[Bug 236956] Re: sane devices should not be managed by consolekit

Brian Candler 236956 at bugs.launchpad.net
Mon Oct 15 20:26:02 UTC 2012 

Appears to be no longer an issue in ubuntu 12.04

If I ssh to my box and try to access scanner from the shell (e.g.
scanimage -L) the device is not accessible; but once I add myself to
group 'scanner' and logout and back in again, it works fine.

There is clearly the correct ACL here.

$ ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 Oct 15 21:23 /dev/bus/usb/001/005

getfacl shows the user who is logged on at the console (which happens to
be a different user), *and* group scanner.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to consolekit in Ubuntu.
https://bugs.launchpad.net/bugs/236956

Title:
  sane devices should not be managed by consolekit

Status in “consolekit” package in Ubuntu:
  Invalid
Status in “sane-backends” package in Ubuntu:
  Confirmed

Bug description:
  In hardy, USB scanners are managed differently than in previous
  releases of Ubuntu.

  Before hardy, there was a udev rules assigning to the "scanner" group
  all the usb devices that appeared to be scanners under comparison to
  the /etc/udev/rules.d/45-libsane.rules.

  Now, that file is no more, and the access to the usb scanners is
  controlled by HAL+Consolekit.

  The result is that only the user who is sitting at the console has
  permission to use the scanner, since the usb devices now get owned by
  root, with a special ACL allowing access to the console user.

  This is a very very wrong thing to do.

  The beauty of sane is that it can work over the network.  But with
  "hardy" it cannot anymore: there is no possibility to set up a scanner
  server.

  Saned is supposed to be run via xinetd as the saned user. But with the current setup, the saned user cannot access the scanner, since only the current console user and root can. It is not possible to tell xinetd that saned should be run as "the current console user". And in fact there might be no current console user at all.
  Nor it is possible to tell xinetd that saned should be run as root, because this is just too bad from a security point of view.

  What makes the matter worse is that putting the 45-libsane.rules from
  gutsy back in place does not help.

  So, with the current consolekit thing, sane is not sane anymore, and
  can only be run from the console (a la Twain) and not as a server.

  Please, rethink about console kit and scanners.  Consolekit is a very
  desktop-centric thing, assuming that most pluggable peripherals should
  be owned by the person at the console. But this is generally not true
  of anything that can be shared on the network. Things that can be
  shared should be independent from the console user. Please go back to
  treating scanners with a dedicated system user or group owning them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/consolekit/+bug/236956/+subscriptions

More information about the foundations-bugs mailing list