[Bug 462639] New: udev rules for setting access permissions for scsi scanners missing
https://bugzilla.novell.com/show_bug.cgi?id=462639

Summary: udev rules for setting access permissions for scsi scanners missing
Product: openSUSE 11.1
Version: Final
Platform: i586
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Hotplug
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: dieter.jurzitza@t-online.de
QAContact: qa@suse.de
Found By: ---

When installing a scsi-scanner in openSUSE 11.1, a regular user cannot access it. The corresponding udev-rule as existed in openSUSE 10.3 (for example) is not present in openSUSE 11.1:

50-udev-default.rules:
# misc storage devices (non-block)
KERNEL=="sg*", GROUP="disk", MODE="0640"

basically this is the very same bug as exists for cdrom-recording because the similar permission problem pops up, the device is only usable for root but not for regular users.

Thank you for looking into this,
take care

Dieter Jurzitza

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c1
--- Comment #1 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User weigelt.bernd@web.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c2
Bernd Weigelt
https://bugzilla.novell.com/show_bug.cgi?id=462639
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c3
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User kasievers@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c4
Kay Sievers
> When installing a scsi-scanner in openSUSE 11.1, a regular user cannot access it. The corresponding udev-rule as existed in openSUSE 10.3 (for example) is not present in openSUSE 11.1:
>
> 50-udev-default.rules:
> # misc storage devices (non-block)
> KERNEL=="sg*", GROUP="disk", MODE="0640"

Scsi-generic devices of type "scanner" and "processor" intentionally do not get the group "disk" assigned, because they are not related to "storage". Anyway, no normal user should ever be in the "disk" group, it would allow the untrusted user to do things like format any disk on the system.

(In reply to comment #3 from Marcus Meissner)
> As for this problem, I am not sure our current HAL/udev setup can detect scanners reliably and make them available.

There is support in HAL for many USB scanners in fdi files. They match on vendor/product ids. In the fdi files is also support for SCSI scanners. It is expected to work, but I don't really know if it works reliably.
> Scsi-generic devices of type "scanner" and "processor" intentionally do not get the group "disk" assigned, because they are not related to "storage".
> Anyway, no normal user should ever be in the "disk" group, it would allow the
> untrusted user to do things like format any disk on the system.

well, the above listed udev-rule stems from 10.3 "as is", so this was a
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c5
--- Comment #5 from Dieter Jurzitza
From a user's standpoint (and from a maintainer's standpoint) it is bad if a regular user is simply kicked out of the usage of the scanner, what is, IMHO, a very "normal" usecase, what I hope you can agree with.

If I get your comment to Marcus Meissner correct, there should be support for SCSI-scanners in "the fdi-files". Can you be more specific which files are concerned so I could play around and try to figure out what is going wrong?

@Marcus Meissner
In a certain way this strongly reminds me of #408252, though you said it is not related: the problem there is buried somewhere in hal, too, isn't it? Apparently there has been a very basic change with permission policy for device access recently what is popping up at every other corner now.

Thank you for looking into this,
take care

Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User kasievers@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c6
Kay Sievers
> well, the above listed udev-rule stems from 10.3 "as is", so this was a probably meaningful decision by openSUSE some time ago.

There are no openSUSE specific rules, they are part of the common udev rules, and most distros ship the same thing. The current rule logic should prevent the SCSI scanner to be in the "disk" group. It seems not to work for your scanner, it's probably not SCSI type "3" or "6". As said, the "disk" group should not be used for anything else than a "backup daemon" and similar, never for "normal" users.

> From a user's standpoint (and from a maintainer's standpoint) it is bad if a regular user is simply kicked out of the usage of the scanner, what is, IMHO,
> a very "normal" usecase, what I hope you can agree with.

It's not related to udev rules. Normal users should get an ACL at the device node, which is not managed by udev, or udev rules.

> If I get your comment to Marcus Meissner correct, there should be support for SCSI-scanners in "the fdi-files". Can you be more specific which files are concerned so I could play around and try to figure out what is going wrong?

It's in: /usr/share/hal/fdi/information/20thirdparty/70-scanner.fdi
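An added example, not part of the thread and not udev's own code: a read-only check of the point made in the comment above. It lists SCSI-generic nodes and flags those whose sysfs type is 3 (processor) or 6 (scanner) while the device node belongs to group "disk". The sysfs path `/sys/class/scsi_generic/sgN/device/type` layout and the `group_name` parameter are assumptions of this example.

```python
import grp
from pathlib import Path

# SCSI peripheral device types the thread names as non-storage: "3" and "6".
NON_STORAGE_TYPES = {3: "processor", 6: "scanner"}


def _group_name(gid):
    """Resolve a gid to a group name, falling back to the number."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_sg_nodes(sysfs_root="/sys/class/scsi_generic", dev_root="/dev",
                   group_name=_group_name):
    """Describe every sg node; flag scanner/processor nodes in group 'disk'.

    sysfs_root, dev_root and group_name are parameters (assumptions of this
    example) so the check can run on a copied tree as well as a live system.
    """
    report = []
    for entry in sorted(Path(sysfs_root).glob("sg*")):
        type_file = entry / "device" / "type"
        node = Path(dev_root) / entry.name
        try:
            scsi_type = int(type_file.read_text().strip())
            st = node.stat()
        except (OSError, ValueError):
            continue  # node went away or the sysfs entry is unreadable
        group = group_name(st.st_gid)
        report.append({
            "node": entry.name,
            "scsi_type": scsi_type,
            "kind": NON_STORAGE_TYPES.get(scsi_type, "storage/other"),
            "group": group,
            "mode": oct(st.st_mode & 0o777),
            # Non-storage device reachable through the raw-disk group.
            "misassigned": scsi_type in NON_STORAGE_TYPES and group == "disk",
        })
    return report


if __name__ == "__main__":
    for row in audit_sg_nodes():
        print(row)
```
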
https://bugzilla.novell.com/show_bug.cgi?id=462639
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c7
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c8
--- Comment #8 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c9
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c10
--- Comment #10 from Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c11
--- Comment #11 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c12
--- Comment #12 from Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c13
--- Comment #13 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c14
--- Comment #14 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c15
--- Comment #15 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c16
--- Comment #16 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c17
--- Comment #17 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c18
--- Comment #18 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c19
--- Comment #19 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c20
--- Comment #20 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c21
--- Comment #21 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c22
--- Comment #22 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c23
--- Comment #23 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c24
--- Comment #24 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c25
--- Comment #25 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c26
--- Comment #26 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c27
Danny Kukawka
> I fully agree and I always appreciate it when generic stuff is readymade provided by HAL itself.
>
> Please inform me, when it is actually provided by HAL itself so that I can then remove it from my 70-scanner.fdi file.

I've submitted a new hal package to STABLE and SLE11 (and a YOU update for openSUSE 11.1 follows) which has now the generic ACL rule and a file providing the stuff from 70-scanner.fdi . You should be able to remove 70-scanner.fdi now.
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c28
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c29
Danny Kukawka
> I.e. you mean that the new hal package provides now both
> - a generic ACL rule for SCSI devices with SCSI type "scanner" and

Only this:

<match key="info.category" string="scsi_generic">
  <match key="@info.parent:scsi.type" string="scanner">
    <append key="info.capabilities" type="strlist">scanner</append>
  </match>
</match>

and an ACL rule for those devices to give access to scsi_generic.device

> - tons of rules for all the USB scanners in 70-scanner.fdi

No, there was no change, this should still be part of (lib)sane.
https://bugzilla.novell.com/show_bug.cgi?id=462639
User swamp@suse.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c30
Swamp Script User
https://bugzilla.novell.com/show_bug.cgi?id=462639
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c31
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c32
--- Comment #32 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c33
--- Comment #33 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c35
Axel Braun
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c36
--- Comment #36 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c37
Axel Braun
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c38
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c39
Axel Braun
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c40
--- Comment #40 from Axel Braun
> what is the content of your /etc/hal/fdi/information/20thirdparty/80-scanner.fdi file?

Actually, there is a file /etc/hal/fdi/information/20thirdparty/70-scanner.fdi, to which I added the proposal from comment #7. That helped :-)
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c41
--- Comment #41 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c42
--- Comment #42 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c43
--- Comment #43 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c44
--- Comment #44 from Danny Kukawka
> Strange!
>
> According to comment #35 the udi /org/freedesktop/Hal/devices/pci_1000_1_scsi_host_scsi_device_lun0 does not have a capability "scanner" but then according to comment #37 hal-find-by-capability reports a similar udi /org/freedesktop/Hal/devices/pci_1000_1_scsi_host_scsi_device_lun0_scsi_generic as a "scanner" which then of course lets YaST think that HAL knows that this device is a "scanner" so that there is no need to write 80-scanner.fdi for it.
>
> For me this looks now like an issue in HAL.

I don't think this is caused by hal. There is only one way to mark a scsi device as scanner: via this rule (which doesn't apply to this device AFAICS):

<deviceinfo version="0.2">
  <device>
    <match key="info.category" string="scsi_generic">
      <match key="@info.parent:scsi.type" string="scanner">
        <append key="info.capabilities" type="strlist">scanner</append>
      </match>
    </match>
  </device>
</deviceinfo>

Maybe you should request a tar archive from /usr/share/hal/fdi and /etc/hal/fdi and check all fdi files to see what's going wrong.
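The rule from the comment above, evaluated against constructed device objects. This is an added example, not HAL's code and not from the thread: the `example_*` udis and their properties are made up, and the matcher models only `match` with `string` and `append` of type `strlist`. It shows that the capability is appended to the `scsi_generic` child object whose parent has `scsi.type` "scanner", not to the parent SCSI device object.

```python
import xml.etree.ElementTree as ET

# The fdi rule quoted in the comment above, verbatim.
FDI_RULE = """
<deviceinfo version="0.2">
  <device>
    <match key="info.category" string="scsi_generic">
      <match key="@info.parent:scsi.type" string="scanner">
        <append key="info.capabilities" type="strlist">scanner</append>
      </match>
    </match>
  </device>
</deviceinfo>
"""


def sample_devices():
    """Constructed HAL-style objects (udi -> properties), not real lshal output."""
    base = "/org/freedesktop/Hal/devices/"
    return {
        base + "example_scanner_lun0": {"scsi.type": "scanner"},
        base + "example_scanner_lun0_scsi_generic": {
            "info.category": "scsi_generic",
            "info.parent": base + "example_scanner_lun0"},
        base + "example_disk_lun0": {"scsi.type": "disk"},
        base + "example_disk_lun0_scsi_generic": {
            "info.category": "scsi_generic",
            "info.parent": base + "example_disk_lun0"},
    }


def lookup(devices, udi, key):
    """Read a property; '@ref:key' first follows property 'ref' to another udi."""
    while key.startswith("@"):
        ref, key = key[1:].split(":", 1)
        udi = devices.get(udi, {}).get(ref)
    return devices.get(udi, {}).get(key)


def apply_rules(devices, udi, node):
    """Walk nested <match> elements; run <append> only if every match held."""
    for child in node:
        if child.tag == "match":
            if lookup(devices, udi, child.get("key")) == child.get("string"):
                apply_rules(devices, udi, child)
        elif child.tag == "append" and child.get("type") == "strlist":
            values = devices[udi].setdefault(child.get("key"), [])
            if child.text not in values:
                values.append(child.text)


def scanners_after_fdi(devices, fdi_xml=FDI_RULE):
    """Return the udis that carry capability 'scanner' once the rule has run."""
    for device in ET.fromstring(fdi_xml).iter("device"):
        for udi in devices:
            apply_rules(devices, udi, device)
    return sorted(u for u, p in devices.items()
                  if "scanner" in p.get("info.capabilities", []))
```
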
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c45
Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c46
Axel Braun
> @Axel: Please be sure that you have the latest HAL update installed.

Should be:

axel@northpole:~> rpm -qa | grep hal
hal-0.5.12-10.12.1
hal-palm-0.12.3-2.56

> Attach a (or two) tar archives from the whole content of /usr/share/hal/fdi and /etc/hal/fdi. Please attach also lshal from this case.

lshal is already in the list of attachments: https://bugzilla.novell.com/attachment.cgi?id=267315
The rest will be added immediately
https://bugzilla.novell.com/show_bug.cgi?id=462639
User axel.braun@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c47
--- Comment #47 from Axel Braun
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c48
Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c49
Johannes Meixner
From my current point of view the bug was never in HAL or in yast2-scanner or in any software and all we did was in the end a waste of time because the root cause is somewhere outside of the software which lets at least some users get outdated packages installed.
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c50
--- Comment #50 from Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c51
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c52
--- Comment #52 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c53
--- Comment #53 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c54
--- Comment #54 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c55
--- Comment #55 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c57
--- Comment #57 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c58
--- Comment #58 from Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dkukawka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c59
Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User dieter.jurzitza@t-online.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c60
Dieter Jurzitza
https://bugzilla.novell.com/show_bug.cgi?id=462639
Danny Kukawka
https://bugzilla.novell.com/show_bug.cgi?id=462639
User jsmeix@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462639#c61
Johannes Meixner