saned and root question

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

saned and root question

ToddAndMargo
Hi All,

Okay, now this is "scary".

Both xsane and Simple Scan work locally.

I can not get saned to work, UNLESS, I edit /etc/group
and add the following to root

root:x:0:saned

Without it, I get

$ xsane net:localhost:epkowa:interpreter:001:007
Access to resource has been denied

Now what am I doing wrong?  Must saned have root privileges?
CUPS doesn't need it.

Many thanks,
-T
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: saned and root question

ToddAndMargo
On 03/09/2018 07:16 PM, ToddAndMargo wrote:

> Hi All,
>
> Okay, now this is "scary".
>
> Both xsane and Simple Scan work locally.
>
> I can not get saned to work, UNLESS, I edit /etc/group
> and add the following to root
>
> root:x:0:saned
>
> Without it, I get
>
> $ xsane net:localhost:epkowa:interpreter:001:007
> Access to resource has been denied
>
> Now what am I doing wrong?  Must saned have root privileges?
> CUPS doesn't need it.
>
> Many thanks,
> -T

ooops, sorry:

Fedora 27, x64
Xfce 4.12

$ rpm -qa \*sane\*
kf5-libksane-17.12.1-1.fc27.x86_64
xsane-common-0.999-23.fc27.x86_64
sane-backends-libs-1.0.27-12.fc27.i686
sane-backends-drivers-cameras-1.0.27-12.fc27.x86_64
sane-backends-1.0.27-12.fc27.x86_64
xsane-0.999-23.fc27.x86_64
sane-backends-drivers-scanners-1.0.27-12.fc27.x86_64
sane-backends-drivers-cameras-1.0.27-12.fc27.i686
sane-backends-drivers-scanners-1.0.27-12.fc27.i686
sane-backends-daemon-1.0.27-12.fc27.x86_64
sane-backends-libs-1.0.27-12.fc27.x86_64
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: saned and root question

ToddAndMargo
On 03/09/2018 07:19 PM, ToddAndMargo wrote:

> On 03/09/2018 07:16 PM, ToddAndMargo wrote:
>> Hi All,
>>
>> Okay, now this is "scary".
>>
>> Both xsane and Simple Scan work locally.
>>
>> I can not get saned to work, UNLESS, I edit /etc/group
>> and add the following to root
>>
>> root:x:0:saned
>>
>> Without it, I get
>>
>> $ xsane net:localhost:epkowa:interpreter:001:007
>> Access to resource has been denied
>>
>> Now what am I doing wrong?  Must saned have root privileges?
>> CUPS doesn't need it.
>>
>> Many thanks,
>> -T
>
> ooops, sorry:
>
> Fedora 27, x64
> Xfce 4.12
>
> $ rpm -qa \*sane\*
> kf5-libksane-17.12.1-1.fc27.x86_64
> xsane-common-0.999-23.fc27.x86_64
> sane-backends-libs-1.0.27-12.fc27.i686
> sane-backends-drivers-cameras-1.0.27-12.fc27.x86_64
> sane-backends-1.0.27-12.fc27.x86_64
> xsane-0.999-23.fc27.x86_64
> sane-backends-drivers-scanners-1.0.27-12.fc27.x86_64
> sane-backends-drivers-cameras-1.0.27-12.fc27.i686
> sane-backends-drivers-scanners-1.0.27-12.fc27.i686
> sane-backends-daemon-1.0.27-12.fc27.x86_64


I just caught this:

$ ps -eo pid,user,group,args --sort user | grep cups
  5005 root     root     /usr/sbin/cupsd -l

CUPS "is" running as root.  So is it okay to add
saned to root's group?



_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: saned and root question

Stephen Morris
On 10/3/18 4:00 pm, ToddAndMargo wrote:

> On 03/09/2018 07:19 PM, ToddAndMargo wrote:
>> On 03/09/2018 07:16 PM, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> Okay, now this is "scary".
>>>
>>> Both xsane and Simple Scan work locally.
>>>
>>> I can not get saned to work, UNLESS, I edit /etc/group
>>> and add the following to root
>>>
>>> root:x:0:saned
>>>
>>> Without it, I get
>>>
>>> $ xsane net:localhost:epkowa:interpreter:001:007
>>> Access to resource has been denied
>>>
>>> Now what am I doing wrong?  Must saned have root privileges?
>>> CUPS doesn't need it.
>>>
>>> Many thanks,
>>> -T
>>
>> ooops, sorry:
>>
>> Fedora 27, x64
>> Xfce 4.12
>>
>> $ rpm -qa \*sane\*
>> kf5-libksane-17.12.1-1.fc27.x86_64
>> xsane-common-0.999-23.fc27.x86_64
>> sane-backends-libs-1.0.27-12.fc27.i686
>> sane-backends-drivers-cameras-1.0.27-12.fc27.x86_64
>> sane-backends-1.0.27-12.fc27.x86_64
>> xsane-0.999-23.fc27.x86_64
>> sane-backends-drivers-scanners-1.0.27-12.fc27.x86_64
>> sane-backends-drivers-cameras-1.0.27-12.fc27.i686
>> sane-backends-drivers-scanners-1.0.27-12.fc27.i686
>> sane-backends-daemon-1.0.27-12.fc27.x86_64
>
>
> I just caught this:
>
> $ ps -eo pid,user,group,args --sort user | grep cups
>  5005 root     root     /usr/sbin/cupsd -l
>
> CUPS "is" running as root.  So is it okay to add
> saned to root's group?
>
I have a network scanner that I have installed an Epson driver for,
which until I did, Xsane would not work with the scanner. I also thought
Xsane used sane as its backend. How are you trying to use saned?

In my /etc/group I have an entry for saned, but like your original
entry, I don't have anything connected to group root.


regards,

Steve


>
>
> _______________________________________________
> users mailing list -- [hidden email]
> To unsubscribe send an email to [hidden email]
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: saned and root question

ToddAndMargo
On 03/09/2018 09:33 PM, Stephen Morris wrote:

> I have a network scanner that I have installed an Epson driver for,
> which until I did, Xsane would not work with the scanner. I also thought
> Xsane used sane as its backend. How are you trying to use saned?
>
> In my /etc/group I have an entry for saned, but like your original
> entry, I don't have anything connected to group root.
>
>
> regards,
>
> Steve

Hi Steve,

I am using an Epson V300 scanner too.  I also
installed the RPM from Epson.

sane has a font end and a back end.  I can use xscan
and simple scan on the local machine directly without
issue.  Both are using the front end.

The back end is how you use sane over the network.
It requires a saned.socket and a saned@.service,
as well as special configurations in /etc/sane.d
(saned.conf, net.conf).  And a bunch of other stuff
as well.

I am trying to get PDF Studio to use sane's back end.
PDF Studio only uses the back end:  port 6566 TCP.

Since xsane can be asked to use the back end as well,
I can test this using `xsane net:localhost`.  Without
the entry in question in /etc/group, I get "permission denied"
and PDF Studio says "no sane devices configured".

If `xsane net:localhost` to work, PDF Studios also works.

I am writing up a Fedora 27 how to on all this.  I have been
at it since November.  The documentation out there is
terrible.  Most How To's leave YUGE chunks off, leaving
you doing a lot of guessing.

This security issue is the last item before I tie it up
and send it to sane for possible publication in their
How To's.  Maybe Fedora has a place for that too, I don't
know of one.

Giving someone access to root like this gives me the
creeps.  But, then again, CUPS runs as root, so ...

-T



_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

[solved] Re: saned and root question

ToddAndMargo
In reply to this post by ToddAndMargo
On 03/09/2018 07:16 PM, ToddAndMargo wrote:

> Hi All,
>
> Okay, now this is "scary".
>
> Both xsane and Simple Scan work locally.
>
> I can not get saned to work, UNLESS, I edit /etc/group
> and add the following to root
>
> root:x:0:saned
>
> Without it, I get
>
> $ xsane net:localhost:epkowa:interpreter:001:007
> Access to resource has been denied
>
> Now what am I doing wrong?  Must saned have root privileges?
> CUPS doesn't need it.
>
> Many thanks,
> -T

Followup:

To correct this, add

# /usr/lib/udev/rules.d/70-saned.rules
ACTION=="add", ENV{libsane_matched}=="yes", GROUP="saned", MODE="0660"

to

/usr/lib/udev/rules.d/65-sane-backends.rules

I just opened
https://bugzilla.redhat.com/show_bug.cgi?id=1554032

to fix this.


