Friday, August 8, 2014

[solved] yet another CUPS related failure -- interference with xsane.

We've all encountered the problem with Xsane where it fails to detect a properly attached USB scanner. Many times this is due to an error in permissions around the scanning group -- the scanner will only be detected as root. Here's a variant: detection fails in both root and user modes because of CUPS. On my system, if CUPS is running, the scanner cannot be detected as user or as root. No informative error message explaining this is displayed.

There are many ways to determine if the CUPS daemon is running, most involving root. The fastest way is to remember "I just used the printer", but another way from user-space is:
$ lpstat
lpstat: Bad file descriptor
lpstat returns this message when CUPS is not running, and will return a blank line if CUPS is running.

Depending on one's distribution, disable CUPS with...
# systemctl stop cups
Once CUPS is deactivated, Xsane should again detect the scanner in user mode if permissions are properly set.

CUPS accesses stand-alone boxes through loopback privileges into localhost, and the CUPS daemon runs under root. Looping back has associated permission locks which apparently block USB detection, though I'm not sure. Anyway, turn CUPS off and scan normally.
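
An added example, not from the original post: a POSIX shell wrapper that pauses CUPS only for the duration of a scan and restarts it afterward, so printing is not left disabled. The function names are hypothetical; it assumes a systemd service named cups as in the command above, root for the stop/start, and uses `lpstat -r` and SANE's `scanimage -L`.

```shell
#!/bin/sh
# Added example: stop CUPS for one scan, then restore it.
# Function names are hypothetical; "cups" is the service name used above.

# Return 0 if the CUPS scheduler is running, 1 otherwise.
# `lpstat -r` works from user space and prints
# "scheduler is running" or "scheduler is not running".
cups_running() {
    _out=$(lpstat -r 2>/dev/null || true)
    case "$_out" in
        *"not running"*) return 1 ;;
        *"is running"*)  return 0 ;;
        *)               return 1 ;;   # no answer or lpstat missing
    esac
}

# Run the given command with CUPS stopped. CUPS is restarted only if
# this function stopped it, and the command's exit status is returned.
scan_with_cups_paused() {
    _stopped=0
    if cups_running; then
        systemctl stop cups || {
            echo "could not stop cups (need root?)" >&2
            return 2
        }
        _stopped=1
    fi
    _rc=0
    "$@" || _rc=$?
    if [ "$_stopped" -eq 1 ]; then
        systemctl start cups || echo "warning: cups was not restarted" >&2
    fi
    return "$_rc"
}

# Stand-alone use: sh scan-paused.sh --run [command...]
# With no command given, list the scanners SANE can see.
if [ "${1:-}" = "--run" ]; then
    shift
    [ "$#" -gt 0 ] || set -- scanimage -L
    scan_with_cups_paused "$@"
fi
```

Run it as root with `--run`; any scan command can follow, for example `xsane`.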


Editorial: Since the majority of Linux users are stand-alone users with non-network printers, I consider it a conceit of CUPS developers not to have created a simple stand-alone variant which doesn't need the spaghetti or security issues of loopback privileges. When one considers that the CUPS code is 20 years mature, that its PPDs are actively updated by others, and that only a few lines of code are likely necessary to access USB ports, it becomes annoying. Currently, many CUPS installations require more knowledge of group manipulation than most Linux users possess. More important are the security liabilities created by loopback access. Few advanced users, and probably no average users, possess the significant PAM, LDAP, port scrambling, ipchains, etc., knowledge to be certain they've closed less obvious loopback security holes. Given the normal desire of Linux users to print, and the lack of any direct stand-alone solution, it's possible many of our systems are quietly compromised.
