saned does not have permission to access the scanner

Bug #229343 reported by Paul Worrall on 2008-05-11
76
This bug affects 13 people
Affects Status Importance Assigned to Milestone
sane-backends (Ubuntu)
Medium
Unassigned
Hardy
High
Unassigned

Bug Description

Starting with Hardy, my scanner device is no longer owned by the group "scanner", instead (AIUI) the PolicyKit / ConsoleKit /HAL scheme uses ACLs to allow the user with the active session access to the scanner. However this scheme does not permit the SANE Network Demon "saned" to access the scanner and hence other machines on the network can no longer access the scanner.

Paul Worrall (nicknak) wrote :

saned is started by inetd with user name "saned" so, hacking the file "/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi" I created the attached file in "/etc/hal/fdi/policy/20-acl-management.fdi" which ensures that user "saned" always has access to the scanner. This seems to resolve the problem.

Paul Worrall (nicknak) wrote :

I needed to make a small change to the file so that acls get reconfigured at start up, otherwise saned doesn't get access to the scanner until someone logs in to the PC the scanner's connected to (thus invoking hal-acl-tool --reconfigure).

Paul Worrall (nicknak) wrote :

I subsequently tried removing the above HAL policy file and using:

polkit-auth --user saned --grant org.freedesktop.hal.device-access.scanner

instead, but this did not work.

Matt LaPaglia (mlapaglia) wrote :

I have to manually set permissions to the scanner device to be able to allow remote users to use the scanner.

sudo chown root:saned /dev/bus/usb/001/002 && sudo chmod g+rw /dev/bus/usb/001/002

you need to replace the 001/002 with your own devices address, you can find this by issues

scanimage -L

and pulling the numbers from that. Any ideas on how to make this automatic? a terminal solution would be nice because i'm running server edition with no GUI.

Thanks!

jhansonxi (jhansonxi) wrote :

Might be another duplicate of bug #180794

same thing happening on my boxes here, also running Hardy. Another solution, though somewhat less secure (but OK for me since the scanner's only accessible to my LAN) is to just tell xinetd to run saned as root. On my box then, /etc/xinetd.d/saned reads:

service saned
{
socket_type = stream
server = /usr/sbin/saned
protocol = tcp
user = root
group = root
wait = no
disable = no
only_from = 10.1.1.2
}

This solved the issue for me, if a little bit of a brute force way to do it.

Jorge E. Gómez (jorgeegomez) wrote :

jhansonxi: It is not a duplicate. bug #180794 denies access to the current user; This bug denies access to user 'saned'. The fixed released for that bug does not fix this one.

I can confirm Paul Worrall's changes to the file /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi fixes the problem.

Martin Pitt (pitti) wrote :

Indeed polkit-auth won't work, since the saned daemon is not tied to a ConsoleKit session (which the auto-ACL magic relies on). Your hal FDI solution sounds like the most appropriate approach, thanks for this.

Changed in sane-backends:
assignee: nobody → pitti
status: New → In Progress
status: In Progress → Triaged
Jerome Charaoui (jcharaoui) wrote :

I can confirm this solution works. Without this fix, sharing a scanner over network with saned simply does not work, and this problem is not easy to debug. No HowTo I could find had any reference to this issue.

I finally tracked down this bug report after a few hours of fiddling around. I hope the fix will be included very soon in the packages.

Distro-jumper (boblounsbury) wrote :

THANK YOU!!

I'd been looking for solutions and trying different configuration settings for hours, kept thinking I was doing something wrong in the configuration.

Changing the permissions on the scanner fixed it! Oddly enough I installed Debian 5.0 on this machine a few weeks ago and it setup the printer and scanner perfectly. Strange that Ubuntu 8.04 has this issue.

I've since upgraded our boxes here to Jaunty, and this issue has again reared its head. The solution for me was to follow the HowTo at https://help.ubuntu.com/community/ScanningHowTo , and then change the RUN_AS_USER line in /etc/default/saned such that saned runs as "root". Doesn't jive well with Ubuntu's normal security model, but it works.

That said, it's been a year since this bug was opened. If I can work around it (if somewhat insecurely) on my end with a one-word change to a single configuration file, why has it not been fixed properly? Why does this issue still persist a year later?

Sandro Mani (sandromani) wrote :

Just wanted to point out that the workaround

sudo chown root:saned /dev/bus/usb/001/002 && sudo chmod g+rw /dev/bus/usb/001/002

is potentially dangerous for multifunction devices as it will make scanning work, but will brake printing, as the node needs to have gid=lp.

Distro-jumper (boblounsbury) wrote :

Just wanted to point out that using the workaround

sudo chown root:saned /dev/bus/usb/001/002 && sudo chmod g+rw /dev/bus/usb/001/002

did not break printing for me on Ubuntu 8.04 with my multifunction HP Deskjet F4280 like Sandro Mani is stating. Though I have noticed that after certain updates the printer gets 'chowned' back to the defaults, and I have to go back in and update it with the workaround again and again. Also, my scanner has never actually worked it acts like it is going to, but then xsane freezes.

Personally, like Vanessa Ezekowitz, I don't understand why in over a year this problem has not been fixed. Ubuntu 8.04 Server is supposed to be supported for 5 years. So, I'm supposed to use 8.04 for the next 4 years on my server and have to continue to deal with this problem? I say NO, I'm switching to a different server os!!

Sandro Mani (sandromani) wrote :

Uhm could that have something to do with the fact that I share both printer and scanner via network? I simply noticed that as soon as lp did not have any permissions anymore, all printing tasks would not complete anymore (the workarround of Vanessa Ezekowitz works well anyway). As for the bug itself, I'd say judging the fact that the ubuntu development team is not really big and that there are bugs that require much more attention than this one (for which workarounds do not exist), we cannot really expect them to be able to focus on each existing bug. But we users can help if we track down the problem to a specific package or distribution and then report the bug directly to the upstream dev team. There are other operating systems with ugly bugs as well, but where your hands are tied because there exists no open documentation, and all you can do is contact some "support professional" that will give you links to useless "knowledge base" articles, while no one of the development team actually cares, as long as you throw away your money for their products...

Distro-jumper (boblounsbury) wrote :

I'm not sure what the 'why' is, but I share my printer and scanner via a network as well.

Unfortunately, the workaround shown by Vanessa Ezekowitz is not available for 8.04, which is the LTS version supported for 5 years and what I would have liked to continue to use. A printer and scanner are something I need to have working reliably, I cannot be messing with permissions every few months when an update occurs that messes them up.

This 'bug', as I stated a couple of posts ago, is not present in Debian, too bad it crept into Ubuntu because it is running very well otherwise. I wholeheartedly understand that the Ubuntu development team is very busy, and I guess this just leads to another issue I have with Ubuntu. Having to output a new release every six months means they have much less time to fix real issues like this, and may demonstrate a flaw in Ubuntu trying to be all things to all people. I could also realize that it may take the development team a few months or half a year to fix the bug, but we are now talking about 1 yr and 1 month, and there is still no sign that it will be fixed. So, when will it happen? When the next LTS is released?

What the Ubuntu development team may consider a small bug has become a show stopper for me, and is forcing me to use a different server operating system.

Distro-jumper (boblounsbury) wrote :

I realize this not the place to discuss this and I hope no one thinks it is too rude, but I just wanted to let anyone know that may be interested that because of this bug I installed Debian 5.0 and everything is working perfectly ... printer & scanner. No more scanner freezes and editing permissions. It just works.

Sandro Mani (sandromani) wrote :

Chances that it might be fixed in karmic too with the latest debian imports, we'll see.. Great to know anyway.

A1an (alan-b) wrote :

Creating the policy file didn't work for me, however Vanessa's solution posted on 2008-09-05 (running saned as root) did solve the problem. I'm also using xinetd to start saned.

Regards

---

Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

Changed in sane-backends (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → High
TechnoSwiss (misterb) wrote :

I ran into a fix for this by accident while I was looking at a permissions problem with hp-levels.

Add saned to the group lp, that should fix the problem.

I'm pretty sure that I had already done that. Anyway, like I said in my
previous posts I've already switced to Debian where everything is working
perfectly. So I'm not switching back to Ubuntu at this point. Allowing a bug
in the distribution to remain unfixed for well over a year that disables
your scanner is not acceptable policy for me.

On Fri, Sep 4, 2009 at 1:55 AM, TechnoSwiss <email address hidden>wrote:

> I ran into a fix for this by accident while I was looking at a
> permissions problem with hp-levels.
>
> Add saned to the group lp, that should fix the problem.
>
> --
> saned cannot access the scanner in Hardy
> https://bugs.launchpad.net/bugs/229343
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “sane-backends” package in Ubuntu: Triaged
> Status in sane-backends in Ubuntu Hardy: Triaged
>
> Bug description:
> Starting with Hardy, my scanner device is no longer owned by the group
> "scanner", instead (AIUI) the PolicyKit / ConsoleKit /HAL scheme uses ACLs
> to allow the user with the active session access to the scanner. However
> this scheme does not permit the SANE Network Demon "saned" to access the
> scanner and hence other machines on the network can no longer access the
> scanner.
>

I had a similar issue, but did not resort to running saned as root. Instead, I did:
$ sane-find-scanner
...
found USB scanner (vendor=0x03f0 [HP], product=0x2a12 [Officejet J4500 series]) at libusb:005:002
...

Then I checked the permissions of the libusb:005:002 device:
$ getfacl /dev/bus/usb/005/002
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/005/002
# owner: lp
# group: lp
user::rw-
group::rw-
other::r--

It was clear that saned needed to be in the 'lp' group. So I did:
$ sudo adduser saned lp

and it worked.

On Fri, Sep 11, 2009 at 4:04 PM, Jamie Strandboge <email address hidden> wrote:

> I had a similar issue, but did not resort to running saned as root.
> Instead, I did:
> $ sane-find-scanner
> ...
> found USB scanner (vendor=0x03f0 [HP], product=0x2a12 [Officejet J4500
> series]) at libusb:005:002
> ...
>
> Then I checked the permissions of the libusb:005:002 device:
> $ getfacl /dev/bus/usb/005/002
> getfacl: Removing leading '/' from absolute path names
> # file: dev/bus/usb/005/002
> # owner: lp
> # group: lp
> user::rw-
> group::rw-
> other::r--
>
> It was clear that saned needed to be in the 'lp' group. So I did:
> $ sudo adduser saned lp
>
> and it worked.
>

I don't think people are paying attention to the problem that others (like
me) have had which was temporarily solved by (post #4):

"I have to manually set permissions to the scanner device to be able to
allow remote users to use the scanner.

sudo chown root:saned /dev/bus/usb/001/002 && sudo chmod g+rw
/dev/bus/usb/001/002"

The problem was NOT that saned was not part of the lp group, but that saned
nor lp nor any other person had access to the device other than "root". The
permissions were originally root:root and needed to be changed to
root:saned. To make it worse, sane updates would reset the permissions to
the usb device making the scanner inaccessible again.

Martin Pitt (pitti) on 2009-10-11
Changed in sane-backends (Ubuntu Hardy):
status: Triaged → Won't Fix
Changed in sane-backends (Ubuntu):
importance: Undecided → Medium
assignee: Martin Pitt (pitti) → nobody

This 'bug' is a direct result from https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/188552 sane does not have udev rules in place to give the device proper permissions when plugged in, resulting in the root:root ownership. If you put in a proper udev rule this problem goes away.

I have just experienced this bug in Xubuntu 11.10.

I used getfacl and found out that the scanner was assigned to root:lp. So adding saned to the lp group fixed the problem.

How can I flag this bug for Xubuntu devs?

Argh, spoke too soon. After adding saned to lp group, I was able to select the scanner in simple-scan, but it didn't actually work.

Unable to get open device: Error during device I/O

Andrew (andrewkvalheim) on 2012-11-16
summary: - saned cannot access the scanner in Hardy
+ saned does not have permission to access the scanner
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers