HPLIP device permissions with ConsoleKit

preferences-systemFedora 8 will use ConsoleKit instead of pam_console for granting console users access to attached devices. Here is how ConsoleKit is used in the Fedora HPLIP package to grant access to both console users and the system print spooler.

With HPLIP in Fedora 7 and earlier there was a system process running in the background for I/O access to HP printers. When a job is printed, CUPS runs the HPLIP backend. The backend hands the job off to the HPLIP daemon, which deals with the actual device access. Under this scheme, permissions were easy: the device nodes just had to be accessible to the HPLIP daemon.

The version of HPLIP to be included in Fedora 8 no longer has this daemon. In its place a shared library is provided, including routines to access the HP devices directly. Now the device nodes need to be accessible both to the print spooler and to all users logged in at the console. (There may be several users logged in at the console because of fast user-switching.)

HPLIP provides some udev rules for setting the permissions on the USB device nodes, but in the latest version (2.7.9) they are too permissive. They allow world read/write access. Anyone logged into the machine, even remote users with no login at the console, can access attached devices. For Fedora we ship a modified set of rules to prevent this. The important part is that the device nodes should have group read/write access and have group ownership by “lp”. This allows the CUPS backend to do its job.

The remaining part is to grant access to console users, and this is where ConsoleKit comes in. Unfortunately this doesn’t seem to be documented very clearly, and it has taken some trial and error to get this working.

A HAL configuration file is shipped with the package: hplip.fdi. The way it works is to identify HP devices and mark them, then to add special keys to those marked devices: access_control.file and access_control.type. It is these keys that ConsoleKit uses to determine correct access controls for devices.

Here, then, is the end result. The device node has read/write permissions for users with group lp, and has an ACL for each console user granting read/write permissions as well.

$ ls -l /dev/bus/usb/001/004
crw-rw-r--+ 1 root lp 189, 3 2007-10-04 09:30 /dev/bus/usb/001/004
$ getfacl /dev/bus/usb/001/004
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/004
# owner: root
# group: lp
user::rw-
user:tim:rw-
group::rw-
mask::rw-
other::r--

Comments are closed.