I have been troubleshooting this since November
<Editorial comment> AAAAAAHHHHHHHHHHHHHHHHHHHHH!!!!! </editorial comment>

-T

A fun command:

# rpm -qf /usr/lib/udev/rules.d/65-sane-backends.rules
sane-backends-1.0.27-12.fc27.x86_64

_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [solved] Re: saned and root question

ToddAndMargo
On 03/10/2018 01:04 PM, ToddAndMargo wrote:

> On 03/09/2018 07:16 PM, ToddAndMargo wrote:
>> Hi All,
>>
>> Okay, now this is "scary".
>>
>> Both xsane and Simple Scan work locally.
>>
>> I can not get saned to work, UNLESS, I edit /etc/group
>> and add the following to root
>>
>> root:x:0:saned
>>
>> Without it, I get
>>
>> $ xsane net:localhost:epkowa:interpreter:001:007
>> Access to resource has been denied
>>
>> Now what am I doing wrong?  Must saned have root privileges?
>> CUPS doesn't need it.
>>
>> Many thanks,
>> -T
>
> Followup:
>
> To correct this, add
>
> # /usr/lib/udev/rules.d/70-saned.rules
> ACTION=="add", ENV{libsane_matched}=="yes", GROUP="saned", MODE="0660"
>
> to
>
> /usr/lib/udev/rules.d/65-sane-backends.rules
>
> I just opened
> https://bugzilla.redhat.com/show_bug.cgi?id=1554032
>
> to fix this.
>
>
> I have been troubleshooting this since November
> <Editorial comment> AAAAAAHHHHHHHHHHHHHHHHHHHHH!!!!! </editorial comment>
>
> -T
>
> A fun command:
>
> # rpm -qf /usr/lib/udev/rules.d/65-sane-backends.rules
> sane-backends-1.0.27-12.fc27.x86_64
>


Note: you have to reboot to get this to take:

$ scanimage -L
device `epkowa:interpreter:001:003' is a Epson Perfection V300 flatbed
scanner
device `net:localhost:epkowa:interpreter:001:003' is a Epson Perfection
V300 flatbed scanner

$ xsane net:localhost
worked

Unplugging and replugging the scanner:
$ scanimage -L
device `epkowa:interpreter:001:008' is a Epson Perfection V300 flatbed
scanner
device `net:localhost:epkowa:interpreter:001:008' is a Epson Perfection
V300 flatbed scanner

