Add a data_portrange configuration file option to saned.

2008-12-12 15:51:15 +00:00 · 2008-12-12 15:51:15 +00:00 · b9807541c7
commit b9807541c7
--- a/9
+++ b/9
@ -1,7 +1,14 @@
 2008-12-12  Julien Blache <jb@jblache.org>
 	* frontend/saned.c: add a data_portrange config file option to
 	saned to specify a port range for the data connection. Based on a
 	patch contributed by Oren Held.
 	* backend/saned.conf.in: add the data_portrange option to the
 	config file and rework the comments.
 	* doc/saned.man: document the data_portrange option.
 2008-12-11  Stéphane Voltz <stef.dev@free.fr>
 	* backend/rts8891.c doc/sane-rts8891.man doc/descriptions/rts8891.desc:
 	  scan register setting fix, documentation update
 2008-12-10  m. allan noah <kitno455 a t gmail d o t com>
 	* backend/fujitsu.[ch]: backend v85
--- a/backend/saned.conf.in
+++ b/backend/saned.conf.in
@ -1,21 +1,31 @@
 #
 # saned.conf
 # Configuration for the saned daemon
 ## Daemon options
 # Port range for the data connection. Choose a range inside [1024 - 65535].
 # Avoid specifying too large a range, for performance reasons.
 #
-# The contents of the saned.conf  file  is  a  list  of  host  names,  IP
+# ONLY use this if your saned server is sitting behind a firewall. If your
-# addresses or IP subnets (CIDR notation) that are permitted to use local
+# firewall is a Linux machine, we strongly recommend using the
-# SANE devices. IPv6 addresses must be enclosed in brackets,  and  should
+# Netfilter nf_conntrack_sane connection tracking module instead.
-# always  be specified in their compressed form.
+#
 # data_portrange = 10000 - 10100
 ## Access list
 # A list of host names, IP addresses or IP subnets (CIDR notation) that
 # are permitted to use local SANE devices. IPv6 addresses must be enclosed
 # in brackets, and should always be specified in their compressed form.
 #
 # The hostname matching is not case-sensitive.
-#
+
 #scan-client.somedomain.firm
 #192.168.0.1
 #192.168.0.1/29
 #[2001:7a8:185e::42:12]
 #[2001:7a8:185e::42:12]/64
-#
+
 # NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
 # /etc/services must also be properly configured to start
 # the saned daemon as documented in saned(8), services(4)
 # and inetd.conf(4) (or xinetd.conf(5)).
--- a/doc/saned.man
+++ b/doc/saned.man
@ -1,4 +1,4 @@
-.TH saned 8 "14 Jul 2008" "@PACKAGEVERSION@" "SANE Scanner Access Now Easy"
+.TH saned 8 "12 Dec 2008" "@PACKAGEVERSION@" "SANE Scanner Access Now Easy"
 .IX saned
 .SH NAME
 saned \- SANE network daemon
@ -76,19 +76,38 @@ install
 .B saned
 as setuid root.
 .PP
-The contents of the
+The 
 .I saned.conf
-file is a list of host names, IP addresses or IP subnets (CIDR notation) that
+configuration file contains both options for the daemon and the access
-are permitted to use local SANE devices. IPv6 addresses must be enclosed in
+list.
-brackets, and should always be specified in their compressed form.
+.TP
-Connections from localhost are always permitted.
+\fBdata_portrange\fP = \fImin_port\fP - \fImax_port\fP
-Empty lines and lines starting with a hash mark (#) are ignored.  A line
+Specify the port range to use for the data connection. Pick a port
-containing the single character ``+'' is interpreted to match any hostname.
+range between 1024 and 65535; don't pick a too large port range, as it
-This allows any remote machine to use your scanner and may present a security
+may have performance issues. Use this option if your \fBsaned\fP
-risk, so this shouldn't be used unless you know what you're doing.  A sample
+server is sitting behind a firewall. If that firewall is a Linux
-configuration file is shown below:
+machine, we strongly recommend using the Netfilter
 \fInf_conntrack_sane\fP module instead.
