sane devices should not be managed by consolekit
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
consolekit (Ubuntu) | Invalid | Undecided | Unassigned | |
sane-backends (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
In hardy, USB scanners are managed differently than in previous releases of Ubuntu.
Before hardy, there were udev rules assigning to the "scanner" group all the USB devices that appeared to be scanners under comparison to the /etc/udev/
Now, that file is no more, and the access to the usb scanners is controlled by HAL+Consolekit.
The result is that only the user who is sitting at the console has permission to use the scanner, since the usb devices now get owned by root, with a special ACL allowing access to the console user.
This is a very very wrong thing to do.
The beauty of sane is that it can work over the network. But with "hardy" it cannot anymore: there is no possibility to set up a scanner server.
Saned is supposed to be run via xinetd as the saned user. But with the current setup, the saned user cannot access the scanner, since only the current console user and root can. It is not possible to tell xinetd that saned should be run as "the current console user". And in fact there might be no current console user at all.
Nor is it possible to tell xinetd that saned should be run as root, because this is just too bad from a security point of view.
What makes the matter worse is that putting the 45-libsane.rules from gutsy back in place does not help.
So, with the current consolekit thing, sane is not sane anymore, and can only be run from the console (a la Twain) and not as a server.
Please rethink consolekit and scanners. Consolekit is a very desktop-centric thing, assuming that most pluggable peripherals should be owned by the person at the console. But this is generally not true of anything that can be shared on the network. Things that can be shared should be independent from the console user. Please go back to treating scanners with a dedicated system user or group owning them.
BTW, also note that if I have a machine with a scanner attached to it and 10 users that might sit at the console, there is a chance that I do not want to give all 10 the privilege to use the scanner. So, it is just nice to have a scanner group, where I can put the users allowed to use the scanner.
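The access decision described in this report can be modelled with the POSIX.1e ACL check from acl(5). The following is an added example, not part of the original report or of sane-backends: the device-node permissions, the users alice and bob, and saned's membership of the "scanner" group are constructed assumptions.

```python
# Added example: the acl(5) access check applied to a scanner device node.
# Every user, group and permission value below is a constructed sample.
from dataclasses import dataclass, field

R, W = 4, 2

@dataclass
class Node:
    owner: str
    group: str
    user_obj: int                      # owner permissions
    group_obj: int                     # owning-group permissions
    other: int
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)
    mask: int = 7                      # caps group_obj and all named entries

@dataclass
class Proc:
    user: str
    groups: frozenset

def allowed(node, proc, want):
    """True if proc is granted every bit in `want` (root bypass not modelled)."""
    if proc.user == node.owner:
        return (node.user_obj & want) == want
    if proc.user in node.named_users:
        return (node.named_users[proc.user] & node.mask & want) == want
    matched = False
    for grp, perms in [(node.group, node.group_obj), *node.named_groups.items()]:
        if grp in proc.groups:
            matched = True
            if (perms & node.mask & want) == want:
                return True
    if matched:                        # a group matched but none grants enough
        return False
    return (node.other & want) == want

# Console-ACL model: root-owned node plus a named-user entry for the console user.
hardy_node = Node("root", "root", 6, 6, 0, named_users={"alice": 6}, mask=6)
# Group model: node owned by a dedicated "scanner" group, no per-user ACL.
group_node = Node("root", "scanner", 6, 6, 0)

saned = Proc("saned", frozenset({"saned", "scanner"}))  # assumed group membership
alice = Proc("alice", frozenset({"alice"}))             # console user, not in group
bob = Proc("bob", frozenset({"bob", "scanner"}))        # admin-approved scanner user

def summary():
    procs = {"saned": saned, "alice": alice, "bob": bob}
    return {model: {n: allowed(node, p, R | W) for n, p in procs.items()}
            for model, node in (("console-acl", hardy_node), ("group", group_node))}

if __name__ == "__main__":
    print(summary())
```
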