User avatar
Fidelius
Posts: 459
Joined: Wed Jan 01, 2014 8:40 pm
Location: Germany

Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 7:39 am

Good day,

On my Pi3 I upgraded from Raspbian Stretch to Raspbian Buster via a fresh install, like the forum's experts recommended. And basically most things work fine.

With Raspbian Stretch my LAN users who logged-in to my Pi via ssh could use the Canon scanner connected to it. I just had to add these LAN users to the Pi's user-group "scanner" once. Then they could "ssh -X" into my Pi and run "sane-find-scanner" to see the scanner being connected, and "simple-scan" to actually scan a page via the mouse. Like a local Pi user could.

But now with Raspbian Buster the scanner is only there for a local user when he runs "sane-find-scanner" or "simple-scan". Users connected via ssh don't see the scanner with these two programs anymore.

(P.S. When the ssh user has local admin rights on the Pi and does "sudo sane-find-scanner" or "sudo scanimage --list-devices" it works, but it's not what we want to have, i.e. admin rights for my ssh users.)

It looks like only a little bit is missing, because local users can scan fine.
Who could help please? Thanks.

User avatar
topguy
Posts: 5894
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 8:48 am

Do you know which device the scanner identifies as ? Or if its visible in the /dev/ filesystem at all ?

I believe this thread might help you, but as I have not any copy of Buster or a scanner there are limits to what I can check.
https://unix.stackexchange.com/question ... -in-libusb

User avatar
Fidelius
Posts: 459
Joined: Wed Jan 01, 2014 8:40 pm
Location: Germany

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 9:39 am

Thanks for your reply.

Please note that local users even without admin-rights can on my Pi use "sane-find-scanner" and the GUI application "simple-scan", i.e. everything needed.

So there's no general problem with access rights but "only" with external ssh users not being allowed to use the local scanner. Like some missing user-group or "allow from network" problem.

Your stackexchange link seems to address local users' problems (by granting them full access rights to USB devices).

Here's what a local user without admin-rights sees on my Pi:

Code: Select all

$ sane-find-scanner
found USB scanner (vendor=0x04a9 [Canon], product=0x190f [CanoScan], chip=GL848+) at libusb:001:004
That's why he can start "simple-scan" which opens a GUI with pre-selected scanner and then he can scan. Just ssh users don't see this scanner and so can't use simple-scan.

Similar to "sane-find-scanner", in order to list the attached scanner, a sudo user could also do:

Code: Select all

$ sudo scanimage --list-devices
device `genesys:libusb:001:004' is a Canon LiDE 220 flatbed scanner

User avatar
topguy
Posts: 5894
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 12:06 pm

Are the "local" users and the "ssh" users the same users or two completely separated set of users.??

And with "local" users you mean users that log into the desktop on a monitor physically connected to the Pi ?

You have shown what the local users see, what results does ssh users get ? No specific errors, just doesnt find any scanner to use ?

One idea would be to open a terminal for "local" users and log in as a "ssh" user and compare output from some commands.
for example:

Code: Select all

groups
env

User avatar
Fidelius
Posts: 459
Joined: Wed Jan 01, 2014 8:40 pm
Location: Germany

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 1:26 pm

topguy wrote:
Tue Jun 25, 2019 12:06 pm
Are the "local" users and the "ssh" users the same users or two completely separated set of users.??
Same user name with same user id on the Pi and on the Linux machines from which I ssh-connect to the Pi.
And with "local" users you mean users that log into the desktop on a monitor physically connected to the Pi ?
Yes.
You have shown what the local users see, what results does ssh users get ? No specific errors, just doesn't find any scanner to use ?
Local user:

Code: Select all

$ sane-find-scanner
could not open USB device 0x046d/0xc050 at 001:006: Access denied (insufficient permissions)
could not open USB device 0x046a/0xb090 at 001:005: Access denied (insufficient permissions)
found USB scanner (vendor=0x04a9 [Canon], product=0x190f [CanoScan], chip=GL848+) at libusb:001:004
could not open USB device 0x0424/0xec00 at 001:003: Access denied (insufficient permissions)
could not open USB device 0x0424/0x9514 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
# Your USB scanner was (probably) detected. It may or may not be supported by
# SANE. Try scanimage -L and read the backend's manpage.
When simple-scan is run it shows this scanner and lets me scan.

ssh-user with same user id:

Code: Select all

$ sane-find-scanner
could not open USB device 0x046d/0xc050 at 001:006: Access denied (insufficient permissions)
could not open USB device 0x046a/0xb090 at 001:005: Access denied (insufficient permissions)
could not open USB device 0x04a9/0x190f at 001:004: Access denied (insufficient permissions)
could not open USB device 0x0424/0xec00 at 001:003: Access denied (insufficient permissions)
could not open USB device 0x0424/0x9514 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
# No USB scanners found. If you expected something different, make sure that
# you have loaded a kernel driver for your USB host controller and have setup
# the USB system correctly. See man sane-usb for details.
When simple-scan is run it shows "no scanner".

