Need to enable scanner access for user/group www-data

Asked by jhansonxi on 2010-09-28

When using scanimage as a regular user it "just works" and finds SCSI and USB scanners without any manual configuration. When run as user/group www-data via a cgi/shell script it doesn't find anything. Since the "scanner" group doesn't exist anymore, how do I enable scanner device access for www-data?

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
Last query: 2010-09-29
Last reply: 2015-03-03

François Tissandier (baloo) said : #1

Did you check what groups your user belongs to? You can then try to add the www-data user to those groups one by one. I'm not sure if it will work, but that's my first idea.

jhansonxi (jhansonxi) said : #2

Tried that. Added www-data to every group that regular users belonged to but it had no effect.

I'm suspicious that udev/sane enables access to all user accounts but not system accounts (UID/GID <1000).

I can't find any information about it. There's nothing in the wiki:
https://wiki.ubuntu.com/Security/Privileges

François Tissandier (baloo) said : #3

Ok, that was too easy.
There seems to be interesting info on this page, did you check it out?

http://scannerserver.online02.com/node/4

jhansonxi (jhansonxi) said : #4

Yes. Once again in case I missed something. The suggestions there (and linked to) fall into three categories:

1. Add www-data to scanner group: No longer possible since the group no longer exists (as of Jaunty IIRC).

2. Change default USB device permissions to give full access to others: Works but is stupid as it allows all users full access to all USB devices - scanners and everything else. I actually wrote a GUI app for doing this with SCSI scanners but they are not hot-pluggable and device assignments generally don't change during a user session, unlike USB devices which get disconnected and reconnected often.

3. Custom UDEV rules: I know it can be done but whatever is currently implemented for regular users already works. I would rather adjust that rule or the related account security instead of writing a new rule from scratch (and have to repeat for every scanner model).

jhansonxi (jhansonxi) said : #5

Regarding #3: The current implementation also doesn't require all users to have access (rwxr-w---).

François Tissandier (baloo) said : #6

You understand the problem better than me unfortunately ;) So I guess I can't be of any help now. I hope someone with better technical knowledge can help.

Please add the scanner group from a terminal. Try:

sudo groupadd scanner

and then add the user to the scanner group

sudo adduser www-data scanner

jhansonxi (jhansonxi) said : #8

Tried that but it had no effect. It seems that the UDEV rules (or whatever library/program support) that used that group are no longer present.

Launchpad Janitor (janitor) said : #9

This question was expired because it remained in the 'Open' state without activity for the last 15 days.
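
Categories 2 and 3 from reply #4, side by side as a udev rules fragment. This is an added example, not part of the original thread or of any Ubuntu package: the file name is hypothetical, and it assumes the installed libsane udev rules tag scanner nodes with ENV{libsane_matched}="yes" and that the scanner group has been created and www-data added to it as in the groupadd reply above.

```udev
# /etc/udev/rules.d/99-scanner-group.rules   (hypothetical file name)
# The number must sort after the libsane rules file so that the
# libsane_matched property is already set when this rule is evaluated.

# Assumption to verify first on the target system: the scanner's device
# node carries the libsane_matched property. Check with
#   udevadm info --query=property --name=/dev/bus/usb/BBB/DDD
# (BBB/DDD are the bus and device numbers of the scanner).

# Weak setting (category 2 in reply #4), shown commented out:
# every USB device node becomes readable and writable by every account,
# scanner or not.
# SUBSYSTEM=="usb", MODE="0666"

# Scoped setting (category 3, without one rule per scanner model):
# only nodes that libsane has already identified as scanners are handed
# to the dedicated group. All other device nodes keep their defaults.
ENV{libsane_matched}=="yes", GROUP="scanner", MODE="0664"
```

After installing the file, run `sudo udevadm control --reload-rules` and `sudo udevadm trigger` (or replug the scanner), then restart the web server so its processes pick up the new group membership. Running `ls -l` on the scanner's device node should then show group `scanner` with `rw` for the group and no write bit for others.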