kopia lustrzana https://gitlab.com/sane-project/backends
Merge branch 'saned-doc' into 'master'
doc/saned: Improve service configuration details and security warnings See merge request sane-project/backends!717666-epsonds-has-issues-with-saned
commit
536e486ff7
14
PROBLEMS
14
PROBLEMS
|
@ -1,5 +1,3 @@
|
|||
Last update: 2006-01-05
|
||||
|
||||
- Avoiding damage on flatbed scanners
|
||||
|
||||
Most flatbed scanners have no protection against exceeding the physical scan
|
||||
|
@ -15,8 +13,10 @@ Last update: 2006-01-05
|
|||
|
||||
- Security problems with saned (SANE network scanning daemon)
|
||||
|
||||
saned is not intended to be exposed to the internet or other non-trusted
|
||||
networks. Make sure that access is limited by tcpwrappers and/or a firewall
|
||||
setup. Don't depend only on saned's own authentication. Don't run saned
|
||||
as root if it's not necessary. And do not install saned as setuid root.
|
||||
Read man saned(8) for details.
|
||||
saned does not provide confidentiality when communicating with clients.
|
||||
If saned is exposed directly on the network, other users may be able to
|
||||
intercept scanned images, or learn passwords for connecting to saned,
|
||||
with little effort. Client systems should connect to saned through a
|
||||
secure tunnel to the server instead.
|
||||
|
||||
saned is not a trusted program and should not run with root privileges.
|
||||
|
|
|
@ -130,6 +130,7 @@ BEDOCS += plustek/FAQ \
|
|||
plustek/Plustek-PARPORT.changes plustek/Plustek-PARPORT.txt \
|
||||
plustek/Plustek-USB-TODO.txt plustek/Plustek-USB.changes \
|
||||
plustek/Plustek-USB.txt
|
||||
BEDOCS += saned/saned.install.md
|
||||
BEDOCS += sceptre/s1200.txt
|
||||
BEDOCS += teco/teco1.txt teco/teco2.txt teco/teco3.txt
|
||||
BEDOCS += u12/U12.changes u12/U12.todo
|
||||
|
|
321
doc/saned.man
321
doc/saned.man
|
@ -125,31 +125,8 @@ Default value is 1MB.
|
|||
.TP
|
||||
.BR \-h ", " \-\-help
|
||||
displays a short help message.
|
||||
.PP
|
||||
If
|
||||
.B saned
|
||||
is run from other programs such as
|
||||
.BR inetd (8),
|
||||
.BR xinetd (8)
|
||||
and
|
||||
.BR systemd (1),
|
||||
check that program's documentation on how to pass command-line options.
|
||||
|
||||
.SH CONFIGURATION
|
||||
First and foremost:
|
||||
.B saned
|
||||
is not intended to be exposed to the internet or other non-trusted
|
||||
networks. Make sure that access is limited by tcpwrappers and/or a firewall
|
||||
setup. Don't depend only on
|
||||
.BR saned 's
|
||||
own authentication. Don't run
|
||||
.B saned
|
||||
as root if it's not necessary. And do
|
||||
.B not
|
||||
install
|
||||
.B saned
|
||||
as setuid root.
|
||||
.PP
|
||||
The
|
||||
.I saned.conf
|
||||
configuration file contains both options for the daemon and the access
|
||||
|
@ -207,282 +184,6 @@ scan\-client.somedomain.firm
|
|||
.PP
|
||||
The case of the host names does not matter, so AHost.COM is considered
|
||||
identical to ahost.com.
|
||||
.SH SERVER DAEMON CONFIGURATION
|
||||
For
|
||||
.B saned
|
||||
to work properly in its default mode of operation, it is also necessary to
|
||||
add the appropriate configuration for
|
||||
.BR xinetd (8),
|
||||
.BR inetd (8)
|
||||
or
|
||||
.BR systemd (1)
|
||||
(see below).
|
||||
Note that your
|
||||
.BR inetd (8)
|
||||
must support IPv6 if you want to connect to
|
||||
.B saned
|
||||
over IPv6;
|
||||
.BR xinetd (8),
|
||||
.BR openbsd-inetd (8)
|
||||
and
|
||||
.BR systemd (1)
|
||||
are known to support IPv6, check the documentation for your
|
||||
.BR inetd (8)
|
||||
daemon.
|
||||
.PP
|
||||
In the sections below the configuration for
|
||||
.BR inetd (8),
|
||||
.BR xinetd (8)
|
||||
and
|
||||
.BR systemd (1)
|
||||
are described in more detail.
