[wellylug] Scanner permissions

Jethro Carr jethro.carr at jethrocarr.com
Mon Sep 15 21:00:42 NZST 2008


On Mon, 2008-09-15 at 20:40 +1200, Jethro Carr wrote:
> On Mon, 2008-09-15 at 20:20 +1200, Alastair Porter wrote:
> > Note that using setuid is potentially a security risk - if there is a
> > vulnerability in `scanimage`, it would effectively be run as root.
> 
> yup, this is a good point to mention.
> 
> > You should be able to give www-data access to the scanner device.  You
> > can do this either by giving the device a special group and adding the
> > user to this group, or set o+rw on the device.
> > Since you're using Ubuntu, you should be able to create a udev rule to
> > set most of this up when you plug the scanner in.  I would start by
> > plugging it in and running `dmesg` and inspecting the output to see if
> > you can work out what device the scanner is allocated.  Let us know if
> > you can work out what the device is, and also what the output of ls -l
> > on that device is.
> 
> As far as I'm aware, USB scanners do not create a device node - they are
> like ethernet cards in that respect.
> 
> However, reading online it does appear you can configure udev to set the
> permissions for the scanners.
> 
> 
> Looking in the files for my CentOS 4 system:
> 
> /etc/udev/permissions.d/50-udev.permissions
> ---
> # scanner devices
> scanner:root:root:0600
> usb/scanner*:root:root:0600
> ---
> 
> I suspect that changing this should sort your problem out. :-)

ok, I can confirm that this udev configuration fixes the permissions.

I fixed mine by creating /etc/udev/permissions.d/10-customperms and
creating a scan group.

cat >> /etc/udev/permissions.d/10-customperms << "EOF"
scanner:root:scan:0660
usb/scanner*:root:scan:0660
EOF

groupadd scan
usermod -aG scan apache


For newer udev users (e.g. Ubuntu 8.04) you will need to look
in /etc/udev/rules.d/ to find your scanner rule line and make the
suitable changes.


Alastair: thanks for pointing out that scanners can be configured via
udev. :-)

I think I'll update the documentation for openpsfc with new udev
configuration information.


-- 
Jethro Carr
www.jethrocarr.com/index.php?cms=blog
www.amberdms.com
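
Added example, not part of the original message or of openpsfc: a POSIX shell check over permissions.d-style entries (name:owner:group:mode, as in the lines quoted in the message) that tells the dedicated-group approach apart from o+rw. The verdict names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify udev permissions.d entries (name:owner:group:mode)
# by who can open the matching device. Verdict names are this example's own.

classify_entry() {
    case $1 in
        ''|'#'*) echo skip; return 0 ;;
    esac
    # IFS=: splits the fields; read does no glob expansion on "usb/scanner*".
    IFS=: read -r pattern owner group mode extra <<ENTRY
$1
ENTRY
    case $mode in
        ''|*[!0-7]*) echo malformed; return 0 ;;
    esac
    if [ -n "$extra" ] || [ "${#mode}" -lt 3 ]; then
        echo malformed; return 0
    fi
    rest=${mode%?}
    other_bits=${mode#"$rest"}          # last octal digit: everyone else
    group_bits=${rest#"${rest%?}"}      # second-to-last digit: the group
    if [ $(( $other_bits & 6 )) -ne 0 ]; then
        echo world-accessible           # the o+rw option: any local account
    elif [ $(( $group_bits & 6 )) -ne 0 ] && [ "$group" != root ]; then
        echo group-scoped               # only members of a dedicated group
    else
        echo root-only
    fi
}

# Read entries on stdin and print a verdict beside each non-comment line.
audit_entries() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        verdict=$(classify_entry "$entry")
        if [ "$verdict" != skip ]; then
            printf '%-17s %s\n' "$verdict" "$entry"
        fi
    done
}

# Constructed sample: the stock and scan-group lines from the message, plus
# an o+rw variant and a line with a missing field for contrast.
audit_entries <<'EOF'
# scanner devices
scanner:root:root:0600
usb/scanner*:root:scan:0660
usb/scanner*:root:root:0666
scanner:root:scan
EOF
```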