Hi,
I think I need some help understanding how to make HPLIP devices get the right permissions now that pam_console will be going away.
The device nodes are (e.g.) /dev/bus/usb/001/001, and they are used for two things:
1. Printing. The 'hp' CUPS backend provided by HPLIP needs read/write access. It runs as user 'lp', group 'lp'.
2. Scanning. Console users need read/write access to the device node so that the 'hpaio' SANE backend provided by HPLIP can use them.
Currently I have a udev rule, provided by the hplip package, to set the group ownership to 'lp' and give group read/write permissions. Then, I have made pam_console give 'the console user' ownership and read/write permissions, keeping group read/write permissions.
The way I think I want it to work is for ConsoleKit to add console users to the ACL for the device node. But how do I do that, and how does that interact with udev?
Thanks,
Tim.
On Thu, 2007-08-30 at 16:39 +0100, Tim Waugh wrote:
> Hi,
> I think I need some help understanding how to make HPLIP devices get the right permissions now that pam_console will be going away.
> The device nodes are (e.g.) /dev/bus/usb/001/001, and they are used for two things:
I'm answering these questions in reverse order.
> - Scanning. Console users need read/write access to the device node so
> that the 'hpaio' SANE backend provided by HPLIP can use them.
Just generate a fdi file like sane-backends does with the patch that I got upstream
http://lists.alioth.debian.org/pipermail/sane-devel/2007-March/018763.html
The fdi file will need to reference all the USB IDs that the HPLIP SANE user space drivers can drive. It'll look like this:
    <?xml version="1.0" encoding="UTF-8"?>
    <deviceinfo version="0.2">
      <device>
        <match key="info.bus" string="usb">
          <match key="usb.vendor_id" int="<vendor_id>">
            <match key="usb.product_id" int="<product_id>">
              <append key="info.capabilities" type="strlist">scanner</append>
              <merge key="scanner.access_method" type="string">proprietary</merge>
            </match>
          </match>
          <!-- other models follow here -->
        </match>
      </device>
    </deviceinfo>
Btw, I'm not sure our sane-backends package uses my patch I referenced above; it probably should in favor of the udev rules / pam_console.
> - Printing. The 'hp' CUPS backend provided by HPLIP needs read/write
> access. It runs as user 'lp', group 'lp'.
For this I'd advise to just use the udev rule you already got; it's not interesting in terms of ACLs as they will never vary (since CUPS does its own access control) and we just need them since the hp CUPS backend is architected in a way so it needs special permissions [1].
Just send me private mail if you have any questions. Thanks.
David
[1] : which I suppose is unnecessary as cups already runs as root and they could then just drop permissions in the backend process itself after having opened the device node
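Footnote [1] above describes a backend that opens the device node while still root and then drops privileges. A sketch of that pattern in C, as an added example that is not HPLIP or CUPS code: the function names are hypothetical, and the default node path and the 'lp' account are the ones named in this thread.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() */
#endif
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently become uid/gid. Supplementary groups and gid go first,
 * while the process still has the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* clear root's groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Open the node while privileged, then drop; the descriptor stays usable. */
int open_then_drop(const char *node, uid_t uid, gid_t gid)
{
    int fd = open(node, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);  /* never keep the device open while still privileged */
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *node = argc > 1 ? argv[1] : "/dev/bus/usb/001/001";
    struct passwd *pw = getpwnam("lp");   /* account named in the thread */
    int fd = pw ? open_then_drop(node, pw->pw_uid, pw->pw_gid) : -1;
    if (fd < 0) { fprintf(stderr, "cannot open %s as lp\n", node); return 1; }
    printf("fd %d held as uid %d gid %d\n", fd, (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

With this ordering the node can stay root-only on disk, because the permission check happens at open() and the already-open descriptor survives the switch to 'lp'.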
On Thu, 2007-08-30 at 12:09 -0400, David Zeuthen wrote:
> Just generate a fdi file like sane-backends does with the patch that I got upstream
> http://lists.alioth.debian.org/pipermail/sane-devel/2007-March/018763.html
I can't get this to work. I tried this file, to test:
    <?xml version="1.0" encoding="UTF-8"?>
    <deviceinfo version="0.2">
      <device>
        <match key="info.bus" string="usb">
          <match key="usb.vendor_id" int="0x03f0">
            <match key="usb.product_id" int="0x3304">
              <append key="info.capabilities" type="strlist">scanner</append>
              <merge key="scanner.access_method" type="string">proprietary</merge>
            </match>
          </match>
          <!-- other models follow here -->
        </match>
      </device>
    </deviceinfo>
as 10-hplip-scanner.fdi, but when I connect the device lshal shows me this:
    udi = '/org/freedesktop/Hal/devices/usb_device_ffffffff_ffffffff_noserial'
      info.bus = 'usb' (string)
      info.linux.driver = 'usblp' (string)
      info.parent = '/org/freedesktop/Hal/devices/usb_device_3f0_3304_US05XXX00XLG' (string)
      info.product = 'USB Interface' (string)
      info.subsystem = 'usb' (string)
      info.udi = '/org/freedesktop/Hal/devices/usb_device_ffffffff_ffffffff_noserial' (string)
      linux.hotplug_type = 2 (0x2) (int)
      linux.subsystem = 'usb' (string)
      linux.sysfs_path = '/sys/devices/pci0000:00/0000:00:07.2/usb1/1-2/1-2.1/1-2.1:1.0' (string)
      usb.bus_number = 1 (0x1) (int)
      usb.can_wake_up = false (bool)
      usb.configuration_value = 1 (0x1) (int)
      usb.device_class = 0 (0x0) (int)
      usb.device_protocol = 0 (0x0) (int)
      usb.device_revision_bcd = 256 (0x100) (int)
      usb.device_subclass = 0 (0x0) (int)
      usb.is_self_powered = true (bool)
      usb.linux.device_number = 22 (0x16) (int)
      usb.linux.sysfs_path = '/sys/devices/pci0000:00/0000:00:07.2/usb1/1-2/1-2.1/1-2.1:1.0' (string)
      usb.max_power = 2 (0x2) (int)
      usb.num_configurations = 1 (0x1) (int)
      usb.num_interfaces = 1 (0x1) (int)
      usb.num_ports = 0 (0x0) (int)
      usb.product = 'USB Interface' (string)
      usb.product_id = 13060 (0x3304) (int)
      usb.serial = 'US05XXX00XLG' (string)
      usb.speed = 12.0 (12) (double)
      usb.speed_bcd = 4608 (0x1200) (int)
      usb.vendor = 'Hewlett-Packard' (string)
      usb.vendor_id = 1008 (0x3f0) (int)
      usb.version = 1.1 (1.1) (double)
      usb.version_bcd = 272 (0x110) (int)
It's the only device in the lshal output that has usb.product_id == 0x3304. 'lshal|grep scanner' gives no output.
> For this I'd advise to just use the udev rule you already got; it's not interesting in terms of ACLs as they will never vary (since CUPS does its own access control) and we just need them since the hp CUPS backend is architected in a way so it needs special permissions [1].
> [...]
> [1] : which I suppose is unnecessary as cups already runs as root and they could then just drop permissions in the backend process itself after having opened the device node
It is much better to get the permissions set correctly on the USB device node from an SELinux policy point of view.
Tim.