[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_console help needed: HPLIP permissions



On Thu, 2007-08-30 at 16:39 +0100, Tim Waugh wrote:
> Hi,
> 
> I think I need some help understanding how to make HPLIP devices get the
> right permissions now that pam_console will be going away.
> 
> The device nodes are (e.g.) /dev/bus/usb/001/001, and they are used for
> two things:

I'm answering these questions in reverse order

> 2. Scanning.  Console users need read/write access to the device node so
> that the 'hpaio' SANE backend provided by HPLIP can use them.

Just generate a fdi file like sane-backends does with the patch that I
got upstream

http://lists.alioth.debian.org/pipermail/sane-devel/2007-March/018763.html

the fdi file will need to reference all the USB id's that the HPLIP SANE
user space drivers can drive. It'll will look like this

<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<deviceinfo version=\"0.2\">
  <device>
    <match key="info.bus" string="usb">
      <match key="usb.vendor_id" int="<vendor_id>">
        <match key="usb.product_id" int="<product_id>">
          <append key="info.capabilities" type="strlist">scanner</append>
          <merge key="scanner.access_method" type="string">proprietary</merge>
        </match>
      </match>
      <!-- other models follow here -->
    </match>
  </device>
</deviceinfo>

Btw, I'm not sure our sane-backends package use my patch I referenced
above; it probably should in favor of the udev rules / pam_console.

> 1. Printing.  The 'hp' CUPS backend provided by HPLIP needs read/write
> access.  It runs as user 'lp', group 'lp'.

For this I'd advise to just use the udev rule you already got; it's not
interesting in terms of ACL's as they will never vary (since CUPS does
it's own access control) and we just need them since the hp CUPS backend
is architected in a way so it needs special permissions [1].

Just send me private mail if you have any questions. Thanks.

      David

[1] : which I suppose is unnecessary as cups already run as root and
they could then just drop permissions in the backend process itself
after having opened the device node


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]