How to obtain permission to use scanner

[bicyclesonthemoon]

I replaced computer, and installed Debian 10 amd64 with LXDE.
Previous had Debian 9 i386

I wanted to use my scanner, CanoScan LiDE 300, with xsane.
It is on the list of supported devices.
But not on the version of libsane available on package manager.
So I downloaded the original sources and compiled it.

Now I can use the scanner.
But only as root.

From what I remembered user has to be part of scanner group.
But already is.

https://wiki.debian.org/Scanner#Permissions
says that it is not that simple any more and that I permission for usb device usage.
And points to
https://bugs.debian.org/cgi-bin/bugrepo ... =918358#12
which tells that this is solved by adding
ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
to /etc/udev/rules.d/65-libsane.rules.
Actually, I found out that the actual location of the file is /lib/udev/rules.d/60-libsane.rules.
Anyway, adding such line does not help.

I don't know how to continue.

Edited to add: I found out that /bin/setfacl is wrong. /usr/bin/setfacl must be used instead because that's where it is.
But changing this doesn't help.

[arochester]

Have you downloaded the driver/firmware from Canon?

https://www.usa.canon.com/internet/port ... _downloads

[bicyclesonthemoon]

Have you downloaded the driver/firmware from Canon?

I have not.
But it is not the source of my problem.

I can use the scanner from the root account.
I can also use the scanner when I manually add read and write permission to the /dev/bus/usb/*/* file which represents the scanner (but this of course works only until scanner disconnected or computer restarted)

Now I replaced the command
/usr/bin/setfacl -m g:scanner:rw $env{DEVNAME}
with my own debug program which writes its command line arguments to a file, and then calls the setfacl and I see that when I reconnect the scanner nothing new is written.
This means that the /usr/bin/setfacl -m g:scanner:rw $env{DEVNAME} is never executed.
But I don't know if that's because ENV{libsane_matched}=="yes" is not fulfilled or the whole file /lib/udev/rules.d/60-libsane.rules is omitted for some reason.
I don't know how to debug it.

Edited to add:
I did more debugging and now I see that indeed the condition ENV{libsane_matched}=="yes" is not fulfilled.

Edited to add again:
I have a solution
A rule has to be added:

#LiDE 300
ATTRS{idVendor}=="04a9", ATTRS{idProduct}=="1913", ENV{libsane_matched}="yes"

and the aforementioned command has to be moved to a place which is actually executed.
And this makes it work!

However, I noticed that something has changed in this version of Debian:
The USB devices have been moved to /lib/udev/hwdb.d/20-sane.hwdb
So I could also add it there:

# Canon CanoScan LiDE 300
usb:v04A9p1913*
libsane_matched=yes

but doing just that and rebooting doesn't help. So I had to stick to the solution of adding to 60-libsane.rules as described above, even though Debian does it differently these days.

Where is the new approach documented?
Where does it come from?

[gurfle]

I have the same problem in Debian 12.5.
The scanner is a Panasonic KX-MB1520 and is all set up to work properly, but unfortunately as root only.
I understand most of what bicyclesonthemoon says, except what appears to be key to his solution

Code: Select all

I have a solution
A rule has to be added:

#LiDE 300
ATTRS{idVendor}=="04a9", ATTRS{idProduct}=="1913", ENV{libsane_matched}="yes"

and the aforementioned command has to be moved to a place which is actually executed.
And this makes it work!

1) I figure the "rule has to be added" to /usr/lib/udev/rules.d/60-libsane1.rules (changed in Debian 12 from 60-libsane.rules in Debian 10) and in my case the rule entry has to be

Code: Select all

ATTRS{idVendor}=="04da", ATTRS{idProduct}=="0f0b", MODE="0664", GROUP="scanner", ENV{libsane_matched}="yes"

2) How do you do "the aforementioned command has to be moved to a place which is actually executed" ?

This seems to be the key element I am not getting right: I am totally unclear where that happens. What script or configuration file has to be modified, and how?

