sane-project-website/man/saned.8.html

<HTML>
<HEAD>
<TITLE>saned.8</TITLE>
</HEAD>
<BODY BGCOLOR=#FFFFFF TEXT=#000000><H1 ALIGN=CENTER><IMG SRC="/images/sane.png" HEIGHT=117 WIDTH=346></H1>
<H1>saned.8</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B><A HREF="saned.8.html">saned(8)</A></B>                 SANE Scanner Access Now Easy                 <B><A HREF="saned.8.html">saned(8)</A></B>


</PRE>
<H2>NAME</H2><PRE>
       saned - SANE network daemon


</PRE>
<H2>SYNOPSIS</H2><PRE>
       <B>saned</B> <B>[</B> <B>-a</B> <I>[</I> <I>username</I> <I>]</I> <B>|</B> <B>-d</B> <I>[</I> <I>n</I> <I>]</I> <B>|</B> <B>-s</B> <I>[</I> <I>n</I> <I>]</I> <B>]</B>


</PRE>
<H2>DESCRIPTION</H2><PRE>
       <B>saned</B>  is  the SANE (Scanner Access Now Easy) daemon that allows remote
       clients to access image acquisition  devices  available  on  the  local
       host.


</PRE>
<H2>OPTIONS</H2><PRE>
       The  <B>-a</B> flag requests that <B>saned</B> run in standalone daemon mode. In this
       mode, <B>saned</B> will detach from the console and  run  in  the  background,
       listening  for  incoming  client connections; <B>inetd</B> is not required for
       <B>saned</B> operations in this mode. If the optional <B>username</B> is given  after
       <B>-a</B>  , <B>saned</B> will drop root privileges and run as this user (and group).

       The <B>-d</B> and <B>-s</B> flags request that <B>saned</B> run in debug mode (as opposed to
       <B><A HREF="inetd.8.html">inetd(8)</A></B>  mode).  In this mode, <B>saned</B> explicitly waits for a connection
       request.  When compiled with debugging enabled, these flags may be fol-
       lowed  by  a  number  to request debug info. The larger the number, the
       more verbose the debug output.  E.g., <B>-d128</B> will  request  printing  of
       all debug info. Debug level 0 means no debug output at all. The default
       value is 2. If flag <B>-d</B> is used, the debug messages will be  printed  to
       stderr while <B>-s</B> requests using syslog.

       If <B>saned</B> is run from inetd or xinetd, no option can be given.


</PRE>
<H2>CONFIGURATION</H2><PRE>
       First and foremost: <B>saned</B> is not intended to be exposed to the internet
       or other non-trusted networks. Make sure that access is limited by tcp-
       wrappers  and/or  a  firewall  setup.  Don't depend only on <B>saned</B>'s own
       authentication. Don't run <B>saned</B> as root if it's not necessary.  And  do
       <B>not</B> install <B>saned</B> as setuid root.

       The  <I>saned.conf</I> configuration file contains both options for the daemon
       and the access list.

       <B>data_portrange</B> = <I>min</I><B>_</B><I>port</I> - <I>max</I><B>_</B><I>port</I>
              Specify the port range to use for the data  connection.  Pick  a
              port  range  between 1024 and 65535; don't pick a too large port
              range, as it may have performance issues.  Use  this  option  if
              your <B>saned</B> server is sitting behind a firewall. If that firewall
              is a Linux machine, we strongly recommend  using  the  Netfilter
              <I>nf</I><B>_</B><I>conntrack</I><B>_</B><I>sane</I> module instead.

       The  access  list  is  a list of host names, IP addresses or IP subnets
       (CIDR notation) that are permitted to  use  local  SANE  devices.  IPv6
       addresses  must be enclosed in brackets, and should always be specified
       in their compressed form. Connections from localhost are always permit-
       ted. Empty lines and lines starting with a hash mark (#) are ignored. A
       line containing the single character ''+'' is interpreted to match  any
       hostname.  This  allows  any remote machine to use your scanner and may
       present a security risk, so this shouldn't be used unless you know what
       you're doing.

       A sample configuration file is shown below:

              # Daemon options
              data_portrange = 10000 - 10100
              # Access list
              scan-client.somedomain.firm
              # this is a comment
              192.168.0.1
              192.168.2.12/29
              [::1]
              [2001:7a8:185e::42:12]/64

       The  case of the host names does not matter, so AHost.COM is considered
       identical to ahost.com.


