Diary and notebook of whatever tech problems are irritating me at the moment.

20101003

Scanner Access Enabler

There is a problem with scanner device permissions on Ubuntu. Regular users (UID>999) can access libsane applications like Xsane and Simple Scan without problems. Linux Scanner Server, which is running in Apache as www-data, can't access them without a chmod o+rw on each scanner device. Nobody seems to know how the permissions work so this has to be fixed manually in a terminal. This is not n00b friendly so I created a GUI application that automatically changes the permissions of every scanner device.
The application relies on scanimage and sane-find-scanner utilities to identify scanner device ports then simply does a chmod against all of them. It supports USB, SCSI, and optionally parallel port (-p parameter) scanners and has been tested against the same ones I used for my LSS patch. It uses the same universal dialog code as webcam-server-dialog so it should work with almost any desktop environment.
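The discovery step described above can feed a narrower grant than chmod o+rw. The following is an added example, not the Scanner Access Enabler script: it parses sane-find-scanner output for USB and SCSI devices and prints setfacl commands for the www-data account only. The sample output is constructed, the function names are hypothetical, and using setfacl (acl package) in place of chmod is this example's assumption; like the chmod, the ACL is lost when the device node is recreated.

```shell
#!/bin/sh
# Added illustration; not the scanner-access-enabler script.
# Constructed sample of `sane-find-scanner -q` output (not from a real host).
SAMPLE_OUTPUT='found USB scanner (vendor=0x04a9 [Canon], product=0x2206 [CanoScan], chip=LM9832/3) at libusb:001:004
found SCSI scanner "HP C5110A 3701" at /dev/sg2
found USB scanner (vendor=0x03f0, product=0x0205) at libusb:002:011'

# Read sane-find-scanner output on stdin; print one device node per line.
# libusb:BBB:DDD maps to /dev/bus/usb/BBB/DDD; SCSI lines already name a node.
# Anything that does not match these two strict shapes is dropped.
scanner_nodes() {
    sed -n \
        -e 's|^found .* at libusb:\([0-9]\{3\}\):\([0-9]\{3\}\)$|/dev/bus/usb/\1/\2|p' \
        -e 's|^found .* at \(/dev/sg[0-9][0-9]*\)$|\1|p' | sort -u
}

# Print (never execute) one setfacl command per node on stdin, granting
# read/write to a single service account. Assumption: the acl package is
# installed and the account is www-data, as in the post.
acl_commands() {
    svc_user=$1
    while IFS= read -r node; do
        case $node in
            /dev/bus/usb/[0-9]*/[0-9]*|/dev/sg[0-9]*)
                printf 'setfacl -m u:%s:rw %s\n' "$svc_user" "$node" ;;
            *)
                printf 'skipped unexpected path: %s\n' "$node" >&2 ;;
        esac
    done
}

# Audit helper: list which of the nodes on stdin exist here and are already
# readable and writable by "other" (what chmod o+rw leaves behind).
world_rw_nodes() {
    while IFS= read -r node; do
        if [ -e "$node" ]; then find "$node" -prune -perm -006 -print; fi
    done
}

# Demo on the constructed sample. On a real host, replace the first command
# with: sane-find-scanner -q
printf '%s\n' "$SAMPLE_OUTPUT" | scanner_nodes | acl_commands www-data
```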
To install, first download the archive and extract the contents. Move the script to "/usr/local/bin/scanner-access-enabler" and set it for root:root ownership with rwxr-xr-x (0755) permissions. Copy the desktop menu entry to the /usr/local/share/applications directory with root:root ownership and rw-r--r-- (0644) permissions. You may have to edit the desktop file as it uses gksudo by default. On KDE you may want to change the Exec entry to use kdesudo instead. If you specify the -p option on the Exec line you may have to quote everything after gk/kdesudo. If you don't have one of the GUI dialoger utilities installed and plan on using dialog or whiptail then you need to set "Terminal=true" or else you won't see anything.
On Ubuntu the menu item will be found under System > Administration. If you want users to be able to activate scanners without a password and admin group membership, you can add an exception to the end of "/etc/sudoers" file. Simply run "sudo visudo" and enter the following:
# Allow any user to fix SCSI scanner port device permissions
ALL ALL=NOPASSWD: /usr/local/bin/scanner-access-enabler *
While you can use any editor as root to change the file, visudo checks for syntax errors before saving, as a mistake can disable sudo and prevent you from fixing it easily. If you mess it up, you can reboot and use Ubuntu recovery mode or a LiveCD to fix it.
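With the NOPASSWD rule above, any local user can run the script as root, so the ownership and mode from the install steps are what keep it from being replaced with something else. The following check is an added example, not part of Scanner Access Enabler; the function name check_root_only is hypothetical and it assumes GNU stat.

```shell
#!/bin/sh
# Added illustration; not part of scanner-access-enabler.
# check_root_only FILE WANT_MODE [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink) owned by OWNER_UID
# (default 0 = root) with exactly WANT_MODE, and its directory has the same
# owner and is not writable by group or other. Uses GNU stat, as on Ubuntu.
check_root_only() {
    target=$1; want_mode=$2; owner=${3:-0}
    dir=$(dirname "$target")
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL $target: missing, not a regular file, or a symlink"; return 1
    fi
    if [ "$(stat -c '%u' "$target")" != "$owner" ]; then
        echo "FAIL $target: owner uid is not $owner"; return 1
    fi
    if [ "$(stat -c '%a' "$target")" != "$want_mode" ]; then
        echo "FAIL $target: mode is $(stat -c '%a' "$target"), want $want_mode"; return 1
    fi
    if [ "$(stat -c '%u' "$dir")" != "$owner" ]; then
        echo "FAIL $dir: directory owner uid is not $owner"; return 1
    fi
    # A writable directory lets someone rename the script away and drop in
    # their own file, whatever the script's own mode says.
    case $(stat -c '%a' "$dir") in
        *[2367]?|*[2367])
            echo "FAIL $dir: directory is group- or world-writable"; return 1 ;;
    esac
    echo "OK   $target"
}

# Usage on an installed system (path and mode from the install steps):
#   check_root_only /usr/local/bin/scanner-access-enabler 755
# Run with arguments to check any other file, e.g. the desktop entry with 644.
if [ "$#" -ge 2 ]; then check_root_only "$@"; fi
```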
Update: I released v1.1 which adds filtering for "net:" devices from saned connections. This didn't affect the permission changes but made for a crowded dialog with both the raw and net devices shown.
Update: v1.2 adds a non-interactive/silent mode activated through a "-s" parameter.
Update 20120708: v1.3 cleaned up the code a bit but broke detection completely as I recently noticed.  I updated it to v1.4 which actually works now. :D

7 comments:

oiaohm said...

Really there was already 1 formal solution to this problem. Run saned.

http://www.sane-project.org/man/saned.8.html Then saned only has to be given permissions to the devices once.

scanimage supports connecting to saned for scanning.

With modern times really a dbus version of saned should be made. Granting multiple people access to raw devices is really asking for trouble.

This permission solution is the wrong solution.

jhansonxi said...

I haven't been able to get saned working correctly on Lucid.

Access for regular users is already correctly granted without my app but the mechanism that does so is not documented and I haven't been able to find any reference to it except that the scanner group was removed. Giving access to the www-data user would solve the problem for me but I can't figure out how through group memberships, policy kit, or the UDEV rules.

Giving raw access to scanner devices to everyone isn't much of a risk. There's not a whole lot they can or will do with them as my clients only use sane-based applications. If they managed to cause problems via the raw device I would be happy because it would indicate a far greater level of technical skill and understanding than they have demonstrated so far.

I don't care if dbus implementation is the best solution for scanner access through Apache. That may be tomorrow's solution but scanner-access-enabler is the one that works today. If someone comes up with a better one then I'll be happy to use that instead.

I'll play with saned some more and see if I can get it working.

jhansonxi said...

I got saned working. It was a minor network configuration problem but another network error message from saned in daemon.log made me think it was something else. It may indicate a bug of some sort but saned access between the test server and my workstation functions. The Mustek on the parallel port was not available remotely (a minor issue).

While Xsane on the workstation could access the SCSI and USB scanners, the problem still exists for www-data. When I connected to LSS, it could only find the Mustek, probably because it is hard-set in the mustek_pp.conf file. When I used SAE to change the device permission both LSS and Xsane on the server detected all of the scanners twice - both the raw devices and the net devices through saned.

In short - saned doesn't solve the problem on Lucid. Maybe Ubuntu 10.10 (Maverick Meerkat) will work better.

oiaohm said...

Oh boy, from what you are describing, saned system-wide permissions are stuffed as well.

I.e. the detection twice when you run your script. Says the user saned was running as could not access the scanners either.

www-data can be prevented from accessing saned by LSM as well. In Ubuntu's case, AppArmor.

Basically, by the sound of it, Ubuntu needs a major "set saned up correctly" script.

I was not thinking for one second that saned was setup incorrectly.

Mike said...

I just noticed something unexpected:

My scanner would operate locally.

It would operate remotely, one-shot with saned from cmdline on the server.

With inetd, no dice, no remote.

So I began checking device permissions,
and set up udev rules for the scanner.

Still no remote.

Then noticed all USB devices are under "root:vboxusers" with group rw!

My udev rules were at 45, the vbox rules at 10, so mine never were enforced?

All I had to do is add "saned" to the "vboxusers" group and it works remotely via inetd!

I still don't know why it worked locally.

Hmmm.

Tineo-kun said...

I would like to install it on an Ubuntu server, but it doesn't work.

Please help.

jhansonxi said...

@Tineo-kun:
The script needs execute permission and /etc/sudoers needs to be configured properly. Do you have scanimage installed? Does it report an error?
