[sane-devel] sane - access problem with debian squeeze

Julien BLACHE jb at jblache.org
Fri Apr 8 16:32:29 UTC 2011


Johannes Meixner <jsmeix at suse.de> wrote:

Hi,

> All GROUP="scanner" are replaced by GROUP="lp".

You do *not* want to do that on a multiuser system. If the reason is not
obvious to the reader, I suggest the reader step away from any root
account she may hold.

[6 paragraphs]

> A drawback when using the group "lp" by default for scanners is
> that there is a possible security issue when all normal users
> would be by default added to the group "lp" because users
> in the "lp" group can read the print spool data files
> /var/spool/cups/d* so that those users can read possibly
> confidential print job data.

It was about time you mentioned that. I'm not sure how many people
reading your original mail will make it up to that paragraph and realize
they were about to make a serious mistake.

> In openSUSE we use by default udev and its ACLs so that a user
> who logs in directly at the machine gets sufficient permissions
> to access scanners.

It's not udev but ConsoleKit handling this.

I've switched to using ACLs with udev (real ACLs, no relation to
ConsoleKit, but ConsoleKit works too) in Debian. It looks like there's
an issue at boot and the ACL isn't set properly, but I still need to dig
into this.

MFPs have always been a royal pain in the rear and ACLs weren't
available to help fix that until recently. Hopefully it'll work out...

JB.

-- 
Julien BLACHE                                   <http://www.jblache.org> 
<jb at jblache.org>                                  GPG KeyID 0xF5D65169



More information about the sane-devel mailing list