 .PP
 The access list is a list of host names, IP addresses or IP subnets
 (CIDR notation) that are permitted to use local SANE devices. IPv6
 addresses must be enclosed in brackets, and should always be specified
 in their compressed form. Connections from localhost are always
 permitted. Empty lines and lines starting with a hash mark (#) are
 ignored. A line containing the single character ``+'' is interpreted
 to match any hostname. This allows any remote machine to use your
 scanner and may present a security risk, so this shouldn't be used
 unless you know what you're doing.
 .PP
 A sample configuration file is shown below:
 .PP
 .RS
 # Daemon options
 .br
 data_portrange = 10000 - 10100
 .br
 # Access list
 .br
 scan\-client.somedomain.firm
 .br
 # this is a comment
--- a/frontend/saned.c
+++ b/frontend/saned.c
@ -252,6 +252,10 @@ byte_order;
 static const char *default_username = "saned-user";
 static char *remote_ip;
 /* data port range */
 static in_port_t data_port_lo;
 static in_port_t data_port_hi;
 #ifdef SANED_USES_AF_INDEP
 static struct sockaddr_storage remote_address;
 static int remote_address_len;
@ -925,10 +929,13 @@ check_host (int fd)
 	{
 	  config_line = config_line_buf; /* from now on, use a pointer */
 	  DBG (DBG_DBG, "check_host: config file line: `%s'\n", config_line);
-	  if (config_line[0] == '#')	/* ignore line comments */
+	  if (config_line[0] == '#')
-	    continue;
+	    continue;           /* ignore comments */
 	  if (strchr (config_line, '='))
 	    continue;           /* ignore lines with an = sign */
 	  len = strlen (config_line);
 	  if (!len)
 	    continue;		/* ignore empty lines */
@ -1214,13 +1221,16 @@ check_host (int fd)
 	{
 	  config_line = config_line_buf; /* from now on, use a pointer */
 	  DBG (DBG_DBG, "check_host: config file line: `%s'\n", config_line);
-	  if (config_line[0] == '#')	/* ignore line comments */
+	  if (config_line[0] == '#')
-	    continue;
+	    continue;           /* ignore comments */
 	  if (strchr (config_line, '='))
 	    continue;           /* ignore lines with an = sign */
 	  len = strlen (config_line);
 	  if (!len)
 	    continue;		/* ignore empty lines */
-	  
+
 	  /* look for a subnet specification */
 	  netmask = strchr (config_line, '/');
 	  if (netmask != NULL)
@ -1385,6 +1395,8 @@ start_scan (Wire * w, int h, SANE_Start_Reply * reply)
 #endif /* ENABLE_IPV6 */
  SANE_Handle be_handle;
  int fd, len;
  in_port_t data_port;
  int ret;
  be_handle = handle[h].handle;
@ -1410,19 +1422,41 @@ start_scan (Wire * w, int h, SANE_Start_Reply * reply)
    {
      case AF_INET:
 	sin = (struct sockaddr_in *) &ss;
 	sin->sin_port = 0;
 	break;
 #ifdef ENABLE_IPV6
      case AF_INET6:
 	sin6 = (struct sockaddr_in6 *) &ss;
 	sin6->sin6_port = 0;
 	break;
 #endif /* ENABLE_IPV6 */
      default:
 	break;
    }
-  if (bind (fd, (struct sockaddr *) &ss, len) < 0)
+  /* Try to bind a port between data_port_lo and data_port_hi for the data connection */
  for (data_port = data_port_lo; data_port <= data_port_hi; data_port++)
    {
      switch (SS_FAMILY(ss))
        {
          case AF_INET:
            sin->sin_port = htons(data_port);
            break;
 #ifdef ENABLE_IPV6
          case AF_INET6:
            sin6->sin6_port = htons(data_port);
            break;
 #endif /* ENABLE_IPV6 */
          default:
            break;
       }
      DBG (DBG_INFO, "start_scan: trying to bind data port %d\n", data_port);
      ret = bind (fd, (struct sockaddr *) &ss, len);
      if (ret == 0)
        break;
    }
  if (ret < 0)
    {
      DBG (DBG_ERR, "start_scan: failed to bind address (%s)\n",
 	   strerror (errno));
@ -1482,6 +1516,8 @@ start_scan (Wire * w, int h, SANE_Start_Reply * reply)
  struct sockaddr_in sin;
