[sane-devel] phpSANE question

2011-04-08 Thread Cristi Lacatus 
Thanks, Allan ... that was the reason, I should've see it earlier, but I
kept thinking that is something related to the environment where the command
is executed by the web interface and there are some lib or something else
missing.

Cheers,
Cristian.

2011/4/7 m. allan noah 

> I've never worked with phpSANE, but I can take a guess. PHP scripts
> run as the apache user, and the apache user does not have permissions
> to talk to the device files. Run scanimage -L as the user apache runs
> as, and see if that's true. If so, look to make some udev or hal rule
> changes.
>
> allan
>
> On Thu, Apr 7, 2011 at 11:01 AM, Cristi Lacatus 
> wrote:
> > Hello,
> >
> > I know this is the dist list for the SANE project, but maybe there is
> > someone out there that uses phpSANE and can help me out. I am trying to
> use
> > this on my QNAP NAS, linux flavour with apache 2 and php 5 support, but I
> > keep getting this error message and the resolution field is highlighted
> in
> > red.
> > From what I can tell the problem is when the command is being executed,
> for
> > example when the command "scanimage --help" it's executed in the CLI,
> > usually it outputs the help text but it also gives detailed information
> > about the scanners that are connected to the system at that time. When it
> > gets executed by the web interface, it only outputs the help text,
> nothing
> > else.
> > I also tried with a different command, "scanimage -L" when executed in
> the
> > CLI it outputs "device `pixma:04A91746_01760E' is a CANON Canon PIXMA
> MP280
> > multi-function peripheral", when executed through phpSANE, it only
> outputs
> > "device `pixma:04A91746' is a CANON Canon PIXMA MP280 multi-function
> > peripheral". I'm exporting the necessary paths, but that doesn't help
> > either.
> >
> > Any help will be greatly appreciated?
> >
> > Thanks,
> > Cristian.
> >
> >
> > --
> > sane-devel mailing list: sane-devel at lists.alioth.debian.org
> > http://lists.alioth.debian.org/mailman/listinfo/sane-devel
> > Unsubscribe: Send mail with subject "unsubscribe your_password"
> > to sane-devel-request at lists.alioth.debian.org
> >
>
>
>
> --
> "The truth is an offense, but not a sin"
>
-- next part --
An HTML attachment was scrubbed...
URL: 
<http://lists.alioth.debian.org/pipermail/sane-devel/attachments/20110408/722751e4/attachment-0001.htm>

[sane-devel] sane - access problem with debian squeeze

2011-04-08 Thread Johannes Meixner 

Hello,

On Apr 7 21:08 postbote2009-debian at yahoo.com wrote (excerpt):
> Julien BLACHE wrote (excerpt):
>> postbote2009-debian at yahoo.com wrote (excerpt):
>>>
>>> device `pixma:04A91725' is a CANON Canon PIXMA  MP610 multi-function
>>> peripheral
>>
>> Seeing how your device is an MFP, it's  probably root:lp instead of
>> root:scanner due to a change in udev itself  between Lenny and Squeeze.
>>
>> In Lenny the scanner group would prevail, in  Squeeze it's the lp group
>> that prevails. In Lenny the issue was with printing  to MFPs, in Squeeze
>> it's with scanning.
>>
>> Two ways to work around  this:
>>  - add your user to the lp group
>>  - use ConsoleKit and any user  physically logged into the machine
>>(running the X session) will have  access to the scanner
>
> Thank you very much - after adding  the user to lp everything worked fine.
>
> I?m just curious - if you?ve got the time and it isn?t too difficult to 
> explain
> - why has the user to be in the group "lp" if in 60-libsane.rules "scanner" is
> mentioned?

For openSUSE we do not have a group "scanner" and
I change the udev rules in libsane.rules as follows:

All GROUP="scanner" are replaced by GROUP="lp".

There is no group "scanner" in /etc/group for openSUSE.
For all-in-one devices (i.e. printer + scanner, e.g. "EPSON Stylus" devices)
the group must be "lp" so that the CUPS usb backend which runs
as user "lp" (who is member of the group "lp") can send printing data
to the printer unit (i.e. the printer interface of the USB device).
It is sufficiently secure and reasonable easy to use by default
the same group "lp" for printers and scanners because both kind of devices
usually require physical user access (to get the printed paper or
to place a paper on the scanner) so that both kind of devices
should usually require the same kind of security.