</PRE>
<H2>INETD CONFIGURATION</H2><PRE>
       For <B>saned</B> to work properly in its default mode of operation, it is also
       necessary  to  add  a configuration line to <I>/etc/inetd.conf</I>.  Note that
       your inetd must support IPv6 if you want to connect to saned over  IPv6
       ;  xinetd  and openbsd-inetd are known to support IPv6, check the docu-
       mentation for your inetd daemon.

       The configuration line normally looks like this:

              sane-port stream tcp nowait saned.saned /usr/sbin/saned saned

       However, if your system uses <B><A HREF="tcpd.8.html">tcpd(8)</A></B> for additional security screening,
       you  may  want  to  disable  saned  access  control by putting ''+'' in
       <I>saned.conf</I> and use a line of  the  following  form  in  <I>/etc/inetd.conf</I>
       instead:

              sane-port   stream   tcp   nowait   saned.saned   /usr/sbin/tcpd
              /usr/sbin/saned

       Note that both examples assume that there is a <B>saned</B> group and a  <B>saned</B>
       user.   If  you  follow  this example, please make sure that the access
       permissions on the special device are set such that  <B>saned</B>  can  access
       the scanner (the program generally needs read and write access to scan-
       ner devices).

       If xinetd is installed on your system instead of  inetd  the  following
       example for xinetd.conf may be helpful:

              # default: off
              # description: The sane server accepts requests
              # for network access to a local scanner via the
              # network.
              service sane-port
              {
                 port        = 6566
                 socket_type = stream
                 wait        = no
                 user        = saned
                 group       = saned
                 server      = /usr/sbin/saned
              }

       Finally,  it  is  also necessary to add a line of the following form to
       <I>/etc/services</I>:

              sane-port 6566/tcp # SANE network scanner daemon

       The official IANA short name for port 6566 is  "sane-port".  The  older
       name "sane" is now deprecated.


</PRE>
<H2>FILES</H2><PRE>
       <I>/etc/hosts.equiv</I>
              The  hosts listed in this file are permitted to access all local
              SANE devices.  Caveat: this file imposes serious security  risks
              and its use is not recommended.

       <I>/etc/sane.d/saned.conf</I>
              Contains  a list of hosts permitted to access local SANE devices
              (see also description of <B>SANE_CONFIG_DIR</B> below).

       <I>/etc/sane.d/saned.users</I>
              If this file contains lines of the form

              user:password:backend

              access to the listed backends is restricted. A  backend  may  be
              listed  multiple times for different user/password combinations.
              The server uses MD5 hashing if supported by the client.


</PRE>
<H2>ENVIRONMENT</H2><PRE>
       <B>SANE_CONFIG_DIR</B>
              This environment variable specifies the list of directories that
              may contain the configuration file.  Under UNIX, the directories
              are separated by a colon (':'), under OS/2, they  are  separated
              by a semi-colon (';').  If this variable is not set, the config-
              uration file is searched in two default directories: first,  the
              current working directory (".") and then in /etc/sane.d.  If the
              value of the environment variable ends with the directory  sepa-
              rator character, then the default directories are searched after
              the explicitly  specified  directories.   For  example,  setting
              <B>SANE_CONFIG_DIR</B>  to  "/tmp/config:"  would result in directories
              "tmp/config", ".", and "/etc/sane.d"  being  searched  (in  this
              order).


</PRE>
<H2>SEE ALSO</H2><PRE>
       <B><A HREF="sane.7.html">sane(7)</A></B>,    <B><A HREF="scanimage.1.html">scanimage(1)</A></B>,    <B><A HREF="xscanimage.1.html">xscanimage(1)</A></B>,    <B><A HREF="xcam.1.html">xcam(1)</A></B>,    <B><A HREF="sane-dll.5.html">sane-dll(5)</A></B>,
       <B><A HREF="sane-net.5.html">sane-net(5)</A></B>, <B>sane-"backendname"</B>(5)
       <I>http://www.penguin-breeder.org/?page=sane-net</I>


</PRE>
<H2>AUTHOR</H2><PRE>
       David Mosberger

                                  20 Apr 2009                         <B><A HREF="saned.8.html">saned(8)</A></B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>