|
||||
.PP
|
||||
For the configurations below it is necessary to add a line of the following
|
||||
form to
|
||||
.IR /etc/services :
|
||||
.PP
|
||||
.RS
|
||||
sane\-port 6566/tcp # SANE network scanner daemon
|
||||
.RE
|
||||
.PP
|
||||
The official IANA short name for port 6566 is "sane\-port". The older name
|
||||
"sane" is now deprecated.
|
||||
|
||||
.SH INETD CONFIGURATION
|
||||
It is required to add a single line to the
|
||||
.BR inetd (8)
|
||||
configuration file
|
||||
.IR (/etc/inetd.conf)
|
||||
.
|
||||
.PP
|
||||
The configuration line normally looks like this:
|
||||
.PP
|
||||
.RS
|
||||
sane\-port stream tcp nowait saned.saned @SBINDIR@/saned saned
|
||||
.RE
|
||||
.PP
|
||||
However, if your system uses
|
||||
.BR tcpd (8)
|
||||
for additional security screening, you may want to disable
|
||||
.B saned
|
||||
access control by putting ``+'' in
|
||||
.IR saned.conf
|
||||
and use a line of the following form in
|
||||
.IR /etc/inetd.conf
|
||||
instead:
|
||||
.PP
|
||||
.RS
|
||||
sane\-port stream tcp nowait saned.saned /usr/sbin/tcpd @SBINDIR@/saned
|
||||
.RE
|
||||
.PP
|
||||
Note that both examples assume that there is a
|
||||
.B saned
|
||||
group and a
|
||||
.B saned
|
||||
user. If you follow this example, please make sure that the
|
||||
access permissions on the special device are set such that
|
||||
.B saned
|
||||
can access the scanner (the program generally needs read and
|
||||
write access to scanner devices).
|
||||
|
||||
.SH XINETD CONFIGURATION
|
||||
If
|
||||
.BR xinetd (8)
|
||||
is installed on your system instead of
|
||||
.BR inetd (8)
|
||||
the following example for
|
||||
.I /etc/xinetd.conf
|
||||
may be helpful:
|
||||
.PP
|
||||
.RS
|
||||
.ft CR
|
||||
.nf
|
||||
# default: off
|
||||
# description: The sane server accepts requests
|
||||
# for network access to a local scanner via the
|
||||
# network.
|
||||
service sane\-port
|
||||
{
|
||||
port = 6566
|
||||
socket_type = stream
|
||||
wait = no
|
||||
user = saned
|
||||
group = saned
|
||||
server = @SBINDIR@/saned
|
||||
}
|
||||
.fi
|
||||
.ft R
|
||||
.RE
|
||||
|
||||
.SH SYSTEMD CONFIGURATION
|
||||
.B saned
|
||||
can be compiled with explicit
|
||||
.BR systemd (1)
|
||||
support. This
|
||||
will allow logging debugging information to be forwarded
|
||||
to the
|
||||
.BR systemd (1)
|
||||
journal. The
|
||||
.BR systemd (1)
|
||||
support requires compilation with the systemd-devel package
|
||||
installed on the system. This is the preferred option.
|
||||
|
||||
.B saned
|
||||
can be used with
|
||||
.BR systemd (1)
|
||||
without the
|
||||
.BR systemd (1)
|
||||
integration compiled in, but then logging of debug information is not supported.
|
||||
|
||||
The
|
||||
.BR systemd (1)
|
||||
configuration is different for the 2 options, so both are described below.
|
||||
|
||||
.SH Systemd configuration for saned with systemd support compiled in
|
||||
For
|
||||
.BR systemd (1)
|
||||
configuration we need to add 2 configuration files in
|
||||
.IR /etc/systemd/system .
|
||||
.PP
|
||||
The first file we need to add here is called
|
||||
.I saned.socket.
|
||||
It shall have
|
||||
the following contents:
|
||||
.PP
|
||||
.RS
|
||||
.ft CR
|
||||
.nf
|
||||
[Unit]
|
||||
Description=saned incoming socket
|
||||
|
||||
[Socket]
|
||||
ListenStream=6566
|
||||
Accept=yes
|
||||
MaxConnections=1
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
.fi
|
||||
.ft R
|
||||
.RE
|
||||
.PP
|
||||
The second file to be added is
|
||||
.I saned@.service
|
||||
with the following contents:
|
||||
.PP
|
||||
.RS
|
||||
.ft CR
|
||||
.nf
|
||||
[Unit]
|
||||
Description=Scanner Service
|
||||
Requires=saned.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/saned
|
||||
User=saned
|
||||
Group=saned
|
||||
StandardInput=null
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
Environment=SANE_CONFIG_DIR=@CONFIGDIR@
|
||||
# If you need to debug your configuration uncomment the next line and
|
||||
# change it as appropriate to set the desired debug options
|
||||
# Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5
|
||||
|
||||
[Install]
|
||||
Also=saned.socket
|
||||
.fi
|
||||
.ft R
|
||||
.RE
|
||||
.PP
|
||||
You need to set an environment variable for
|
||||
.B SANE_CONFIG_DIR
|
||||
pointing to the directory where
|
||||
.B saned
|
||||
can find its configuration files.