One idea would be to open a terminal for "local" users and log in as a "ssh" user and compare output from some commands.
groups give the same groups for the logged-in user and for the ssh-user:

Code: Select all

username video
Also env shows nothing suspicious.

So which scan-from-LAN bits did Raspbian Stretch have which Raspbian Buster doesn't have?

User avatar
topguy
Posts: 5894
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 2:10 pm

I'm curious to what result

Code: Select all

ls -lR /dev/bus/usb/
gives..

Also the contents of : "/etc/scanbd/scanbd.conf" if you have it.

But here is what I think is going on....
There is a subsystem of X-Windows called "dbus" which send messages between a lot of different services etc.
One part of dbus is the HAL ( hardware abstraction layer ) ( https://people.freedesktop.org/~dkukawk ... tion-about ) and its main purpose is to give, users logged in to the desktop, access to hardware resources when you need it. It does a lot of things related to access right when you plug in external disks, cameras whatever.
Its a complex system and I have not the necessary overview to know exactly where the problem is located but it explains to me why the user logged in to desktop gets elevated access to the scanner but the ssh user does not.

And I still think the udev rule might work well.
You can probably test it by doing

Code: Select all

sudo chmod o+w /dev/bus/usb/001/004
with a "sudo" user and then try the command again with the ssh user.

Aydan
Posts: 699
Joined: Fri Apr 13, 2012 11:48 am
Location: Germany, near Lake Constance

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 2:24 pm

Please have a look at this: https://wiki.debian.org/SaneOverNetwork

I think this is the correct way to share a scanner via network.

Regards
Aydan

User avatar
jojopi
Posts: 3085
Joined: Tue Oct 11, 2011 8:38 pm

Re: Users via ssh can't scan with Raspbian Buster anymore

Tue Jun 25, 2019 9:43 pm

/lib/udev/rules.d/* have changed between stretch and buster.

In stretch, 60-libsane.rules identified any device supported by SANE, gave it ENV{libsane_matched}="yes", and then because of that applied a fACL granting rw access to group "scanner".

In buster, 60-libsane.rules still identifies supported scanners and gives them the same property, but does not change their permissions. Now instead, 70-uaccess.rules gives them TAG+="uaccess", which I believe means that access is granted only to local GUI users (as topguy suggested).

In a hotdesking environment, certainly it makes sense that only the local user is allowed to scan the local document. I suspect the logic is also intended to work in multiseat environments, so you can have a computer with multiple displays and keyboards and scanners, and the logged-in users can only scan their own documents.

However, I really sympathise with Fidelius here. The sysadmin should also be able to give scanner access to specific users, and should not be left with no easier option than to give them full root access.

I have previously said that if one resorts to writing custom udev rules, one is doing something very wrong. Nevertheless, my proposed local fix is to take one line from stretch and put it in /etc/udev/rules.d/70-libsane-group.rules:

Code: Select all

ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
I have not been able to test this very thoroughly, but I think the ACLs combine so that any local user and any member of the group can scan.

edit: "sudo udevadm trigger" is the command to use after you add the rule, if you want to avoid rebooting.

User avatar
Fidelius
Posts: 459
Joined: Wed Jan 01, 2014 8:40 pm
Location: Germany

Re: Users via ssh can't scan with Raspbian Buster anymore

Wed Jun 26, 2019 6:51 am

jojopi wrote:
Tue Jun 25, 2019 9:43 pm
/lib/udev/rules.d/* have changed between stretch and buster.
[..]
Nevertheless, my proposed local fix is to take one line from stretch and put it in /etc/udev/rules.d/70-libsane-group.rules:

Code: Select all

ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
Well, that's it! This line, plus putting the ssh-connecting user into the Pi's user-group "scanner", works.

Thanks Jojopi, also for the explanation of the difference between Debian9's and Debian10's handling of ssh-logged-in scanner users.

Also thanks to Topguy und danke an Aydan for both your help.

