nixos/sane: ensure saned can access usb scanners #367198
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For a user to be able to scan with an USB scanner, it must have write access to the corresponding file in /dev/bus/usb. Enabling the sane module adds SANE's upstream hwdb file and udev rules to udev search path. The hwdb file tags the scanner as `libsane_matched` and a builtin (from systemd upstream) udev rule marks all `libsane_matched` devices as uaccess. When a physical user logins, logind adds an acl allowing them to write to the device. Unfortunately, saned is a daemon. Therefore, uaccess has no effect for it, and if no other udev rule changes the device to belong to the scanner group or the lp group, (there are such rules, but they are not complete enough, in that some scanners known by SANE rules are not known by these rules), it will not be able to write to the scanner. This solves this by adding a udev rule so that all libsane_matched devices have an acl rules so that users in the scanner group can write. A similar rule is present on Arch and Debian at least. Note that we don't chgroup the file instead, because this posed problems in the past: scanners are often also printers, and a device's group cannot be simultaneously lp and scanner. Fixes: NixOS#361981
github-actions
bot
added
6.topic: nixos
github-actions
bot
added
10.rebuild-darwin: 0
kpine
approved these changes
Dec 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For a user to be able to scan with an USB scanner, it must have write access to the corresponding file in /dev/bus/usb. Enabling the sane module adds SANE's upstream hwdb file and udev rules to udev search path. The hwdb file tags the scanner as
libsane_matchedand a builtin (from systemd upstream) udev rule marks alllibsane_matcheddevices as uaccess. When a physical user logins, logind adds an acl allowing them to write to the device.Unfortunately, saned is a daemon. Therefore, uaccess has no effect for it, and if no other udev rule changes the device to belong to the scanner group or the lp group, (there are such rules, but they are not complete enough, in that some scanners known by SANE rules are not known by these rules), it will not be able to write to the scanner.
This solves this by adding a udev rule so that all libsane_matched devices have an acl rules so that users in the scanner group can write.
A similar rule is present on Arch and Debian at least.
Note that we don't chgroup the file instead, because this posed problems in the past: scanners are often also printers, and a device's group cannot be simultaneously lp and scanner.
Fixes: #361981