|
||||
You will have to remove the # on the last line and set the variables
|
||||
for the desired debugging information if required. Multiple variables
|
||||
can be set by separating the assignments by spaces as shown in the
|
||||
example above.
|
||||
.PP
|
||||
Unlike
|
||||
.BR xinetd (8)
|
||||
and
|
||||
.BR inetd (8),
|
||||
.BR systemd (1)
|
||||
allows debugging output from backends set using
|
||||
.B SANE_DEBUG_XXX
|
||||
to be captured. See the man-page for your backend to see what options
|
||||
are supported.
|
||||
With the service unit as described above, the debugging output is
|
||||
forwarded to the system log.
|
||||
|
||||
.SH Systemd configuration when saned is compiled without systemd support
|
||||
This configuration will also work when
|
||||
.B saned
|
||||
is compiled WITH
|
||||
.BR systemd (1)
|
||||
integration support, but it does not allow debugging information to be logged.
|
||||
.PP
|
||||
For
|
||||
.BR systemd (1)
|
||||
configuration for
|
||||
.BR saned ,
|
||||
we need to add 2 configuration files in
|
||||
.IR /etc/systemd/system .
|
||||
.PP
|
||||
The first file we need to add here is called
|
||||
.I saned.socket.
|
||||
It is identical to the version for
|
||||
.BR systemd (1)
|
||||
with the support compiled in.
|
||||
It shall have the following contents:
|
||||
.PP
|
||||
.RS
|
||||
.ft CR
|
||||
.nf
|
||||
[Unit]
|
||||
Description=saned incoming socket
|
||||
|
||||
[Socket]
|
||||
ListenStream=6566
|
||||
Accept=yes
|
||||
MaxConnections=1
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
.fi
|
||||
.ft R
|
||||
.RE
|
||||
.PP
|
||||
The second file to be added is
|
||||
.IR saned@.service .
|
||||
This one differs from the version with
|
||||
.BR systemd (1)
|
||||
integration compiled in:
|
||||
.PP
|
||||
.RS
|
||||
.ft CR
|
||||
.nf
|
||||
[Unit]
|
||||
Description=Scanner Service
|
||||
Requires=saned.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/saned
|
||||
User=saned
|
||||
Group=saned
|
||||
StandardInput=socket
|
||||
|
||||
Environment=SANE_CONFIG_DIR=/etc/sane.d
|
||||
|
||||
[Install]
|
||||
Also=saned.socket
|
||||
.fi
|
||||
.ft R
|
||||
.RE
|
||||
.PP
|
||||
|
||||
.SH FILES
|
||||
.TP
|
||||
.I /etc/hosts.equiv
|
||||
|
@ -526,6 +227,28 @@ and
|
|||
.I "@CONFIGDIR@"
|
||||
being searched (in this order).
|
||||
|
||||
.SH NOTES
|
||||
.B saned
|
||||
does
|
||||
.I not
|
||||
provide confidentiality when communicating with clients. If
|
||||
.B saned
|
||||
is exposed directly on the network, other users may be able to intercept
|
||||
scanned images, or learn passwords for connecting to
|
||||
.BR saned ,
|
||||
with little effort. Client systems should connect to
|
||||
.B saned
|
||||
through a secure tunnel to the server instead.
|
||||
.PP
|
||||
.B saned
|
||||
is not a trusted program and should not run with root privileges.
|
||||
.PP
|
||||
Refer to
|
||||
.I @DOCDIR@/saned/saned.install.md
|
||||
for details on configuring
|
||||
.B saned
|
||||
as a service.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.BR sane (7),
|
||||
.BR scanimage (1),
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
Configuring `saned` as a service
|
||||
================================
|
||||
|
||||
To launch `saned` automatically in response to an incoming connection,
|
||||
configure it as a service managed by `inetd`, `xinetd`, or `systemd`.
