sane devices should not be managed by consolekit

Bug #236956 reported by Sergio Callegari
This bug affects 13 people
Affects: consolekit (Ubuntu). Status: Invalid. Importance: Undecided. Assigned to: Unassigned.
Affects: sane-backends (Ubuntu). Status: Fix Released. Importance: Undecided. Assigned to: Unassigned.

Bug Description

In hardy, USB scanners are managed differently than in previous releases of Ubuntu.

Before hardy, there were udev rules assigning to the "scanner" group all the USB devices that appeared to be scanners under comparison to the /etc/udev/rules.d/45-libsane.rules.

Now, that file is no more, and the access to the usb scanners is controlled by HAL+Consolekit.

The result is that only the user who is sitting at the console has permission to use the scanner, since the usb devices now get owned by root, with a special ACL allowing access to the console user.

This is a very very wrong thing to do.

The beauty of sane is that it can work over the network. But with "hardy" it cannot anymore: there is no possibility to set up a scanner server.

Saned is supposed to be run via xinetd as the saned user. But with the current setup, the saned user cannot access the scanner, since only the current console user and root can. It is not possible to tell xinetd that saned should be run as "the current console user". And in fact there might be no current console user at all.
Nor is it possible to tell xinetd that saned should be run as root, because this is just too bad from a security point of view.

What makes the matter worse is that putting the 45-libsane.rules from gutsy back in place does not help.

So, with the current consolekit thing, sane is not sane anymore, and can only be run from the console (a la Twain) and not as a server.

Please rethink console kit and scanners. Consolekit is a very desktop-centric thing, assuming that most pluggable peripherals should be owned by the person at the console. But this is generally not true of anything that can be shared on the network. Things that can be shared should be independent from the console user. Please go back to treating scanners with a dedicated system user or group owning them.

Sergio Callegari (callegar) wrote :

BTW, also note that if I have a machine with a scanner attached to it and 10 users that might sit at the console, there is a chance that I do not want to give all 10 the privilege to use the scanner. So, it is just nice to have a scanner group, where I can put the users allowed to use the scanner.

Sergio Callegari (callegar) wrote :

Please consider this bug to be (almost) fixed.

Following the instructions that I received on the hal mailing list, I have used polkit-gnome-authorisation to change the system behaviour, so that the ownership of the USB scanners is no longer given to the current console user, but to user "saned".

So this is not really a bug, since the behaviour can be configured.

However, please notice:

1) The default behaviour with regards to scanners is wrong. The default for scanners should be to have as users not just the current console user, but also user "saned", so that a scanner server can be set up.

2) Kubuntu should install polkit-gnome-authorisation by default (even better this should be made a desktop-system independent program to be installed by default in any flavour of ubuntu).

3) Policy kit should allow defining group authorisations and not just user authorisations.

Aleksandar Radovic (monte081) wrote :

Please do not consider this bug to be fixed. It is affecting server edition, and polkit-gnome-authorization is not a convenient configuration option on that platform.

James Westby (james-w) wrote :

Hi,

To me it seems like this bug would be fixed if the policy for the scanner was
changed to allow saned to access it explicitly, so that both console users and
the sane service can use the device, is this correct?

Thanks,

James

Martin Pitt (pitti) wrote :

Indeed this could be fixed by reintroducing the udev rules, so that the devices are accessible by *either* being on a local console, *or* being in the 'scanner' group (as in gutsy and earlier).

Changed in consolekit:
status: New → Invalid
Changed in sane-backends:
status: New → Confirmed
Jeff Kowalczyk (jfkw) wrote :

Could someone please describe and document the command-line version of the explicit grant needed so that 'scanimage|scanadf' works always for that user, even for an ssh into the machine or cron script?

Are the Ubuntu 8.04.1 /etc/udev/rules.d/45-libsane.rules a simple file-copy to install under 8.10?

If policykit is to be part of Ubuntu, then I presume the commands:

polkit-action
polkit-auth
polkit-config-file-validate
polkit-policy-file-validate

will be available on the server version as well.

Attached is a screenshot of what the user sees for granting on a default Ubuntu 8.04.1 to 8.10 upgraded desktop.

It appears that a grant must be made for each user, as groups are not available in the list for granting.

Perhaps polkit is an advantageous infrastructure decision, but it is a bit troubling that no documentation about the change in behavior is readily found in Google or Ubuntu Wiki searches. This is something that should be explicitly described to avoid surprising the user.

Chris Mohler (cr33dog) wrote :

I tried to work-around thusly:

sudo polkit-auth --user saned --grant org.freedesktop.hal.device-access.scanner

But no joy. The machine is headless and gnomeless, and I'd like to keep it that way. Any ideas?

Brian Candler (b-candler) wrote :

Appears to be no longer an issue in Ubuntu 12.04.

If I ssh to my box and try to access scanner from the shell (e.g. scanimage -L) the device is not accessible; but once I add myself to group 'scanner' and logout and back in again, it works fine.

There is clearly the correct ACL here.

$ ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 Oct 15 21:23 /dev/bus/usb/001/005

getfacl shows the user who is logged on at the console (which happens to be a different user), *and* group scanner.
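
The access decision behind the ACL described in the comment above, as an added example that is not part of the thread: it parses getfacl output and applies the POSIX ACL check order (owner, named user, matching groups under the mask, other). The sample output and the user name alice are constructed; only the scanner group and the device path come from the thread.

```python
# Constructed getfacl output for a USB scanner node; the named user stands in
# for whoever is logged in at the console ("alice" is a made-up name).
SAMPLE_GETFACL = """\
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:alice:rw-
group::rw-
group:scanner:rw-
mask::rw-
other::r--
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries) from getfacl's text output."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            meta[key] = value
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." note, then split tag:name:perms.
            tag, name, perms = line.split("#")[0].strip().split(":")[:3]
            entries.append((tag, name, set(perms[:3]) - {"-"}))
    return meta["owner"], meta["group"], entries

def can_access(text, user, groups, want="rw"):
    """Apply the POSIX ACL check order; root's capability bypass is not modelled."""
    owner, owning_group, entries = parse_getfacl(text)
    need = set(want)
    find = lambda tag, name: [p for t, n, p in entries if t == tag and n == name]
    mask = (find("mask", "") or [set("rwx")])[0]
    if user == owner:
        return need <= find("user", "")[0]       # owner entry ignores the mask
    if find("user", user):
        return need <= (find("user", user)[0] & mask)
    matched = [p for t, n, p in entries if t == "group"
               and (n or owning_group) in groups]
    if matched:                                   # any matching group may grant
        return any(need <= (p & mask) for p in matched)
    return need <= find("other", "")[0]
```

With this ACL a service account such as saned gets read-write access only through membership in the scanner group, independently of who holds the console entry.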

Rolf Leggewie (r0lf) wrote :

Brian, are you sure? I've ssh'd into a precise box today and cannot access the attached scanner as an ordinary user. Scanning being broken for so many years and differently in every release is really frustrating!

Night Train (nighttrain) wrote :

I also have a problem with the scanner after Precise Pangolin 12.04.

I have reported it here:
https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/1080787/comments/10
https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/1080787/comments/11

Is it the same problem?

Is it possible to correct this?

Thank you very much.

David Ward (dpward) wrote :
Changed in sane-backends (Ubuntu):
status: Confirmed → Fix Released