Since only root has the relevant permissions, I suspect we're talking about making

Code: Select all

/usr/bin/setfacl -m g:scanner:rw $env{DEVNAME}

somehow work, but in this form I have no idea where to put it so the environment variables are properly substituted.

Any clues will be greatly appreciated!

[CwF]

I'm guessing!
Put the modified rule in /etc/udev/rules.d/

And maybe add scanner to your user's groups.

[gurfle]

Thanks for the idea, CwF.

Of course I have made sure that I am in the scanner group.

There was nothing in /etc/udev/rules.d/ so I just copied the two files
/usr/lib/udev/rules.d/99-libsane1.rules and
/usr/lib/udev/rules.d/60-libsane1.rules into
/etc/udev/rules.d/
but sadly that makes no difference.

/usr/lib/udev/rules.d/99-libsane1.rules has nothing but what seems the critical rule entry

Code: Select all

ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="/usr/bin/setfacl -m g:scanner:rw $env{DEVNAME};"

in it and
/usr/lib/udev/rules.d/60-libsane1.rules has the identifying information for the Panasonic device:

Code: Select all

ATTRS{idVendor}=="04da", ATTRS{idProduct}=="0f0b", MODE="0664", GROUP="scanner", ENV{libsane_matched}="yes"

Still at a complete loss here

This makes me curious though: What is the difference in function between the two directories
/usr/lib/udev/rules.d/ and
/etc/udev/rules.d/

The former comes packed with files relating to over 100 devices, but the latter comes empty.

[gurfle]

I just ran a successful scan from root again with this debugging command

Code: Select all

echo OK ... $env{libsane_matched} ... $env{DEVNAME} >> /home/nick/x/x 2>&1

added to both 99-libsane1.rules:

Code: Select all

ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="/usr/bin/setfacl -m g:scanner:rw $env{DEVNAME}; echo OK ... $env{libsane_matched} ... $env{DEVNAME} >> /home/nick/x/x 2>&1"

Since no output whatsoever went to the file /home/nick/x/x which I had previously created with rw permission to the world - it wasn't even touched, I am thinking that none of these configuration files are relevant, and I should be looking somewhere else !?!

[EDIT - ignore, since the issue raised here is resolved in the next follow up post:]
I am stymied in further debugging by not having a clue where the "file path" to the scanner might be. I would expect it to be somewhere under /dev, but nothing obvious pops up.

Code: Select all

root@nickspanasonic:~# ls -al /dev/usb
total 0
drwxr-xr-x  2 root root     80 Apr 20 11:06 .
drwxr-xr-x 19 root root   3800 Apr 20 11:06 ..
crw-------  1 root root 180, 0 Apr 20 11:05 hiddev0
crw-rw----  1 root lp   180, 1 Apr 20 11:06 lp1
root@nickspanasonic:~# 

hiddev0 might be (I've seen an online reference to a scanner there), but when I unplug the usb cable to it (also serving as printer connection), lp1 goes away, but not hiddev0. I also tried all sorts of permission changes on it to no avail.
While running a scan as root, the time stamp does not get updated, so that would indicate to me /dev/hiddev0 is not the path to the scanner.

Maybe I should look somewhere else under /dev
or maybe in /proc
or perhaps /sys/devices

Or could it be there is no "file path" to it at all? That would be strange, since the use of setfacl requires one to do what t needs to do.

[gurfle]

OK . . . Finally figured out that the path to a usb device is /dev/bus/usb/Bus#/Device#, where Bus# and Device# are found in the output from the command lsusb. E.g. presently for me I have the scanner on Bus 001 Device 007, as seen here (under "Panasonic (Matsushita) KX-MB1520"), and now I can immediately get simple-scan to work by a user in the "scanner" group after running "sudo setfacl":

