pam_console help needed: HPLIP permissions

David Zeuthen david at fubar.dk
Thu Aug 30 16:09:58 UTC 2007


On Thu, 2007-08-30 at 16:39 +0100, Tim Waugh wrote:
> Hi,
> 
> I think I need some help understanding how to make HPLIP devices get the
> right permissions now that pam_console will be going away.
> 
> The device nodes are (e.g.) /dev/bus/usb/001/001, and they are used for
> two things:

I'm answering these questions in reverse order

> 2. Scanning.  Console users need read/write access to the device node so
> that the 'hpaio' SANE backend provided by HPLIP can use them.

Just generate an fdi file like sane-backends does with the patch that I
got upstream

http://lists.alioth.debian.org/pipermail/sane-devel/2007-March/018763.html

the fdi file will need to reference all the USB IDs that the HPLIP SANE
user space drivers can drive. It'll look like this

<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="info.bus" string="usb">
      <match key="usb.vendor_id" int="<vendor_id>">
        <match key="usb.product_id" int="<product_id>">
          <append key="info.capabilities" type="strlist">scanner</append>
          <merge key="scanner.access_method" type="string">proprietary</merge>
        </match>
      </match>
      <!-- other models follow here -->
    </match>
  </device>
</deviceinfo>

Btw, I'm not sure our sane-backends package uses my patch I referenced
above; it probably should in favor of the udev rules / pam_console.

> 1. Printing.  The 'hp' CUPS backend provided by HPLIP needs read/write
> access.  It runs as user 'lp', group 'lp'.

For this I'd advise to just use the udev rule you already got; it's not
interesting in terms of ACLs as they will never vary (since CUPS does
its own access control) and we just need them since the hp CUPS backend
is architected in a way so it needs special permissions [1].

Just send me private mail if you have any questions. Thanks.

      David

[1] : which I suppose is unnecessary as cups already runs as root and
they could then just drop permissions in the backend process itself
after having opened the device node
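
Added example, not part of the message above and not code from HPLIP or the sane-backends patch: one way to generate the fdi file described in the reply from a list of USB ids, so that only validated 16-bit vendor/product pairs end up tagged as scanners. The names build_fdi and SAMPLE_IDS and the sample product ids are assumptions made for illustration, as is writing the ids in 0x-prefixed hex.

```python
# Added example: build a HAL .fdi file from a list of USB (vendor, product) ids.
import xml.etree.ElementTree as ET
from collections import defaultdict


def _usb_id(value):
    """Accept an int or a hex string such as '03f0'; reject anything outside 16 bits."""
    n = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"USB id out of range: {value!r}")
    return n


def build_fdi(usb_ids):
    """Return fdi XML tagging each (vendor, product) pair as a scanner."""
    by_vendor = defaultdict(set)
    for vendor, product in usb_ids:
        by_vendor[_usb_id(vendor)].add(_usb_id(product))  # set drops duplicates
    if not by_vendor:
        raise ValueError("refusing to write an fdi file that matches no device")

    root = ET.Element("deviceinfo", version="0.2")
    device = ET.SubElement(root, "device")
    bus = ET.SubElement(device, "match", key="info.bus", string="usb")
    for vendor in sorted(by_vendor):
        vmatch = ET.SubElement(bus, "match", key="usb.vendor_id",
                               int=f"0x{vendor:04x}")
        for product in sorted(by_vendor[vendor]):
            pmatch = ET.SubElement(vmatch, "match", key="usb.product_id",
                                   int=f"0x{product:04x}")
            cap = ET.SubElement(pmatch, "append", key="info.capabilities",
                                type="strlist")
            cap.text = "scanner"
            method = ET.SubElement(pmatch, "merge",
                                   key="scanner.access_method", type="string")
            method.text = "proprietary"
    ET.indent(root, space="  ")  # Python 3.9+
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


# Constructed sample list: 03f0 is the Hewlett-Packard USB vendor id, the
# product ids are placeholders and do not name real HPLIP models.
SAMPLE_IDS = [("03f0", "0001"), ("03f0", "0002"), (0x03F0, 0x0001)]

if __name__ == "__main__":
    print(build_fdi(SAMPLE_IDS), end="")
```
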