$ xsane net:localhost
worked


--
~~~~~~~~~~~~~~~~~~~~~~~~
Yesterday it worked.
Today it is not working.
Windows is like that.
~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [solved] Re: saned and root question

Stephen Morris
On 11/3/18 8:31 am, ToddAndMargo wrote:

> On 03/10/2018 01:04 PM, ToddAndMargo wrote:
>> On 03/09/2018 07:16 PM, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> Okay, now this is "scary".
>>>
>>> Both xsane and Simple Scan work locally.
>>>
>>> I can not get saned to work, UNLESS, I edit /etc/group
>>> and add the following to root
>>>
>>> root:x:0:saned
>>>
>>> Without it, I get
>>>
>>> $ xsane net:localhost:epkowa:interpreter:001:007
>>> Access to resource has been denied
>>>
>>> Now what am I doing wrong?  Must saned have root privileges?
>>> CUPS doesn't need it.
>>>
>>> Many thanks,
>>> -T
>>
>> Followup:
>>
>> To correct this, add
>>
>> # /usr/lib/udev/rules.d/70-saned.rules
>> ACTION=="add", ENV{libsane_matched}=="yes", GROUP="saned", MODE="0660"
>>
>> to
>>
>> /usr/lib/udev/rules.d/65-sane-backends.rules
>>
>> I just opened
>> https://bugzilla.redhat.com/show_bug.cgi?id=1554032
>>
>> to fix this.
>>
>>
>> I have been troubleshooting this since November
>> <Editorial comment> AAAAAAHHHHHHHHHHHHHHHHHHHHH!!!!! </editorial
>> comment>
>>
>> -T
>>
>> A fun command:
>>
>> # rpm -qf /usr/lib/udev/rules.d/65-sane-backends.rules
>> sane-backends-1.0.27-12.fc27.x86_64
>>
>
>
> Note: you have to reboot to get this to take:
>
> $ scanimage -L
> device `epkowa:interpreter:001:003' is a Epson Perfection V300 flatbed
> scanner
> device `net:localhost:epkowa:interpreter:001:003' is a Epson
> Perfection V300 flatbed scanner
>
> $ xsane net:localhost
> worked
>
> Unplugging and replugging the scanner:
> $ scanimage -L
> device `epkowa:interpreter:001:008' is a Epson Perfection V300 flatbed
> scanner
> device `net:localhost:epkowa:interpreter:001:008' is a Epson
> Perfection V300 flatbed scanner
>
> $ xsane net:localhost
> worked
>
In my situation I have not put any entries in /usr/lib/udev/rules.d to
get the scanner on the multi-function device working over the network (I
have an Epson Expression ET 3700 continuous flow ink device).

My first step in getting the scanner working was to look at
/etc/sane.d/epson.conf and /etc/sane.d/epsonds.conf
(/etc/sane.d/epson2.conf seems to be for usb connected devices). These 2
conf files have 'net autodiscovery' already specified, but that was not
enough to detect the scanner and neither was adding 'net <ip-address>'
(the ip address of the device as set on the device).

Having already downloaded the printer driver for cups I went to the same
site and downloaded Epson's Imagescan package and installed it. That
package installs 2 conf files /etc/imagescan/combo.conf and
/etc/imagescan/imagescan.conf and a scanning tool called Imagescan. This
installation was still not enough to get the scanner working with
Imagescan. To get it working I had to uncomment the 3 device statements
(I think they were commented), change to model entry to my device name
and change the ip address to the address I set my device to.

Having done these changes Imagescan was able to find the device and
after a reboot (I didn't try Xsane until several days later) so did
Xsane. To test Xsane I don't have to unplug the device from the ethernet
connection to the router, just turning the power on and off on the
device is enough to test Xsane's ability to see the device.


Scanimage -L gives me the following output:


scanimage -L
device `imagescan:esci:networkscan://192.168.1.20:1865' is a Epson ET-3700


xsane (without any parameters)

worked


xsane (with the device powered off)

'No devices found'


xsane (with the device powered back on)

worked


My setup is a bit different to yours, from your output it looks like you
have the scanner connected to your computer via usb and you are trying
to share that over the network, whereas in my case my device is actually
network connected and I am trying to get the multiple computers and
Android devices talking to it.


regards,

Steve

_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [solved] Re: saned and root question

Stephen Morris
On 11/3/18 10:15 am, Stephen Morris wrote:

> On 11/3/18 8:31 am, ToddAndMargo wrote:
>> On 03/10/2018 01:04 PM, ToddAndMargo wrote:
>>> On 03/09/2018 07:16 PM, ToddAndMargo wrote:
>>>> Hi All,
>>>>
>>>> Okay, now this is "scary".
>>>>