Code: Select all

nick@nickspanasonic:~$ lsusb
Bus 002 Device 002: ID 0424:5744 Microchip Technology, Inc. (formerly SMSC) Hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 003: ID 056a:5018 Wacom Co., Ltd MultiTouch Sensor  
Bus 001 Device 007: ID 04da:0f0b Panasonic (Matsushita) KX-MB1520
Bus 001 Device 004: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 001 Device 002: ID 0424:2744 Microchip Technology, Inc. (formerly SMSC) Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
nick@nickspanasonic:~$ getfacl --tabular /dev/bus/usb/001/007
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/007
USER   root      rw-     
GROUP  lp        rw-     
other            r--     

nick@nickspanasonic:~$ sudo /usr/bin/setfacl -m g:scanner:rw /dev/bus/usb/001/007
[sudo] password for nick: 
nick@nickspanasonic:~$ getfacl --tabular /dev/bus/usb/001/007
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/007
USER   root      rw-     
GROUP  lp        rw-     
group  scanner   rw-     
mask             rw-     
other            r--     

nick@nickspanasonic:~$ 

So it's just a permission problem on the usb path (no issues with driver setup) and the problem looks like it has to do with the the rules needed to get setfacl to run in

Code: Select all

/usr/lib/udev/rules.d/60-libsane1.rules
/usr/lib/udev/rules.d/99-libsane1.rules

for some yet unknown reason not being used (apparently not an issue when running simple-scan as root).

How to troubleshoot that?

[CwF]

This makes me curious though: What is the difference in function between the two directories
/usr/lib/udev/rules.d/ and
/etc/udev/rules.d/

etc overides and/or extends usr, and is not overwritten by an update.

How to troubleshoot that?

Not sure.
Check if the program has a policy file defining program rights.
Or just ask polkit - look through the pkaction list for anything relevant.

Code: Select all

$ pkaction

[gurfle]

Thanks again CwF!
Your comment on the difference between
/usr/lib/udev/rules.d/ and
/etc/udev/rules.d/
is very useful, and so I will ignore the latter for now.

Unfortunately I cannot make much headway regarding the policy issue, an area I am totally unfamiliar with, and pkaction doesn't seem to reveal anything relevant to me, but in case someone else can see something suspicious, here is the output:

Code: Select all

nick@nickspanasonic:~$ pkaction
com.endlessm.ParentalControls.AccountInfo.ChangeAny
com.endlessm.ParentalControls.AccountInfo.ChangeOwn
com.endlessm.ParentalControls.AccountInfo.ReadAny
com.endlessm.ParentalControls.AccountInfo.ReadOwn
com.endlessm.ParentalControls.AppFilter.ChangeAny
com.endlessm.ParentalControls.AppFilter.ChangeOwn
com.endlessm.ParentalControls.AppFilter.ReadAny
com.endlessm.ParentalControls.AppFilter.ReadOwn
com.endlessm.ParentalControls.SessionLimits.ChangeAny
com.endlessm.ParentalControls.SessionLimits.ChangeOwn
com.endlessm.ParentalControls.SessionLimits.ReadAny
com.endlessm.ParentalControls.SessionLimits.ReadOwn
com.ubuntu.pkexec.synaptic
com.ubuntu.softwareproperties.applychanges
net.hadess.PowerProfiles.hold-profile
net.hadess.PowerProfiles.switch-profile
org.dpkg.pkexec.update-alternatives
org.freedesktop.DisplayManager.AccountsService.ModifyAny
org.freedesktop.DisplayManager.AccountsService.ModifyOwn
org.freedesktop.DisplayManager.AccountsService.ReadAny
org.freedesktop.MalcontentControl.administration
org.freedesktop.ModemManager1.Contacts
org.freedesktop.ModemManager1.Control
org.freedesktop.ModemManager1.Device.Control
org.freedesktop.ModemManager1.Firmware
org.freedesktop.ModemManager1.Location
org.freedesktop.ModemManager1.Messaging
org.freedesktop.ModemManager1.Time
org.freedesktop.ModemManager1.USSD
org.freedesktop.ModemManager1.Voice
org.freedesktop.NetworkManager.checkpoint-rollback
org.freedesktop.NetworkManager.enable-disable-connectivity-check
org.freedesktop.NetworkManager.enable-disable-network
org.freedesktop.NetworkManager.enable-disable-statistics
org.freedesktop.NetworkManager.enable-disable-wifi
org.freedesktop.NetworkManager.enable-disable-wimax
org.freedesktop.NetworkManager.enable-disable-wwan
org.freedesktop.NetworkManager.network-control
org.freedesktop.NetworkManager.reload
org.freedesktop.NetworkManager.settings.modify.global-dns
org.freedesktop.NetworkManager.settings.modify.hostname
org.freedesktop.NetworkManager.settings.modify.own
org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.sleep-wake
org.freedesktop.NetworkManager.wifi.scan
org.freedesktop.NetworkManager.wifi.share.open
org.freedesktop.NetworkManager.wifi.share.protected
org.freedesktop.RealtimeKit1.acquire-high-priority
org.freedesktop.RealtimeKit1.acquire-real-time
org.freedesktop.accounts.change-own-password
org.freedesktop.accounts.change-own-user-data
org.freedesktop.accounts.set-login-option
org.freedesktop.accounts.user-administration
org.freedesktop.bolt.authorize
org.freedesktop.bolt.enroll
org.freedesktop.bolt.manage
org.freedesktop.color-manager.create-device
org.freedesktop.color-manager.create-profile
org.freedesktop.color-manager.delete-device
org.freedesktop.color-manager.delete-profile
org.freedesktop.color-manager.device-inhibit
org.freedesktop.color-manager.install-system-wide
org.freedesktop.color-manager.modify-device
org.freedesktop.color-manager.modify-profile
org.freedesktop.color-manager.sensor-lock
org.freedesktop.fwupd.device-activate
org.freedesktop.fwupd.device-unlock
org.freedesktop.fwupd.downgrade-hotplug
org.freedesktop.fwupd.downgrade-hotplug-trusted
org.freedesktop.fwupd.downgrade-internal
org.freedesktop.fwupd.downgrade-internal-trusted
org.freedesktop.fwupd.get-bios-settings
org.freedesktop.fwupd.modify-config
org.freedesktop.fwupd.modify-remote
org.freedesktop.fwupd.self-sign
org.freedesktop.fwupd.set-approved-firmware
org.freedesktop.fwupd.set-bios-settings
org.freedesktop.fwupd.update-hotplug
org.freedesktop.fwupd.update-hotplug-trusted
org.freedesktop.fwupd.update-internal
org.freedesktop.fwupd.update-internal-trusted
org.freedesktop.fwupd.verify-update
org.freedesktop.hostname1.get-description
org.freedesktop.hostname1.get-hardware-serial
org.freedesktop.hostname1.get-product-uuid
org.freedesktop.hostname1.set-hostname
org.freedesktop.hostname1.set-machine-info
org.freedesktop.hostname1.set-static-hostname
org.freedesktop.locale1.set-keyboard
org.freedesktop.locale1.set-locale
org.freedesktop.login1.attach-device
org.freedesktop.login1.chvt
org.freedesktop.login1.flush-devices
org.freedesktop.login1.halt
org.freedesktop.login1.halt-ignore-inhibit
org.freedesktop.login1.halt-multiple-sessions
org.freedesktop.login1.hibernate
org.freedesktop.login1.hibernate-ignore-inhibit
org.freedesktop.login1.hibernate-multiple-sessions
org.freedesktop.login1.inhibit-block-idle
org.freedesktop.login1.inhibit-block-shutdown
org.freedesktop.login1.inhibit-block-sleep
org.freedesktop.login1.inhibit-delay-shutdown
org.freedesktop.login1.inhibit-delay-sleep
org.freedesktop.login1.inhibit-handle-hibernate-key
org.freedesktop.login1.inhibit-handle-lid-switch
org.freedesktop.login1.inhibit-handle-power-key
org.freedesktop.login1.inhibit-handle-reboot-key
org.freedesktop.login1.inhibit-handle-suspend-key
org.freedesktop.login1.lock-sessions
org.freedesktop.login1.manage
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions
org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-ignore-inhibit
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.set-reboot-parameter
org.freedesktop.login1.set-reboot-to-boot-loader-entry
org.freedesktop.login1.set-reboot-to-boot-loader-menu
org.freedesktop.login1.set-reboot-to-firmware-setup
org.freedesktop.login1.set-self-linger
org.freedesktop.login1.set-user-linger
org.freedesktop.login1.set-wall-message
org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-ignore-inhibit
org.freedesktop.login1.suspend-multiple-sessions
org.freedesktop.network1.forcerenew
org.freedesktop.network1.reconfigure
org.freedesktop.network1.reload
org.freedesktop.network1.renew
org.freedesktop.network1.revert-dns
org.freedesktop.network1.revert-ntp
org.freedesktop.network1.set-default-route
org.freedesktop.network1.set-dns-over-tls
org.freedesktop.network1.set-dns-servers
org.freedesktop.network1.set-dnssec
org.freedesktop.network1.set-dnssec-negative-trust-anchors
org.freedesktop.network1.set-domains
org.freedesktop.network1.set-llmnr
org.freedesktop.network1.set-mdns
org.freedesktop.network1.set-ntp-servers
org.freedesktop.packagekit.cancel-foreign
org.freedesktop.packagekit.clear-offline-update
org.freedesktop.packagekit.package-downgrade
org.freedesktop.packagekit.package-eula-accept
org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.package-install-untrusted
org.freedesktop.packagekit.package-reinstall
org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.repair-system
org.freedesktop.packagekit.system-network-proxy-configure
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-trust-signing-key
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.trigger-offline-update
org.freedesktop.packagekit.trigger-offline-upgrade
org.freedesktop.packagekit.upgrade-system
org.freedesktop.policykit.exec
org.freedesktop.realmd.configure-realm
org.freedesktop.realmd.deconfigure-realm
org.freedesktop.realmd.discover-realm
org.freedesktop.realmd.login-policy
org.freedesktop.systemd1.bypass-dump-ratelimit
org.freedesktop.systemd1.manage-unit-files
org.freedesktop.systemd1.manage-units
org.freedesktop.systemd1.reload-daemon
org.freedesktop.systemd1.reply-password
org.freedesktop.systemd1.set-environment
org.freedesktop.timedate1.set-local-rtc
org.freedesktop.timedate1.set-ntp
org.freedesktop.timedate1.set-time
org.freedesktop.timedate1.set-timezone
org.freedesktop.timesync1.set-runtime-servers
org.freedesktop.udisks2.ata-check-power
org.freedesktop.udisks2.ata-secure-erase
org.freedesktop.udisks2.ata-smart-enable-disable
org.freedesktop.udisks2.ata-smart-selftest
org.freedesktop.udisks2.ata-smart-simulate
org.freedesktop.udisks2.ata-smart-update
org.freedesktop.udisks2.ata-standby
org.freedesktop.udisks2.ata-standby-other-seat
org.freedesktop.udisks2.ata-standby-system
org.freedesktop.udisks2.cancel-job
org.freedesktop.udisks2.cancel-job-other-user
org.freedesktop.udisks2.eject-media
org.freedesktop.udisks2.eject-media-other-seat
org.freedesktop.udisks2.eject-media-system
org.freedesktop.udisks2.encrypted-change-passphrase
org.freedesktop.udisks2.encrypted-change-passphrase-system
org.freedesktop.udisks2.encrypted-lock-others
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-crypttab
org.freedesktop.udisks2.encrypted-unlock-other-seat
org.freedesktop.udisks2.encrypted-unlock-system
org.freedesktop.udisks2.filesystem-fstab
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat
org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.udisks2.filesystem-take-ownership
org.freedesktop.udisks2.filesystem-unmount-others
org.freedesktop.udisks2.loop-delete-others
org.freedesktop.udisks2.loop-modify-others
org.freedesktop.udisks2.loop-setup
org.freedesktop.udisks2.manage-md-raid
org.freedesktop.udisks2.manage-swapspace
org.freedesktop.udisks2.modify-device
org.freedesktop.udisks2.modify-device-other-seat
org.freedesktop.udisks2.modify-device-system
org.freedesktop.udisks2.modify-drive-settings
org.freedesktop.udisks2.modify-system-configuration
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system
org.freedesktop.udisks2.power-off-drive
org.freedesktop.udisks2.power-off-drive-other-seat
org.freedesktop.udisks2.power-off-drive-system
org.freedesktop.udisks2.read-system-configuration-secrets
org.freedesktop.udisks2.rescan
org.gnome.controlcenter.datetime.configure
org.gnome.controlcenter.remote-login-helper
org.gnome.controlcenter.user-accounts.administration
org.gnome.gnome-system-monitor.kill
org.gnome.gnome-system-monitor.renice
org.gnome.gparted
org.gnome.settings-daemon.plugins.power.backlight-helper
org.gnome.settings-daemon.plugins.wacom.wacom-led-helper
org.gnome.settings-daemon.plugins.wacom.wacom-oled-helper
org.gtk.vfs.file-operations
org.gtk.vfs.file-operations-helper
org.mate.cpufreqselector
org.mate.mate-system-monitor.kill
org.mate.mate-system-monitor.renice
org.mate.power.backlight-helper
org.mate.randr.install-system-wide
org.mate.settingsdaemon.datetimemechanism.configurehwclock
org.mate.settingsdaemon.datetimemechanism.settime
org.mate.settingsdaemon.datetimemechanism.settimezone
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings
org.x.xf86-video-intel.backlight-helper
nick@nickspanasonic:~$ 

There is something else pretty weird though - maybe related, maybe irrelevant:
I have never gotten sane-find-scanner to find this particular scanner (which is a multi function printer+scanner, and the usb device is setup in the lp group when plugged in), but I just discovered the weirdest thing with sane-find-scanner - as soon as I get permission to access the usb device the scanner is on, sane-find-scanner doesn't even report its existence. For example, here is what happens when giving myself access via setfacl:

Code: Select all

nick@nickspanasonic:~$ sane-find-scanner

  # sane-find-scanner will now attempt to detect your scanner. If the
  # result is different from what you expected, first make sure your
  # scanner is powered up and properly connected to your computer.

  # No SCSI scanners found. If you expected something different, make sure that
  # you have loaded a kernel SCSI driver for your SCSI adapter.

could not open USB device 0x0424/0x5744 at 002:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0003 at 002:001: Access denied (insufficient permissions)
could not open USB device 0x8087/0x0a2b at 001:005: Access denied (insufficient permissions)
could not open USB device 0x056a/0x5018 at 001:003: Access denied (insufficient permissions)
could not open USB device 0x04da/0x0f0b at 001:006: Access denied (insufficient permissions)
could not open USB device 0x045e/0x0745 at 001:004: Access denied (insufficient permissions)
could not open USB device 0x0424/0x2744 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
  # No USB scanners found. If you expected something different, make sure that
  # you have loaded a kernel driver for your USB host controller and have setup
  # the USB system correctly. See man sane-usb for details.

  # Not checking for parallel port scanners.

  # Most Scanners connected to the parallel port or other proprietary ports
  # can't be detected by this program.

  # You may want to run this program as root to find all devices. Once you
  # found the scanner devices, be sure to adjust access permissions as
  # necessary.
nick@nickspanasonic:~$ sudo /usr/bin/setfacl -m g:scanner:rw /dev/bus/usb/001/006
[sudo] password for nick: 
nick@nickspanasonic:~$ sane-find-scanner

  # sane-find-scanner will now attempt to detect your scanner. If the
  # result is different from what you expected, first make sure your
  # scanner is powered up and properly connected to your computer.

  # No SCSI scanners found. If you expected something different, make sure that
  # you have loaded a kernel SCSI driver for your SCSI adapter.

could not open USB device 0x0424/0x5744 at 002:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0003 at 002:001: Access denied (insufficient permissions)
could not open USB device 0x8087/0x0a2b at 001:005: Access denied (insufficient permissions)
could not open USB device 0x056a/0x5018 at 001:003: Access denied (insufficient permissions)
could not open USB device 0x045e/0x0745 at 001:004: Access denied (insufficient permissions)
could not open USB device 0x0424/0x2744 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
  # No USB scanners found. If you expected something different, make sure that
  # you have loaded a kernel driver for your USB host controller and have setup
  # the USB system correctly. See man sane-usb for details.