Because one same device file cannot be in two traditional groups
(i.e. when no advanced stuff like ACLs is used) and because
multi function devices are more and more common nowadays,
the "printing via lp group" versus "scanning via scanner group"
conflict will happen more and more often.

The solution could be one single traditional group by default.

Therefore I suggest to think about if SANE may move away from its
special group "scanner" and use the traditional group "lp" instead.

This would of course not mean that a special group "scanner"
is forbidden or that advanced stuff like ACLs can be used.

All I like to suggest is a default which avoids a common conflict
so that printing and scanning with multi function devices
could work out of the box even in a traditional environment.

A drawback when using the group "lp" by default for scanners is
that there is a possible security issue when all normal users
would be by default added to the group "lp" because users
in the "lp" group can read the print spool data files
/var/spool/cups/d* so that those users can read possibly
confidential print job data.

Therefore in openSUSE we do not add normal users by default
to the "lp" group so that by default normal users cannot access
scanners in a traditional environment.

In openSUSE we use by default udev and its ACLs so that a user
who logs in directly at the machine gets sufficient permissions
to access scanners.

But using the "lp" group also for scanners in openSUSE avoids
the conflict which traditional group a multi function device
should get assigned.

And the admin in a traditional environment can add trusted users
to the "lp" group if needed in his particular case - considering
what is secure in his particular (network) environment.


Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex

[sane-devel] Fwd: phpSANE question

2011-04-08 Thread Cristi Lacatus 
Well on this box, QNAP TS219, ARM processor, which runs with a stripped
version of linux, the apache daemon runs as the httpdusr and is pretty much
limited on the rights that it has within the system. As I noticed there is
another discussion now on pretty much the same topic, users that have no
rights to access the peripherals, unless given specific rights to do so, but
on this box is pretty much impossible, from my point of view.

So in order to overcome this obstacle, I added a telnet class, if I can call
it this way so I am running the commands through telnet class with admin
rights ... at the moment my scanner is not fully supported (I am already in
contact with one of the devs who's going to look into this as soon as
possible) so I cannot fully test this at the moment. But the errors are
gone, so lets hope for the best.

Cheers,
Cristian.

-- Forwarded message --
From: m. allan noah 
Date: 2011/4/8
Subject: Re: [sane-devel] phpSANE question
To: Cristi Lacatus 


how about telling the list, so folks can find the answer in the archives
later?

allan

On Thu, Apr 7, 2011 at 11:48 PM, Cristi Lacatus 
wrote:
> Thanks, Allan ... that was the reason, I should've see it earlier, but I
> kept thinking that is something related to the environment where the
command
> is executed by the web interface and there are some lib or something else
> missing.
>
> Cheers,
> Cristian.
>
> 2011/4/7 m. allan noah 
>>
>> I've never worked with phpSANE, but I can take a guess. PHP scripts
>> run as the apache user, and the apache user does not have permissions
>> to talk to the device files. Run scanimage -L as the user apache runs
>> as, and see if that's true. If so, look to make some udev or hal rule
>> changes.
>>
>> allan
>>
>> On Thu, Apr 7, 2011 at 11:01 AM, Cristi Lacatus 
>> wrote:
>> > Hello,
>> >
>> > I know this is the dist list for the SANE project, but maybe there is
>> > someone out there that uses phpSANE and can help me out. I am trying to
>> > use
>> > this on my QNAP NAS, linux flavour with apache 2 and php 5 support, but
>> > I
>> > keep getting this error message and the resolution field is highlighted
>> > in
>> > red.
>> > From what I can tell the problem is when the command is being executed,
>> > for
>> > example when the command "scanimage --help" it's executed in the CLI,
>> > usually it outputs the help text but it also gives detailed information
>> > about the scanners that are connected to the system at that time. When
>> > it
>> > gets executed by the web interface, it only outputs the help text,
>> > nothing
>> > else.
>> > I also tried with a different command, "scanimage -L" when executed in
>> > the
>> > CLI it outputs "device `pixma:04A91746_01760E' is a CANON Canon PIXMA
>> > MP280
>> > multi-function peripheral", when executed through phpSANE, it only
>> > outputs
>> > "device `pixma:04A91746' is a CANON Canon PIXMA MP280 multi-function
>> > peripheral". I'm exporting the necessary paths, but that doesn't help
>> > either.
>> >
>> > Any help will be greatly appreciated?
>> >
>> > Thanks,
>> > Cristian.
>> >
>> >
>> > --
>> > sane-devel mailing list: sane-devel at lists.alioth.debian.org
>> > http://lists.alioth.debian.org/mailman/listinfo/sane-devel
>> > Unsubscribe: Send mail with subject "unsubscribe your_password"
>> > to sane-devel-request at lists.alioth.debian.org
>> >
>>
>>
>>
>> --
>> "The truth is an offense, but not a sin"
>
>