>>>> Both xsane and Simple Scan work locally.
>>>>
>>>> I can not get saned to work, UNLESS, I edit /etc/group
>>>> and add the following to root
>>>>
>>>> root:x:0:saned
>>>>
>>>> Without it, I get
>>>>
>>>> $ xsane net:localhost:epkowa:interpreter:001:007
>>>> Access to resource has been denied
>>>>
>>>> Now what am I doing wrong?  Must saned have root privileges?
>>>> CUPS doesn't need it.
>>>>
>>>> Many thanks,
>>>> -T
>>>
>>> Followup:
>>>
>>> To correct this, add
>>>
>>> # /usr/lib/udev/rules.d/70-saned.rules
>>> ACTION=="add", ENV{libsane_matched}=="yes", GROUP="saned", MODE="0660"
>>>
>>> to
>>>
>>> /usr/lib/udev/rules.d/65-sane-backends.rules
>>>
>>> I just opened
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1554032
>>>
>>> to fix this.
>>>
>>>
>>> I have been troubleshooting this since November
>>> <Editorial comment> AAAAAAHHHHHHHHHHHHHHHHHHHHH!!!!! </editorial
>>> comment>
>>>
>>> -T
>>>
>>> A fun command:
>>>
>>> # rpm -qf /usr/lib/udev/rules.d/65-sane-backends.rules
>>> sane-backends-1.0.27-12.fc27.x86_64
>>>
>>
>>
>> Note: you have to reboot to get this to take:
>>
>> $ scanimage -L
>> device `epkowa:interpreter:001:003' is a Epson Perfection V300
>> flatbed scanner
>> device `net:localhost:epkowa:interpreter:001:003' is a Epson
>> Perfection V300 flatbed scanner
>>
>> $ xsane net:localhost
>> worked
>>
>> Unplugging and replugging the scanner:
>> $ scanimage -L
>> device `epkowa:interpreter:001:008' is a Epson Perfection V300
>> flatbed scanner
>> device `net:localhost:epkowa:interpreter:001:008' is a Epson
>> Perfection V300 flatbed scanner
>>
>> $ xsane net:localhost
>> worked
>>
> In my situation I have not put any entries in /usr/lib/udev/rules.d to
> get the scanner on the multi-function device working over the network
> (I have an Epson Expression ET 3700 continuous flow ink device).
>
> My first step in getting the scanner working was to look at
> /etc/sane.d/epson.conf and /etc/sane.d/epsonds.conf
> (/etc/sane.d/epson2.conf seems to be for usb connected devices). These
> 2 conf files have 'net autodiscovery' already specified, but that was
> not enough to detect the scanner and neither was adding 'net
> <ip-address>' (the ip address of the device as set on the device).
>
> Having already downloaded the printer driver for cups I went to the
> same site and downloaded Epson's Imagescan package and installed it.
> That package installs 2 conf files /etc/imagescan/combo.conf and
> /etc/imagescan/imagescan.conf and a scanning tool called Imagescan.
> This installation was still not enough to get the scanner working with
> Imagescan. To get it working I had to uncomment the 3 device
> statements (I think they were commented), change to model entry to my
> device name and change the ip address to the address I set my device to.
>
> Having done these changes Imagescan was able to find the device and
> after a reboot (I didn't try Xsane until several days later) so did
> Xsane. To test Xsane I don't have to unplug the device from the
> ethernet connection to the router, just turning the power on and off
> on the device is enough to test Xsane's ability to see the device.
>
>
> Scanimage -L gives me the following output:
>
>
> scanimage -L
> device `imagescan:esci:networkscan://192.168.1.20:1865' is a Epson
> ET-3700
>
>
> xsane (without any parameters)
>
> worked
>
>
> xsane (with the device powered off)
>
> 'No devices found'
>
>
> xsane (with the device powered back on)
>
> worked
>
>
> My setup is a bit different to yours, from your output it looks like
> you have the scanner connected to your computer via usb and you are
> trying to share that over the network, whereas in my case my device is
> actually network connected and I am trying to get the multiple
> computers and Android devices talking to it.
>
>
> regards,
>
> Steve

With Xsane working the issue I need to resolve now is how to get Xsane
to provide the different resolutions the scanner is capable of.
Imagescan provides the resolution selection capability, but the
documentation of Xsane says the Sane backend must provide the resolution
specifications, but there isn't a definition in the Sane backends for
this device, other than entry in /etc/sane.d/dll.d to register imagescan.


regards,

Steve


>
> _______________________________________________
> users mailing list -- [hidden email]
> To unsubscribe send an email to [hidden email]
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]