Btw, Topguy, file "/etc/scanbd/scanbd.conf" isn't there, and when a ssh-logged-in user does:

Code: Select all

$ ls -lR /dev/bus/usb/
/dev/bus/usb/:
insgesamt 0
drwxr-xr-x 2 root root 160 Feb 14 11:11 001

/dev/bus/usb/001:
insgesamt 0
crw-rw-r--  1 root root 189, 0 Jun 25 22:38 001
crw-rw-r--  1 root root 189, 1 Jun 25 22:38 002
crw-rw-r--  1 root root 189, 2 Jun 25 22:38 003
crw-rw-r--+ 1 root root 189, 3 Jun 25 22:38 004
crw-rw-r--  1 root root 189, 4 Jun 25 22:38 005
crw-rw-r--  1 root root 189, 5 Jun 25 22:38 006
Last edited by Fidelius on Wed Jun 26, 2019 7:17 am, edited 1 time in total.

lramalho
Posts: 8
Joined: Mon Jul 01, 2019 10:49 am

Re: Users via ssh can't scan with Raspbian Buster anymore

Mon Jul 01, 2019 11:29 am

On raspbian strech, I could scan through my intranet, on windows using "scanimage" or "SANEWin". For that I set all configurations on the PI, I've set the listen socket service and so on, and all run well.

I was very angry when after install raspbian buster and follow all scanner configuration procedures, I couldn't remotely scan on my network as I did before.

I found this thread. I add the file /etc/udev/rules.d/70-libsane-group.rules, with the content:

ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"

and reboot my PI.

I can confirm that now it work as it did before. I'm not happy at all about this, I don't understand why things change this way causing major problems to IT personal, but for now I can deal with it.

However, on 24 hours latter in a non correlated matter I came to issue a command to the pi.

Code: Select all

$ sudo systemctl status systemd-udevd

systemd-udevd.service - udev Kernel Device Manager
   Loaded: loaded (/lib/systemd/system/systemd-udevd.service; static; vendor preset: enabled)
   Active: active (running) since Sun 2019-06-30 12:57:52 WEST; 23h ago
     Docs: man:systemd-udevd.service(8)
           man:udev(7)
 Main PID: 141 (systemd-udevd)
   Status: "Processing with 10 children at max"
    Tasks: 1
   Memory: 15.3M
   CGroup: /system.slice/systemd-udevd.service
           └─141 /lib/systemd/systemd-udevd

Jun 30 12:57:53 raspberrypi mtp-probe[172]: bus: 1, device: 6 was not an MTP device
Jun 30 12:57:53 raspberrypi systemd-udevd[148]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Jun 30 12:57:53 raspberrypi mtp-probe[170]: bus: 1, device: 3 was not an MTP device
Jun 30 12:57:53 raspberrypi systemd-udevd[147]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Jun 30 12:57:53 raspberrypi systemd-udevd[142]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Jun 30 12:57:53 raspberrypi systemd-udevd[150]: Using default interface naming scheme 'v240'.
Jun 30 12:57:53 raspberrypi systemd-udevd[144]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Jun 30 12:57:54 raspberrypi systemd-udevd[145]: Using default interface naming scheme 'v240'.
Jun 30 12:59:03 raspberrypi systemd-udevd[572]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Jun 30 12:59:05 raspberrypi systemd-udevd[572]: Process '/bin/setfacl -m g:scanner:rw ' failed with exit code 2.
Then I change /bin//setfacl -m g:scanner:rw by /usr/bin//setfacl -m g:scanner:rw on the file /etc/udev/rules.d/70-libsane-group.rules because it is where the command setfacl is located.

After reboot, I still get the error with exit code 2 except that now it shows the path:

Code: Select all

Jun 30 13:05:27 raspberrypi systemd-udevd[572]: Process '/usr/bin/setfacl -m g:scanner:rw ' failed with exit code 2.

So, it still work and I can remotely scan but I don't know how, given the fact there is an obvious error running on boot.

Questions:
1) Why developers didn't agree on something and stick with it through versions of the OS?
2) Why exactly, remote scan stop working on buster?
3) Why network remote scanning work after all, when the file /etc/udev/rules.d/70-libsane-group.rules exist, if when executing it renders in error?

4) Which are the procedures to configure sane remote scanning in the new raspbian buster, a procedure that preferably does not require adding udev rules?

5) Since many people use their PIs as server, why there is not pinned threads with updated configuration steps for printing and remote printing. scanning and remote scanning, and streaming.. and so on, and on... on this forum (unless I didn't see it)?

Thank you & sorry for my lousy English.

Return to “General discussion”