UTC 2011


On Apr 7 21:08 postbote2009-debian at yahoo.com wrote (excerpt):
> Julien BLACHE wrote (excerpt):
>> postbote2009-debian at yahoo.com wrote (excerpt):
>>> device `pixma:04A91725' is a CANON Canon PIXMA MP610 multi-function
>>> peripheral
>> Seeing how your device is an MFP, it's probably root:lp instead of
>> root:scanner due to a change in udev itself between Lenny and Squeeze.
>> In Lenny the scanner group would prevail, in Squeeze it's the lp group
>> that prevails. In Lenny the issue was with printing to MFPs, in Squeeze
>> it's with scanning.
>> Two ways to work around this:
>>  - add your user to the lp group
>>  - use ConsoleKit and any user physically logged into the machine
>>    (running the X session) will have access to the scanner
> Thank you very much - after adding the user to lp everything worked fine.
> I'm just curious - if you've got the time and it isn't too difficult to explain
> - why does the user have to be in the group "lp" if in 60-libsane.rules "scanner" is
> mentioned?

For openSUSE we do not have a group "scanner" and
I change the udev rules in libsane.rules as follows:

All GROUP="scanner" are replaced by GROUP="lp".

There is no group "scanner" in /etc/group for openSUSE.
For all-in-one devices (i.e. printer + scanner, e.g. "EPSON Stylus" devices)
the group must be "lp" so that the CUPS usb backend which runs
as user "lp" (who is member of the group "lp") can send printing data
to the printer unit (i.e. the printer interface of the USB device).
It is sufficiently secure and reasonably easy to use by default
the same group "lp" for printers and scanners because both kinds of devices
usually require physical user access (to get the printed paper or
to place a paper on the scanner) so that both kinds of devices
should usually require the same kind of security.

Because one and the same device file cannot belong to two traditional groups
(i.e. when no advanced stuff like ACLs is used) and because
multi-function devices are more and more common nowadays,
the "printing via lp group" versus "scanning via scanner group"
conflict will happen more and more often.

The solution could be one single traditional group by default.

Therefore I suggest thinking about whether SANE might move away from its
special group "scanner" and use the traditional group "lp" instead.

This would of course not mean that a special group "scanner"
is forbidden or that advanced stuff like ACLs can be used.

All I would like to suggest is a default which avoids a common conflict
so that printing and scanning with multi-function devices
could work out of the box even in a traditional environment.

A drawback of using the group "lp" by default for scanners is
that there would be a possible security issue if all normal users
were added to the group "lp" by default, because users
in the "lp" group can read the print spool data files
/var/spool/cups/d* and could therefore read possibly
confidential print job data.

Therefore in openSUSE we do not add normal users by default
to the "lp" group so that by default normal users cannot access
scanners in a traditional environment.

In openSUSE we use by default udev and its ACLs so that a user
who logs in directly at the machine gets sufficient permissions
to access scanners.

But using the "lp" group also for scanners in openSUSE avoids
the conflict over which traditional group a multi-function device
should be assigned to.

And the admin in a traditional environment can add trusted users
to the "lp" group if needed in his particular case - considering
what is secure in his particular (network) environment.

Kind Regards
Johannes Meixner
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
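The group conflict described in the thread (an MFP matched by a libsane rule with GROUP="scanner" and by a printer rule with GROUP="lp"), modelled in an added Python example that is not code from the thread, SANE or udev; the printer rule, both rule filenames and the device attributes are constructed, and only the small subset of udev rule syntax needed here is parsed.

```python
# Added example, not code from the sane-devel thread, SANE or udev: a simplified
# model of udev rule evaluation showing how an MFP matched by both a libsane rule
# (GROUP="scanner") and a printer rule (GROUP="lp") ends up root:lp. Handled: KEY
# op "value" tokens, == / != glob matches, = assignments, rule files applied in
# lexical order with later assignments winning. All data below is constructed.
import fnmatch
import re

TOKEN = re.compile(r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')

def parse_rule(line):
    """Split one rule line into (match conditions, assignments)."""
    matches, assigns = [], {}
    for key, op, value in TOKEN.findall(line):
        if op in ("==", "!="):
            matches.append((key, op, value))
        else:
            assigns[key] = value
    return matches, assigns

def rule_matches(matches, device):
    """True when every == / != condition holds; patterns are shell-style globs."""
    for key, op, pattern in matches:
        hit = fnmatch.fnmatchcase(device.get(key, ""), pattern)
        if (op == "==") != hit:
            return False
    return True

def effective_perms(rule_files, device):
    """Apply {filename: rules_text} in lexical order; the last assignment wins."""
    result = {}
    for _, text in sorted(rule_files.items()):
        for line in text.splitlines():
            matches, assigns = parse_rule(line)
            if rule_matches(matches, device):
                result.update(assigns)
    return result

def unify_scanner_group(rules_text, group="lp"):
    """The openSUSE change from the post: every GROUP="scanner" becomes GROUP="lp"."""
    return rules_text.replace('GROUP="scanner"', f'GROUP="{group}"')

# Constructed device: ids from `pixma:04A91725` in the thread (sysfs reports lower case); 07/01 = USB printer class
MP610 = {"SUBSYSTEM": "usb", "ATTRS{idVendor}": "04a9", "ATTRS{idProduct}": "1725",
         "ENV{ID_USB_INTERFACES}": ":070103:ff0000:"}
RULES = {  # constructed filenames and rules; the 70- file sorts after 60-libsane.rules
    "60-libsane.rules": 'ATTRS{idVendor}=="04a9", ATTRS{idProduct}=="1725", MODE="0664", GROUP="scanner"',
    "70-printers.rules": 'SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:0701??:*", GROUP="lp"',
}
```

With the stock rules `effective_perms(RULES, MP610)` reports GROUP lp because the later file's assignment wins; after `unify_scanner_group` both rules agree on lp and the device file carries the same group whichever rule matches last.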
