Patch: add ACL for parallel printer and scanner

Patch: add ACL for parallel printer and scanner

[Frederic Crozat]

[-- Attachment #1: Type: text/plain, Size: 274 bytes --]

Hi all,

we are getting a lot of bug reports from users with parallel scanners
which are not able to using xsane when not running as root.

I suggest to apply attached patch to add ACL to parallel port to fix
this issue.

-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

[-- Attachment #2: Type: text/x-patch, Size: 1110 bytes --]

From 72a672a407a099b0981dbb13365b4e4bd6001e5c Mon Sep 17 00:00:00 2001
From: Frederic Crozat <fcrozat@mandriva.com>
Date: Wed, 7 Oct 2009 10:26:00 +0200
Subject: [PATCH] add ACL for parallel printer and scanner

---
 extras/udev-acl/70-acl.rules |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/extras/udev-acl/70-acl.rules b/extras/udev-acl/70-acl.rules
index 8259a7a..ae31c68 100644
--- a/extras/udev-acl/70-acl.rules
+++ b/extras/udev-acl/70-acl.rules
@@ -11,6 +11,13 @@ SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", ENV{ACL_MANAGE}="1"
 # digicams with proprietary protocol
 ENV{ID_GPHOTO2}=="*?", ENV{ACL_MANAGE}="1"
 
+# parallel printer and scanner
+KERNEL=="parport[0-9]*",  ENV{ACL_MANAGE}="1"
+SUBSYSTEM=="printer", KERNEL=="lp*", ENV{ACL_MANAGE}="1"
+SUBSYSTEM=="ppdev", ENV{ACL_MANAGE}="1"
+KERNEL=="lp[0-9]*", ENV{ACL_MANAGE}="1"
+KERNEL=="irlpt[0-9]*", ENV{ACL_MANAGE}="1"
+
 # SCSI scanners
 KERNEL=="sg[0-9]*", ATTRS{type}=="6", ENV{ACL_MANAGE}="1"
 KERNEL=="sg[0-9]*", ATTRS{type}=="3", ATTRS{vendor}=="HP|EPSON|Epson", ENV{ACL_MANAGE}="1"
-- 
1.6.4.4

Re: Patch: add ACL for parallel printer and scanner

[Kay Sievers]

On Wed, Oct 7, 2009 at 10:38, Frederic Crozat <fcrozat@mandriva.com> wrote:
> we are getting a lot of bug reports from users with parallel scanners
> which are not able to using xsane when not running as root.
>
> I suggest to apply attached patch to add ACL to parallel port to fix
> this issue.

This grants access to any device connected, to the parallel port, and
is not limited to printers or scanners, right?
  KERNEL="parport[0-9]*",  ENV{ACL_MANAGE}="1"

Not sure if that is what we want that by default?

Kay

Re: Patch: add ACL for parallel printer and scanner

[Frederic Crozat]

Le mercredi 07 octobre 2009 à 13:13 +0200, Kay Sievers a écrit :
> On Wed, Oct 7, 2009 at 10:38, Frederic Crozat <fcrozat@mandriva.com> wrote:
> > we are getting a lot of bug reports from users with parallel scanners
> > which are not able to using xsane when not running as root.
> >
> > I suggest to apply attached patch to add ACL to parallel port to fix
> > this issue.
> 
> This grants access to any device connected, to the parallel port, and
> is not limited to printers or scanners, right?
>   KERNEL="parport[0-9]*",  ENV{ACL_MANAGE}="1"

Yes, since there is no possible autodetection on it.
> 
> Not sure if that is what we want that by default?

Well, we need to set ACL on parallel port for scanners (not sure it is
really needed for printers).

-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: Patch: add ACL for parallel printer and scanner

[Martin Pitt]

Frederic Crozat [2009-10-07 18:31 +0200]:
> > This grants access to any device connected, to the parallel port, and
> > is not limited to printers or scanners, right?
> >   KERNEL="parport[0-9]*",  ENV{ACL_MANAGE}="1"
> 
> Yes, since there is no possible autodetection on it.

Parallel printers also use those devices, though (even though cups
usually talks through the lp module to them, through /dev/lpN). So far
we didn't give users access to printer devices, mostly because
cups should be the only thing which talks to them, to (1) avoid access
conflicts, and (2) avoid tampering printers and other users' print
jobs.

> Well, we need to set ACL on parallel port for scanners (not sure it is
> really needed for printers).

I'd really like to avoid it for printers, see above.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

Re: Patch: add ACL for parallel printer and scanner

[Frederic Crozat]

Le mercredi 07 octobre 2009 à 18:59 +0200, Martin Pitt a écrit :
> Frederic Crozat [2009-10-07 18:31 +0200]:
> > > This grants access to any device connected, to the parallel port, and
> > > is not limited to printers or scanners, right?
> > >   KERNEL="parport[0-9]*",  ENV{ACL_MANAGE}="1"
> > 
> > Yes, since there is no possible autodetection on it.
> 
> Parallel printers also use those devices, though (even though cups
> usually talks through the lp module to them, through /dev/lpN). So far
> we didn't give users access to printer devices, mostly because
> cups should be the only thing which talks to them, to (1) avoid access
> conflicts, and (2) avoid tampering printers and other users' print
> jobs.
> 
> > Well, we need to set ACL on parallel port for scanners (not sure it is
> > really needed for printers).
> 
> I'd really like to avoid it for printers, see above.

As far as I know, there is no way to detect the device plugged on a
parallel port, so I don't see how we could allow only access for scanner
and not for printer (unless we move the ACL to sane package but it isn't
a real protection).

-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: Patch: add ACL for parallel printer and scanner

[Karl O. Pinc]

On 10/07/2009 12:40:25 PM, Frederic Crozat wrote:
> Le mercredi 07 octobre 2009 à 18:59 +0200, Martin Pitt a écrit :
> > Frederic Crozat [2009-10-07 18:31 +0200]:
> > > > This grants access to any device connected, to the parallel
> port, and
> > > > is not limited to printers or scanners, right?
> > > >   KERNEL="parport[0-9]*",  ENV{ACL_MANAGE}="1"
> > > 
> > > Yes, since there is no possible autodetection on it.

> > I'd really like to avoid it for printers, see above.
> 
> As far as I know, there is no way to detect the device plugged on a
> parallel port, so I don't see how we could allow only access for
> scanner
> and not for printer (unless we move the ACL to sane package but it
> isn't
> a real protection).

I have a stupid idea, firmly grounded in ignorance
and grown in the hothouse of klugery.  Take it
for what it's worth.

If you wrote a kernel driver/module
that does nothing but read a config file and create a
"dummy" device node (for detection by KERNEL=foo) based on 
the parallel scanner connectivity information in a config 
file then udev could set device permissions that are appropriate
for the scanner while leaving printer parallel ports alone.
The config file would specify which parallel port is plugged
into the scanner, default to parport0, and be installed
along with the kernel module only when the sane 
"parallel-scanner" application package is installed.

I know nothing about parallel scanners but perhaps
there is some way that the "driver" could probe the parallel
ports to autodetect -- printers do not normally respond
to commands and send a lot of data to the CPU over the
parallel port.

This would reduce the end-user's problem to installing
a package supporting parallel scanners.

Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein