pyrox.dev / nixpkgs
lol
fork atom

nixos/sane: ensure saned can access usb scanners

For a user to be able to scan with an USB scanner, it must have write access
to the corresponding file in /dev/bus/usb. Enabling the sane module
adds SANE's upstream hwdb file and udev rules to udev search path. The
hwdb file tags the scanner as `libsane_matched` and a builtin (from
systemd upstream) udev rule marks all `libsane_matched` devices as
uaccess. When a physical user logins, logind adds an acl allowing them
to write to the device.

Unfortunately, saned is a daemon. Therefore, uaccess has no effect for
it, and if no other udev rule changes the device to belong to the
scanner group or the lp group, (there are such rules, but they are not
complete enough, in that some scanners known by SANE rules are not known
by these rules), it will not be able to write to the scanner.

This solves this by adding a udev rule so that all libsane_matched
devices have an acl rules so that users in the scanner group can write.

A similar rule is present on Arch and Debian at least.

Note that we don't chgroup the file instead, because this posed problems
in the past: scanners are often also printers, and a device's group
cannot be simultaneously lp and scanner.

Fixes: https://github.com/NixOS/nixpkgs/issues/361981

Guillaume Girol 7d0c25dc d3c42f18

options
unified split
Changed files
+6
nixos
modules
services
hardware
sane.nix
+6
nixos/modules/services/hardware/sane.nix 
···

       
184

       
 

       
      environment.etc."sane-config".source = config.hardware.sane.configDir;


     

       
185

       
 

       
      environment.etc."sane-libs".source = "${saneConfig}/lib/sane";


     

       
186

       
 

       
      services.udev.packages = backends;


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
187

       
 

       



     

       
188

       
 

       
      users.groups.scanner.gid = config.ids.gids.scanner;


     

       
189

       
 

       
      networking.firewall.allowedUDPPorts = lib.mkIf config.hardware.sane.openFirewall [ 8612 ];


     
···

       
184

       
 

       
      environment.etc."sane-config".source = config.hardware.sane.configDir;


     

       
185

       
 

       
      environment.etc."sane-libs".source = "${saneConfig}/lib/sane";


     

       
186

       
 

       
      services.udev.packages = backends;


     

       
187

       
+

       
      # sane sets up udev rules that tag scanners with `uaccess`. This way, physically logged in users


     

       
188

       
+

       
      # can access them without belonging to the `scanner` group. However, the `scanner` user used by saned


     

       
189

       
+

       
      # does not have a real logind seat, so `uaccess` is not enough.


     

       
190

       
+

       
      services.udev.extraRules = ''


     

       
191

       
+

       
        ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="${pkgs.acl}/bin/setfacl -m g:scanner:rw $env{DEVNAME}"


     

       
192

       
+

       
      '';


     

       
193

       
 

       



     

       
194

       
 

       
      users.groups.scanner.gid = config.ids.gids.scanner;


     

       
195

       
 

       
      networking.firewall.allowedUDPPorts = lib.mkIf config.hardware.sane.openFirewall [ 8612 ];