Access scanner by user requires root authentication

Hello,

I have an Epson Perfection V30 scanner (USB) and for some time now, when I want to use “Image scan for linux” (iscan), it asks for the root password with this title: “Authentication is required to manage system services or other units”. In the details I have
ident : org.freedesktop.systemd1.manage-units
Supplier: The systemd Project
polkit.subject.id:6001
polkit.caller-pid:6001

 ps -ef | grep 6001
philippe  6001  2265  0 08:49 ?        00:00:00 /usr/bin/iscan 

After the authentication, if I close the iscan program and reload it, the authentication is never asked again. It seems that the authentication is only asked on the first use of iscan after a reboot.
Scanner data

hpprol2:~ # lsusb | grep Perfection
Bus 001 Device 005: ID 04b8:0131 Seiko Epson Corp. GT-F720 [GT-S620/Perfection V30/V300 Photo]

philippe@hpprol2:~>sudo getfacl /dev/bus/usb/001/005
[sudo] Root password : 
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
group::rw-
other::r--

After authentication I have


hpprol2:~> sudo getfacl /dev/bus/usb/001/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/005
# owner: root
# group: lp
user::rw-
**user:philippe:rw-**
group::rw-
mask::rw-
other::r--

I found this document https://en.opensuse.org/SDB:Configuring_Scanners (maybe obsolete for tumbleweed?)

USB scanners and scanner units in USB multifunction devices (printer/scanner/copier) get normal-user read/write access via udev and for the printer unit in a USB multifunction device it is sufficient that the device node has group “lp” and group read/write access (also via udev) because the CUPS backend runs as user “lp” that is in group “lp”. (CUPS backends and SANE backends are different things. For CUPS backends see “What is a CUPS backend and how does it work” in SDB:CUPS in a Nutshell.)

Therefore USB scanners and USB multifunction devices get “rw-rw-r-- root lp” set for the device node which happens via /etc/udev/rules.d/55-libsane.rules (from sane-backends RPM) and for HP all-in-one devices additionally via /usr/lib/udev/rules.d/56-hpmud.rules (from the hplip RPM).

Both set ENV{libsane_matched}=“yes” and that one triggers in /usr/lib/udev/rules.d/70-uaccess.rules (from the systemd RPM) that TAG+=“uaccess” is set which triggers in /usr/lib/udev/rules.d/73-seat-late.rules (from the systemd RPM) to RUN{builtin}+=“uaccess” that manages device node user ACLs which finally results the ‘+’ in “rw-rw-r--+ root lp” (i.e. an ACL setting) for the device node.

I don’t understand why the authentication is needed;
I checked the different udev rules (now in /usr/lib/udev/rules.d) and all seems correct in the rules;

 cat 55-libsane.rules
# Epson GT-F720 | Epson GT-S620 | Epson Perfection V30
# Epson Perfection V300 Photo
ATTR{idVendor}=="04b8", ATTR{idProduct}=="0131", MODE="0664", GROUP="lp", ENV{libsane_matched}="yes"

cat 70-uaccess.rules
# SCSI and USB scanners
ENV{libsane_matched}=="yes", TAG+="uaccess"...

Journalctl -b for the user


mars 25 08:49:26 hpprol2 iscan[6001]: io/hpmud/model.c 532: no hp_HP_LaserJet_200_color_M251n attributes found in /usr/share/hplip/data/models/models.dat
mars 25 08:49:26 hpprol2 iscan[6001]: io/hpmud/model.c 543: no hp_HP_LaserJet_200_color_M251n attributes found in /usr/share/hplip/data/models/unreleased/unreleased.dat
mars 25 08:50:51 hpprol2 iscan[6001]: protocol/discovery/avahiDiscovery.c 472: Failed to create client object: Daemon not running
mars 25 08:51:20 hpprol2 systemd[2061]: app-iscan-b59055f3d3214b06a9674bf9d28ff0e6.scope: Consumed 1.092s CPU time.

My user is member of group lp. Why does iscan look to the printer HP_LaserJet_200_color_M251n (network printer with no scanner)?
Stranger still, if I cancel the authentication request, the iscan program starts and I can scan a page without problem. :open_mouth:
Journalctl with root shows


Mar 25 08:50:51 hpprol2 polkitd[755]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.102 [/usr/bin/iscan] (owned by unix-user:philippe)

Did I miss something or is it a bug?
Many thanks in advance
Philippe

I never get asked for credentials:

**erlangen:~ #** zypper se -is imagescan 
Loading repository data... 
Reading installed packages... 

S  | Name                         | Type    | Version                    | Arch   | Repository 
---+------------------------------+---------+----------------------------+--------+----------- 
i+ | imagescan                    | package | 3.65.0-1epson4opensuse15.2 | x86_64 | myrepo 
i+ | imagescan-plugin-gt-s650     | package | 1.0.3-1epson4opensuse15.2  | x86_64 | myrepo 
i+ | imagescan-plugin-networkscan | package | 1.1.4-1epson4opensuse15.2  | x86_64 | myrepo 
i+ | imagescan-plugin-ocr-engine  | package | 1.0.3-1epson4opensuse15.2  | x86_64 | myrepo 
**erlangen:~ #** lsusb -s 001:008             
Bus 001 Device 008: ID 04b8:013d Seiko Epson Corp. Epson Perfection V39 
**erlangen:~ #** getfacl /dev/bus/usb/001/008 
getfacl: Removing leading '/' from absolute path names 
# file: dev/bus/usb/001/008 
# owner: root 
# group: root 
user::rw- 
user:karl:rw- 
group::rw- 
mask::rw- 
other::rw- 

**erlangen:~ #**

Well, I guess it has got to do with this, before authentication:

hpprol2:~ # lsusb | grep Perfection
Bus 001 Device 005: ID 04b8:0131 Seiko Epson Corp. GT-F720 [GT-S620/Perfection V30/V300 Photo]

philippe@hpprol2:~>sudo getfacl /dev/bus/usb/001/005
[sudo] Root password :
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
group::rw-
other::r--

Group is root and others can only read. Similar to Karl’s, it’s working here with others having write access, too:

**server:~ #** getfacl /dev/bus/usb/002/006
getfacl: Removing leading '/' from absolute path names 
# file: dev/bus/usb/002/006 
# owner: root 
# group: lp 
user::rwx 
user:sddm:rw- 
group::rwx 
mask::rwx 
**other::rwx**
**server:~ #**

How did you set it up? I simply used YaST without any additional tweaking. And I have given up adding my users to group lp after abandoning my old parallel scanners and printers lacking the need.

Hello Karl,
Thanks for your answer. I did more testing today and it seems that this is related to systemd and HPLIP:
I have the following printers defined

# lpstat -t
scheduler is running
system default destination: HP200_PS
device for HP200_HPLIP: hp:/net/HP_LaserJet_200_color_M251n?ip=192.168.4.50
device for HP200_PCL: dnssd://HP%20LaserJet%20200%20color%20M251n%20(7F751E)._ipp._tcp.local/?uuid=434e4631-4334-3932-3030-a0d3c17f751e
device for HP200_PS: lpd://192.168.4.50/LPT1
...

I think that iscan tries to connect to the printer (that I defined a long time ago with HPLIP) using avahi and it is the start of avahi-daemon which requires authentication.
I see the following before authentication


hpprol2:~ # systemctl status avahi-daemon
○ avahi-daemon.service - Avahi mDNS/DNS-SD Stack
     Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
TriggeredBy: ○ avahi-daemon.socket
hpprol2:~ # systemctl status avahi-daemon.socket
○ avahi-daemon.socket - Avahi mDNS/DNS-SD Stack Activation Socket
     Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.socket; disabled; vendor preset: disabled)
     Active: inactive (dead)
   Triggers: ● avahi-daemon.service
     Listen: /run/avahi-daemon/socket (Stream)

==> avahi-daemon is not running
after authentication

hpprol2:~ # systemctl status avahi-daemon
* avahi-daemon.service - Avahi mDNS/DNS-SD Stack
     Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-03-25 17:32:42 CET; 4h 31min ago
TriggeredBy: * avahi-daemon.socket
   Main PID: 23539 (avahi-daemon)
     Status: "Server startup complete. Host name is hpprol2.local. Local service cookie is 3722116536."
      Tasks: 1 (limit: 4915)
        CPU: 87ms
     CGroup: /system.slice/avahi-daemon.service
             `-23539 "avahi-daemon: running [hpprol2.local]"

Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: New relevant interface lo.IPv4 for mDNS.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Network interface enumeration completed.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 192.168.4.1 on vlan4.IPv4.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 192.168.2.1 on vlan2.IPv4.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 192.168.3.1 on vlan3.IPv4.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 192.168.1.1 on vlan1.IPv4.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 192.168.1.120 on br0.IPv4.
Mar 25 17:32:42 hpprol2 avahi-daemon[23539]: Registering new address record for 127.0.0.1 on lo.IPv4.
Mar 25 17:32:43 hpprol2 avahi-daemon[23539]: Server startup complete. Host name is hpprol2.local. Local service cookie is 3722116536.

If I stop avahi-daemon then iscan asks again for authentication.

I can start avahi-daemon at boot or let it start manually by iscan. It seems that no other programs that I use require avahi-daemon.
Regards
Philippe
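The polkitd failure and the iscan avahi message quoted in the first post carry the same timestamp. The following is an added example, not part of any post in this thread: it pairs each polkitd authorization failure with what the named program logged within a couple of seconds, which is one way to see what a program was doing when it asked for `org.freedesktop.systemd1.manage-units`. The function names are hypothetical, and the script assumes the user and root journals are from the same month, since the month names differ by locale.

```python
import os
import re

# Journal lines quoted in the thread (user and root journal merged by hand).
JOURNAL = """\
mars 25 08:49:26 hpprol2 iscan[6001]: io/hpmud/model.c 532: no hp_HP_LaserJet_200_color_M251n attributes found in /usr/share/hplip/data/models/models.dat
mars 25 08:50:51 hpprol2 iscan[6001]: protocol/discovery/avahiDiscovery.c 472: Failed to create client object: Daemon not running
Mar 25 08:50:51 hpprol2 polkitd[755]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.102 [/usr/bin/iscan] (owned by unix-user:philippe)
"""

# "<month> <day> <HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE = re.compile(r"^\S+ +(\d+) (\d\d:\d\d:\d\d) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
DENIED = re.compile(
    r"FAILED to authenticate to gain authorization for action (\S+) "
    r"for system-bus-name:\S+ \[([^\]\s]+)[^\]]*\] \(owned by unix-user:([^)\s]+)\)")

def parse(text):
    """Return (day, seconds_since_midnight, process, pid, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            day, clock, proc, pid, msg = m.groups()
            h, mi, s = map(int, clock.split(":"))
            events.append((int(day), h * 3600 + mi * 60 + s, proc, int(pid), msg))
    return events

def correlate(text, window=2):
    """For every polkitd denial, collect messages the requesting program
    logged on the same day within `window` seconds of the denial."""
    events = parse(text)
    findings = []
    for day, t, proc, _pid, msg in events:
        d = DENIED.search(msg) if proc == "polkitd" else None
        if not d:
            continue
        action, binary, user = d.groups()
        name = os.path.basename(binary)  # journal tag is the program name
        nearby = [m for (dy, tt, p, _, m) in events
                  if p == name and dy == day and abs(tt - t) <= window]
        findings.append({"action": action, "binary": binary,
                         "user": user, "nearby": nearby})
    return findings

if __name__ == "__main__":
    for f in correlate(JOURNAL):
        print(f["user"], f["binary"], f["action"], f["nearby"])
```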

Did you install their package for the Perfection V30?

karl@erlangen:~> ll -rt Downloads/iscan-gt-f720-bundle-2.30.4.x64.rpm.tar.gz 
-rw-r--r-- 1 karl users 618057 26. Mär 05:36 Downloads/iscan-gt-f720-bundle-2.30.4.x64.rpm.tar.gz
karl@erlangen:~> 

This Epson V30 scanner uses Epson’s proprietary epkowa driver and is controlled by iscan from Packman or from the Epson site.


hpprol2:~ # scanimage -L
device `epkowa:interpreter:001:005' is a Epson Perfection V30 flatbed scanner

hpprol2:~ # zypper se  -v esci-interpreter-gt-f720
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version | Arch   | Repository
---+--------------------------+---------+---------+--------+------------------
i+ | esci-interpreter-gt-f720 | package | 0.1.1-2 | x86_64 |  Epson
    name: esci-interpreter-gt-f720

hpprol2:~ # zypper se  -iv iscan
Loading repository data...
Reading installed packages...

S  | Name              | Type       | Version      | Arch   | Repository
---+-------------------+------------+--------------+--------+-----------
i+ | iscan             | package    | 2.30.4-5.278 | x86_64 | Packman
    name: iscan
i+ | iscan-data        | package    | 1.39.1-5.278 | noarch | Packman
    name: iscan-data

As far as I see, the esci-interpreter can also be downloaded from Packman, as this binary is included in the iscan-plugin package from Packman, but I don’t think that they are different.
Regards
Philippe

I guess one pragmatic option would be to have avahi-daemon.service enabled so that it is active from boot?

They are different:

karl@erlangen:~/Downloads/iscan-bundle-2.30.4.x64.rpm> ./install.sh --dry-run 
zypper --non-interactive --no-gpg-checks install ./core/iscan-2.30.4-2.x86_64.rpm ./data/iscan-data-1.39.2-1.noarch.rpm ./plugins/iscan-network-nt-1.1.2-1.x86_64.rpm 
karl@erlangen:~/Downloads/iscan-bundle-2.30.4.x64.rpm> 

avahi-daemon.socket may be enough. If yes, it would avoid having daemon running until someone actually queries it.

Hello Karl,
I removed the old esci-interpreter-gt-f720 from Epson and installed iscan-plugin and iscan-firmware from Packman. But after reboot iscan cannot start, giving a warning “a command cannot be sent to the scanner”. >:(
I removed the iscan-plugin and iscan-firmware and reinstalled the original esci-interpreter from Epson and the iscan program started without problem.

Regards
Philippe

Hello,

I enabled and started avahi-daemon.socket but when starting iscan, it asks for authentication.

Regards
Philippe

You may try these from the Epson website:

karl@erlangen:~/Downloads/iscan-gt-f720-bundle-2.30.4.x64.rpm> ./install.sh --dry-run
zypper --non-interactive --no-gpg-checks install ./core/iscan-2.30.4-2.x86_64.rpm ./data/iscan-data-1.39.2-1.noarch.rpm ./plugins/esci-interpreter-gt-f720-1.0.0-1.x86_64.rpm 
karl@erlangen:~/Downloads/iscan-gt-f720-bundle-2.30.4.x64.rpm> 

The esci-interpreter-f720-1.0.0-1 from the Epson site works, but it also asks for authentication.

Not a big problem: I’ll enable avahi-daemon.service

Regards
Philippe