  # Not checking for parallel port scanners.

  # Most Scanners connected to the parallel port or other proprietary ports
  # can't be detected by this program.

  # You may want to run this program as root to find all devices. Once you
  # found the scanner devices, be sure to adjust access permissions as
  # necessary.
nick@nickspanasonic:~$ 

So after adding myself to the scanner group in ACL, "USB device 0x04da/0x0f0b at 001:006" no longer shows up in the list of usb devices sane-find-scanner reports. Any way of giving me access to /dev/bus/usb/001/006 causes this same behavior, which is totally "insane", since that is precisely when I am able to actually use the scanner, and sane-find-scanner doesn't even recognize the usb connection's existence!

Just for the record (and rather oddly to me), simple-scan recognizes the scanner if I just add myself to the lp group (and, as noted above sane-find-scanner then fails to list it). lp is the group the usb device the scanner is assigned to when plugged in:

Code: Select all

nick@nickspanasonic:~$ ls -al /dev/bus/usb/001/006
crw-rw-r--+ 1 root lp 189, 5 Apr 21 11:14 /dev/bus/usb/001/006
nick@nickspanasonic:~$

This is probably the most convenient hack of a solution, though probably not advisable, and certainly not kosher.
Other ways I have checked that get it to work, besides using setfacl, are changing the usb device group to scanner with chown, or granting world access to it with chmod, but clearly neither of those are any more useful than the setfacl approach, and certainly not advisable anyway.

I have no idea if any of this brings us any closer to a solution, but this is where I have gotten to now - maybe just add myself to the lp group?

[CwF]

I have no idea if any of this brings us any closer to a solution

It's beyond me, I'm not so familiar with the category. The last scanner I touched needed a 25>50 pin adapter, that was adapted from a 68 pin. I think things have changed!

It's here, let's hope someone is more familiar and runs across this.

I thought to check the polkit side of things since USBView uses it to see what it can. Maybe check what it says.

Is it something that could be done with a script, attached to a button or user menu for a gui, where you could slip a sudo or doas into the script?

since that is precisely when I am able to actually use the scanner, and sane-find-scanner doesn't even recognize the usb connection's existence!

well, another thought is the driver, and/or udev definitions are incomplete somehow. Any working examples you've found on other distro's?

[gurfle]

Thanks again CwF for all your suggestions.

This is what I am going to have to live with for now, and is really as conveient as can be, even if rather peculiar, and possibly not totally advisable:

Add my userid to the lp group

Here is one other strange thing that may offer clues as to what is so peculiar about this whole affair:

I can even get the scanner to function flawlessly after clearing out all libsane rules files from
/usr/lib/udev/rules.d and
/etc/udev/rules.d

I am going to have to bail on this question for a few days (will not have the scanner to play with anyway), but will definitely check to see if anyone comes up with some thoughts as soon as I return.

Thanks once again for all the ideas and help. At least everything is quite functional for me now, even if a bit whacky

[gurfle]

In summary (and this may only apply to my scanner, which is a multi-function (printer+scanner+copier+fax) Panasonic KX-MB1520, and for which the necessary drivers are here):

In spite of needing to do so in Debian 9.2 (Stretch), from which I just upgraded to 12.5 (Bookworm), and the instructions on the Panasonic website continuing to make claims to this effect, no rules are needed in
/usr/lib/udev/rules.d and
/etc/udev/rules.d

Instead all that is needed after installing the relevant driver is to add your uderid to the lp group, since that is the group udev assigns to the multifunction device. Since it looks like I got already assigned to the scanner group automatically, if the device were just a scanner (i.e. not also a printer) udev may assign it to the scanner group automatically when connected to a usbport, and the step of adding the userid to the lp group not necessary (or even do anything anyway).

My posts here are really just a followup to the topic I started here when trying to get this same device to scan in Debian Squeeze through Stretch, and which I will now update with a reference to these posts for Bookworm.