## Describe the bug
I have a USB scanner (Fujitsu S1500) attached to a NixOS …server, and I've configured `services.saned` to use this scanner over the network. However, after configuring the saned service, the scanner could not be found over the network, nor locally for users in the `scanner` group.
1. `scanimage -L` on the localhost as `root` user _can_ find the scanner
2. `scanimage -L` on the localhost as my user (in the `scanner` group) cannot find the scanner
3. `sudo -u scanner scanimage -L` on the localhost as the dedicated `scanner` user cannot find the scanner
4. `scanimage -L` on a remote host cannot find the scanner (the host is configured correctly to search the scanner server)
Note that the systemd service is [configured](https://github.com/NixOS/nixpkgs/blob/8d02c5670fe097962bad6f2c305a670a0e263fda/nixos/modules/services/hardware/sane.nix#L208-L212) to run with user/group `scanner` (case 3), so the service itself is unable to access the scanner, which explains why remote access fails.
I believe it's a device file permission issue, given the examples above. This server was previously a Debian host that I just converted to NixOS and the same configuration was working there without any issue. In the Context section below I've included a possible solution that addresses the permission problem.
## Steps To Reproduce
Note that there are also some firewall problems, which I'll add as a separate issue; these only affect remote access, of course. Local access is enough to resolve the issue, but if wanting to test the network access, I'd disable the firewall.
Steps to reproduce the behavior:
1. Connect a USB scanner that is supported by sane
2. Enable and configure `services.saned` on a remote server with `extraConfig` allowing the local network
3. Enable and configure `hardware.sane` on a client with `netConf` set to the remote server
4. Run `scanimage -L` from the client and observe it cannot find any scanners. Watching `journalctl` on the server for `saned@` logs will show the client connecting
5. Run `scanimage -L` locally from the server with a user in the `scanner` group, observe it cannot find any scanners
6. Run as root or `sudo scanimage -L` and observe that the root user can find the scanner
Here are snippets of the configurations:
Server:
```nix
{
  hardware.sane = {
    enable = true;
    disabledDefaultBackends = [
      "net"
      "escl"
    ];
  };
  services.saned = {
    enable = true;
    extraConfig = ''
      192.168.1.0/24
    '';
  };
}
```
<details><summary>Here are examples of the commands showing the results above.</summary>
<p>

```console
> lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 001 Device 023: ID 04c5:11a2 Fujitsu, Ltd ScanSnap S1500
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> ls -l /dev/bus/usb/*/*
crw-rw-r-- 1 root root 189, 0 Dec 3 17:44 /dev/bus/usb/001/001
crw-rw-r-- 1 root root 189, 1 Dec 3 17:44 /dev/bus/usb/001/002
crw-rw-r-- 1 root root 189, 22 Dec 4 22:39 /dev/bus/usb/001/023
crw-rw-r-- 1 root root 189, 128 Dec 3 17:44 /dev/bus/usb/002/001
> getfacl /dev/bus/usb/001/023
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/023
# owner: root
# group: root
user::rw-
group::rw-
other::r--
> groups
myuser wheel lp dialout scanner
> scanimage -L --verbose
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).
sane-find-scanner
# sane-find-scanner will now attempt to detect your scanner. If the
# result is different from what you expected, first make sure your
# scanner is powered up and properly connected to your computer.
# No SCSI scanners found. If you expected something different, make sure that
# you have loaded a kernel SCSI driver for your SCSI adapter.
# Also you need support for SCSI Generic (sg) in your operating system.
# If using Linux, try "modprobe sg".
could not open USB device 0x1d6b/0x0003 at 002:001: Access denied (insufficient permissions)
could not open USB device 0x04c5/0x11a2 at 001:023: Access denied (insufficient permissions)
could not open USB device 0x0a12/0x0001 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
# No USB scanners found. If you expected something different, make sure that
# you have loaded a kernel driver for your USB host controller and have setup
# the USB system correctly. See man sane-usb for details.
# Not checking for parallel port scanners.
# Most Scanners connected to the parallel port or other proprietary ports
# can't be detected by this program.
# You may want to run this program as root to find all devices. Once you
# found the scanner devices, be sure to adjust access permissions as
# necessary.
> sudo scanimage -L
device `fujitsu:ScanSnap S1500:44380' is a FUJITSU ScanSnap S1500 scanner
> sudo sane-find-scanner
# sane-find-scanner will now attempt to detect your scanner. If the
# result is different from what you expected, first make sure your
# scanner is powered up and properly connected to your computer.
# No SCSI scanners found. If you expected something different, make sure that
# you have loaded a kernel SCSI driver for your SCSI adapter.
# Also you need support for SCSI Generic (sg) in your operating system.
# If using Linux, try "modprobe sg".
could not fetch string descriptor: Pipe error
could not fetch string descriptor: Pipe error
found possible USB scanner (vendor=0x04c5, product=0x11a2) at libusb:001:023
# Your USB scanner was (probably) detected. It may or may not be supported by
# SANE. Try scanimage -L and read the backend's manpage.
# Not checking for parallel port scanners.
# Most Scanners connected to the parallel port or other proprietary ports
# can't be detected by this program.
> id scanner
uid=59(scanner) gid=59(scanner) groups=59(scanner),20(lp),989(avahi)
> sudo -u scanner scanimage -L
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).
> sudo -u scanner sane-find-scanner
# sane-find-scanner will now attempt to detect your scanner. If the
# result is different from what you expected, first make sure your
# scanner is powered up and properly connected to your computer.
# No SCSI scanners found. If you expected something different, make sure that
# you have loaded a kernel SCSI driver for your SCSI adapter.
# Also you need support for SCSI Generic (sg) in your operating system.
# If using Linux, try "modprobe sg".
could not open USB device 0x1d6b/0x0003 at 002:001: Access denied (insufficient permissions)
could not open USB device 0x04c5/0x11a2 at 001:023: Access denied (insufficient permissions)
could not open USB device 0x0a12/0x0001 at 001:002: Access denied (insufficient permissions)
could not open USB device 0x1d6b/0x0002 at 001:001: Access denied (insufficient permissions)
# No USB scanners found. If you expected something different, make sure that
# you have loaded a kernel driver for your USB host controller and have setup
# the USB system correctly. See man sane-usb for details.
# Not checking for parallel port scanners.
# Most Scanners connected to the parallel port or other proprietary ports
# can't be detected by this program.
# You may want to run this program as root to find all devices. Once you
# found the scanner devices, be sure to adjust access permissions as
# necessary.
```

</p>
</details>
## Expected behavior
1. Enabling and configuring `hardware.sane` should allow a local user in the `scanner` group to see a locally connected USB scanner
2. Enabling and configuring `services.saned` on a host should allow its local USB scanner to be remotely accessible
## Additional context
As I mentioned previously, this looks like a permission problem. The USB device paths are all owned by `root:root` with no user write access. I noticed there were previous issues about permissions that caused problems with printers, so `chmod`ing the device paths as `scanner:scanner` was removed from the udev rules. However, the replacement looks to be to use ACLs instead. I compared this to my Debian configuration, and noticed it packages an extra udev rule which runs `setfacl` on the device path which gives the `scanner` user write access and ability to find the scanner:
https://sources.debian.org/src/sane-backends/1.3.0-1/debian/99-libsane1.rules/
```text
ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
```
sane-desc from sane-backends also [adds the same rule](https://gitlab.com/sane-project/backends/-/blob/c43485dd2170c5691f92cf2e6f13c60f611e0def/tools/sane-desc.c?page=4#L3634-3636) in its `udev+acl` rule generator, but this seems to be out of favor as the hwdb config is preferred (and there's no hwdb+acl or standalone acl generator). So I assume this is why Debian shipped their own rules file. Presumably this doesn't conflict with the mentioned printer permission problems.
I copied the rule verbatim into my configuration, and this solved all the problems listed above:
```nix
{
  services.udev.extraRules = ''
    ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="${pkgs.acl}/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
  '';
}
```
After doing so the device path is still owned by `root:root` but has added ACLs that allow access from the scanner user:
```console
> lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 001 Device 024: ID 04c5:11a2 Fujitsu, Ltd ScanSnap S1500
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> getfacl /dev/bus/usb/001/024
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/024
# owner: root
# group: root
user::rw-
group::rw-
group:scanner:rw-
mask::rw-
other::r--
> sudo -u scanner scanimage -L
device `fujitsu:ScanSnap S1500:44380' is a FUJITSU ScanSnap S1500 scanner
```
Now any `scanner` group users and remote clients are able to find and use the scanner.
I don't know if there are any downsides to this approach, but it is the Debian solution.
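As an added check (not code from this issue or from nixpkgs), the script below parses `getfacl` output like the listings above and computes the permission the `scanner` group effectively ends up with, applying the ACL `mask` entry as the kernel does; it also flags the case where access was obtained by making the device node world-writable instead of via a scoped ACL entry. The sample ACL listings are constructed to mirror the before/after output shown above.

```shell
# Added example, not code from the issue or nixpkgs: parse getfacl output
# such as the listings above and compute the effective permission a named
# group holds on a device node, applying the ACL mask as the kernel does.

# effective_group_perms GROUP  (getfacl output on stdin)
# Prints the effective rwx triple for GROUP, or "---" when no entry exists.
effective_group_perms() {
  awk -v grp="$1" '
    /^#/ { next }                                   # skip the header comments
    $0 ~ ("^group:" grp ":") { split($0, f, ":"); entry = f[3] }
    /^mask::/               { split($0, f, ":"); mask = f[3] }
    END {
      if (entry == "") { print "---"; exit }
      if (mask == "")  { print entry; exit }
      out = ""
      for (i = 1; i <= 3; i++) {                  # bitwise AND with the mask
        e = substr(entry, i, 1); m = substr(mask, i, 1)
        out = out ((e != "-" && e == m) ? e : "-")
      }
      print out
    }'
}

# check_scanner_acl GROUP  (getfacl output on stdin)
# Exit 0 only when GROUP has effective rw- and "other" has no write bit, i.e.
# access came from a scoped ACL entry rather than from a world-writable node.
check_scanner_acl() {
  input=$(cat)
  perms=$(printf '%s\n' "$input" | effective_group_perms "$1")
  other=$(printf '%s\n' "$input" | awk -F: '/^other::/ { print $3 }')
  [ "$perms" = "rw-" ] || return 1
  case "$other" in ?w?) return 1 ;; esac
  return 0
}

# Constructed samples mirroring the before/after listings in the issue.
ACL_BEFORE='# file: dev/bus/usb/001/023
user::rw-
group::rw-
other::r--'
ACL_AFTER='# file: dev/bus/usb/001/024
user::rw-
group::rw-
group:scanner:rw-
mask::rw-
other::r--'

for acl in "$ACL_BEFORE" "$ACL_AFTER"; do
  printf '%s\n' "$acl" | check_scanner_acl scanner && echo "ACL ok" || echo "no scoped rw access for scanner"
done
```

To run it against a live node, replace the constructed samples with `getfacl /dev/bus/usb/<bus>/<dev> | check_scanner_acl scanner`.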
## Metadata
Server:
- system: `"x86_64-linux"`
- host os: `Linux 6.6.63, NixOS, 25.05 (Warbler), 25.05.20241203.55d15ad`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.24.10`
- nixpkgs: `/nix/store/vqhkmj60457j8nrw9vb94ln40rkic1p6-source`
Client:
- system: `"x86_64-linux"`
- host os: `Linux 6.12.1, NixOS, 25.05 (Warbler), 25.05.20241203.55d15ad`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.24.10`
- nixpkgs: `/nix/store/vqhkmj60457j8nrw9vb94ln40rkic1p6-source`
## Notify maintainers
@symphorien