--
 "The truth is an offense, but not a sin"
-- next part --
An HTML attachment was scrubbed...
URL: 
<http://lists.alioth.debian.org/pipermail/sane-devel/attachments/20110408/081564d9/attachment.htm>
-- next part --
A non-text attachment was scrubbed...
Name: telnet.class.php
Type: application/x-httpd-php
Size: 8807 bytes
Desc: not available
URL: 
<http://lists.alioth.debian.org/pipermail/sane-devel/attachments/20110408/081564d9/attachment.php>

[sane-devel] sane - access problem with debian squeeze

2011-04-08 Thread Julien BLACHE 
postbote2009-debian at yahoo.com wrote:

Hi,

> I?m just curious - if you?ve got the time and it isn?t too difficult to 
> explain 
> - why has the user to be in the group "lp" if in 60-libsane.rules "scanner" 
> is 
> mentioned?

It's due to changes in udev and in the default rules shipped with udev.

But the real problem is that MFP should expose several USB devices and
not just a single one.

JB.

-- 
Julien BLACHE    
  GPG KeyID 0xF5D65169

[sane-devel] sane - access problem with debian squeeze

2011-04-08 Thread Julien BLACHE 
Johannes Meixner  wrote:

Hi,

> All GROUP="scanner" are replaced by GROUP="lp".

You do *not* want to do that on a multiuser system. If the reason is not
obvious to the reader, I suggest the reader step away from any root
account she may hold.

[6 paragraphs]

> A drawback when using the group "lp" by default for scanners is
> that there is a possible security issue when all normal users
> would be by default added to the group "lp" because users
> in the "lp" group can read the print spool data files
> /var/spool/cups/d* so that those users can read possibly
> confidential print job data.

It was about time you mentioned that. I'm not sure how many people
reading your original mail will make it up to that paragraph and realize
they were about to make a serious mistake.

> In openSUSE we use by default udev and its ACLs so that a user
> who logs in directly at the machine gets sufficient permissions
> to access scanners.

It's not udev but ConsoleKit handling this.

I've switched to using ACLs with udev (real ACLs, no relation to
ConsoleKit, but ConsoleKit works too) in Debian. It looks like there's
an issue at boot and the ACL isn't set properly, but I still need to dig
into this.

MFPs have always been a royal pain in the rear and ACLs weren't
available to help fix that until recently. Hopefully it'll work out...

JB.

-- 
Julien BLACHE    
  GPG KeyID 0xF5D65169

[sane-devel] Is the CanoScan 9000F alreday in git?

2011-04-08 Thread Al Bogner 
http://forums.debian.net/viewtopic.php?f=7&t=54246&start=15
Also, SANE 1.0.22 is ready to be released, so the git repository for
1.0.23 should soon be ready. Then we can start the process of sending
diffs for the new sub-driver incorporating the support for the 9000F,
8800F, MP960 and MP810

The Opensuse-Repo for SANE 1.0.22 is available here
http://download.opensuse.org/repositories/graphics/openSUSE_11.3/
but I didn't find one for 1.0.23.

So my question is, if the CanoScan 9000F is available already in 1.0.22
or do I have to wait for 1.0.23? Any idea, when it will be released?

Is there an Ubuntu repo with the newest SANE drivers?

Al