  SANE_Handle be_handle;
  int fd, len;
  in_port_t data_port;
  int ret;
  be_handle = handle[h].handle;
@ -1503,8 +1539,19 @@ start_scan (Wire * w, int h, SANE_Start_Reply * reply)
      return -1;
    }
-  sin.sin_port = 0;
+  /* Try to bind a port between data_port_lo and data_port_hi for the data connection */
-  if (bind (fd, (struct sockaddr *) &sin, len) < 0)
+  for (data_port = data_port_lo; data_port <= data_port_hi; data_port++)
    {
      sin.sin_port = htons(data_port);
      DBG(DBG_INFO, "start_scan: trying to bind data port %d\n", data_port);
      ret = bind (fd, (struct sockaddr *) &sin, len);
      if (ret == 0)
        break;
    }
  if (ret < 0)
    {
      DBG (DBG_ERR, "start_scan: failed to bind address (%s)\n",
 	   strerror (errno));
@ -2510,6 +2557,100 @@ saned_avahi_callback (AvahiClient *c, AvahiClientState state, void *userdata)
 #endif /* WITH_AVAHI */
 static void
 read_config (void)
 {
  char config_line[PATH_MAX];
  const char *optval;
  char *endval;
  long val;
  FILE *fp;
  int len;
  DBG (DBG_INFO, "read_config: searching for config file\n");
  fp = sanei_config_open (SANED_CONFIG_FILE);
  if (fp)
    {
      while (sanei_config_read (config_line, sizeof (config_line), fp))
        {
          if (config_line[0] == '#')
            continue;           /* ignore line comments */
 	  optval = strchr (config_line, '=');
 	  if (optval == NULL)
 	    continue;           /* only interested in options, skip hosts */
          len = strlen (config_line);
          if (!len)
            continue;           /* ignore empty lines */
          /*
           * Check for saned options.
           * Anything that isn't an option is a client.
           */
          if (strstr(config_line, "data_portrange") != NULL)
            {
              optval = sanei_config_skip_whitespace (++optval);
              if ((optval != NULL) && (*optval != '\0'))
                {
 		  val = strtol (optval, &endval, 10);
 		  if (optval == endval)
 		    {
 		      DBG (DBG_ERR, "read_config: invalid value for data_portrange\n");
 		      continue;
 		    }
 		  else if ((val < 0) || (val > 65535))
 		    {
 		      DBG (DBG_ERR, "read_config: data_portrange start port is invalid\n");
 		      continue;
 		    }
 		  optval = strchr (endval, '-');
 		  if (optval == NULL)
 		    {
 		      DBG (DBG_ERR, "read_config: no end port value for data_portrange\n");
 		      continue;
 		    }
 		  optval = sanei_config_skip_whitespace (++optval);
 		  data_port_lo = val;
 		  val = strtol (optval, &endval, 10);
 		  if (optval == endval)
 		    {
 		      DBG (DBG_ERR, "read_config: invalid value for data_portrange\n");
 		      data_port_lo = 0;
 		      continue;
 		    }
 		  else if ((val < 0) || (val > 65535))
 		    {
 		      DBG (DBG_ERR, "read_config: data_portrange end port is invalid\n");
 		      data_port_lo = 0;
 		      continue;
 		    }
 		  else if (val < data_port_lo)
 		    {
 		      DBG (DBG_ERR, "read_config: data_portrange end port is less than start port\n");
 		      data_port_lo = 0;
 		      continue;
 		    }
 		  data_port_hi = val;
                  DBG (DBG_INFO, "read_config: data port range: %d - %d\n", data_port_lo, data_port_hi);
                }
            }
        }
      fclose (fp);
      DBG (DBG_INFO, "read_config: done reading config\n");
    }
  else
    DBG (DBG_ERR, "read_config: could not open config file (%s): %s\n",
 	 SANED_CONFIG_FILE, strerror (errno));
 }
 #ifdef SANED_USES_AF_INDEP
 static void
 do_bindings (int *nfds, struct pollfd **fds)
@ -2998,6 +3139,8 @@ main (int argc, char *argv[])
  if (log_to_syslog)
    openlog ("saned", LOG_PID | LOG_CONS, LOG_DAEMON);
  read_config ();
  byte_order.w = 0;
  byte_order.ch = 1;