|
||||
|
||||
First verify that /etc/services contains a line of the following form:
|
||||
|
||||
sane-port 6566/tcp # SANE network scanner daemon
|
||||
|
||||
If not, then add it. (The name "sane-port" has been assigned by IANA.)
|
||||
|
||||
|
||||
The examples below assume there is a "saned" group and a "saned" user.
|
||||
Make sure that the ACLs on the scanner device files are set such that
|
||||
`saned` can access them for reading and writing.
|
||||
|
||||
|
||||
`inetd` Configuration
|
||||
---------------------
|
||||
|
||||
Configure `inetd` if your platform does not use `systemd` or `xinetd`.
|
||||
Not all `inetd` implementations support IPv6; check its documentation.
|
||||
|
||||
Add a line in /etc/inetd.conf like the following:
|
||||
|
||||
sane-port stream tcp nowait saned.saned /usr/local/sbin/saned saned
|
||||
|
||||
|
||||
`xinetd` Configuration
|
||||
----------------------
|
||||
|
||||
Copy frontend/saned.xinetd.conf into the `xinetd` configuration files
|
||||
directory (as /etc/xinetd.d/saned.conf).
|
||||
|
||||
|
||||
`systemd` Configuration
|
||||
-----------------------
|
||||
|
||||
Copy frontend/saned.socket and frontend/saned@.service into one of the
|
||||
system-wide directories for unit files (/etc/systemd/system/).
|
||||
|
||||
The recommended way to adjust the service settings is with the command
|
||||
`systemctl edit saned@`. This opens a file inside a text editor where
|
||||
overrides may be entered. As an example, environment variables can be
|
||||
set which are used to control debug logging in individual backends:
|
||||
|
||||
[Service]
|
||||
Environment=SANE_DEBUG_DLL=255
|
||||
Environment=SANE_DEBUG_BJNP=5
|
||||
|
||||
(Refer to the man pages of the appropriate backends for more details.)
|
||||
|
||||
It is recommended to build SANE with explicit `systemd` support, which
|
||||
allows log messages from `saned` to be written to the journal. If SANE
|
||||
is built without this support, the following override must be used:
|
||||
|
||||
[Service]
|
||||
StandardInput=socket
|
|
@ -1,2 +1,6 @@
|
|||
saned
|
||||
saned@.service
|
||||
saned.xinetd.conf
|
||||
scanimage
|
||||
test
|
||||
tstbackend
|
||||
|
|
|
@ -44,5 +44,20 @@ tstbackend_LDADD += -lstdc++
|
|||
endif
|
||||
endif
|
||||
|
||||
clean-local:
|
||||
rm -f test tstbackend
|
||||
BUILT_SOURCES = saned@.service saned.xinetd.conf
|
||||
|
||||
EXTRA_DIST = saned.socket saned@.service.in saned.xinetd.conf.in
|
||||
|
||||
CLEANFILES = $(EXTRA_PROGRAMS) $(BUILT_SOURCES)
|
||||
|
||||
SUFFIXES = .in
|
||||
.in:
|
||||
$(AM_V_GEN)
|
||||
@if $(AM_V_P); then echo Generating $@ from $^; fi
|
||||
@sed -e 's|@DATADIR@|$(datadir)|g' \
|
||||
-e 's|@CONFIGDIR@|$(configdir)|g' \
|
||||
-e 's|@DOCDIR@|$(docdir)|g' \
|
||||
-e 's|@LIBDIR@|$(libdir)/sane|g' \
|
||||
-e 's|@BINDIR@|$(bindir)|g' \
|
||||
-e 's|@SBINDIR@|$(sbindir)|g' \
|
||||
-e 's|@PACKAGEVERSION@|$(PACKAGE_VERSION)|g' $? > $@
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=saned incoming socket
|
||||
|
||||
[Socket]
|
||||
ListenStream=6566
|
||||
Accept=yes
|
||||
MaxConnections=1
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
|
@ -0,0 +1,13 @@
|
|||
# default: off
|
||||
# description: The sane server accepts requests
|
||||
# for network access to a local scanner via the
|
||||
# network.
|
||||
service sane-port
|
||||
{
|
||||
port = 6566
|
||||
socket_type = stream
|
||||
wait = no
|
||||
user = saned
|
||||
group = saned
|
||||
server = @SBINDIR@/saned
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
[Unit]
|
||||
Description=Scanner Service
|
||||
Requires=saned.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=@SBINDIR@/saned
|
||||
User=saned
|
||||
Group=saned
|
||||
|
||||
[Install]
|
||||
Also=saned.socket
|
Ładowanie…
Reference in New Issue