1saned(8)                 SANE Scanner Access Now Easy                 saned(8)
2
3
4

NAME

6       saned - SANE network daemon
7

SYNOPSIS

9       saned  [ -a [ username ] ] [ -u username ] [ -b address ] [ -l ] [ -D ]
10       [ -o ] [ -d n ] [ -e ] [ -h ]
11

DESCRIPTION

13       saned is the SANE (Scanner Access Now Easy) daemon that  allows  remote
14       clients  to  access  image  acquisition  devices available on the local
15       host.
16

OPTIONS

18       The -l flag requests that saned run in standalone daemon mode.  In this
19       mode,  saned  will listen for incoming client connections; inetd is not
20       required for saned operations in this mode. The -b flag tells saned  to
21       bind  to  the address given.  The -u flag requests that saned drop root
22       privileges and run as the user (and  group)  associated  with  username
23       after  binding.  The -D flag will request saned to detach from the con‐
24       sole and run in the background.  The flag -a is equivalent to the  com‐
25       bination of -l -B -u username options.
26
27       The  -d  flag sets the level of saned debug output.  When compiled with
28       debugging enabled, this flag may be followed by  a  number  to  request
29       more  or  less debug info.  The larger the number, the more verbose the
30       debug output.  E.g., -d128 will request output of all  debug  info.   A
31       level of 0 produces no output at all.  The default value is 2.
32
33       The  -e  flag  will  divert saned debug output to stderr instead of the
34       syslog default.
35
36       The -o flag requests that saned exits after the  first  client  discon‐
37       nects.  This is useful for debugging.
38
39       The -h flag displays a short help message.
40
41       If  saned is run from other programs such as inetd, xinetd and systemd,
42       check that program's documentation on how to pass command-line options.
43

CONFIGURATION

45       First and foremost: saned is not intended to be exposed to the internet
46       or other non-trusted networks. Make sure that access is limited by tcp‐
47       wrappers and/or a firewall setup. Don't  depend  only  on  saned's  own
48       authentication.  Don't  run saned as root if it's not necessary. And do
49       not install saned as setuid root.
50
51       The saned.conf configuration file contains both options for the  daemon
52       and the access list.
53
54       data_portrange = min_port - max_port
55              Specify  the  port  range to use for the data connection. Pick a
56              port range between 1024 and 65535; don't pick a too  large  port
57              range,  as  it  may  have performance issues. Use this option if
58              your saned server is sitting behind a firewall. If that firewall
59              is  a  Linux  machine, we strongly recommend using the Netfilter
60              nf_conntrack_sane module instead.
61
62       data_connect_timeout = timeout
63              Specify the time in milliseconds that saned will wait for a data
64              connection.  Without  this option, if the data connection is not
65              done before the scanner reaches the end  of  scan,  the  scanner
66              will  continue  to scan past the end and may damage it depending
67              on the backend. Specify zero  to  have  the  old  behavior.  The
68              default is 4000ms.
69
70       The  access  list  is  a list of host names, IP addresses or IP subnets
71       (CIDR notation) that are permitted to  use  local  SANE  devices.  IPv6
72       addresses  must be enclosed in brackets, and should always be specified
73       in their compressed form. Connections from localhost are always permit‐
74       ted. Empty lines and lines starting with a hash mark (#) are ignored. A
75       line containing the single character ``+'' is interpreted to match  any
76       hostname.  This  allows  any remote machine to use your scanner and may
77       present a security risk, so this shouldn't be used unless you know what
78       you're doing.
79
80       A sample configuration file is shown below:
81
82              # Daemon options
83              data_portrange = 10000 - 10100
84              # Access list
85              scan-client.somedomain.firm
86              # this is a comment
87              192.168.0.1
88              192.168.2.12/29
89              [::1]
90              [2001:db8:185e::42:12]/64
91
92       The  case of the host names does not matter, so AHost.COM is considered
93       identical to ahost.com.
94

SERVER DAEMON CONFIGURATION

96       For saned to work properly in its default mode of operation, it is also
97       necessary to add the appropriate configuration for (x)inetd or systemd.
98       (see below).  Note that your inetd must support IPv6  if  you  want  to
99       connect  to  saned  over  IPv6  ; xinetd, openbsd-inetd and systemd are
100       known to support IPv6, check the documentation for your inetd daemon.
101
102       In the sections below the configuration for inetd, xinetd  and  systemd
103       are described in more detail.
104
105       For  the configurations below it is necessary to add a line of the fol‐
106       lowing form to /etc/services:
107
108              sane-port 6566/tcp # SANE network scanner daemon
109
110       The official IANA short name for port 6566 is  "sane-port".  The  older
111       name "sane" is now deprecated.
112

INETD CONFIGURATION

114       It  is  required  to  add a single line to the inetd configuration file
115       (/etc/inetd.conf)
116
117       The configuration line normally looks like this:
118
119              sane-port stream tcp nowait saned.saned /usr/sbin/saned saned
120
121       However, if your system uses tcpd(8) for additional security screening,
122       you  may  want  to  disable  saned  access  control by putting ``+'' in
123       saned.conf and use a line of  the  following  form  in  /etc/inetd.conf
124       instead:
125
126              sane-port   stream   tcp   nowait   saned.saned   /usr/sbin/tcpd
127              /usr/sbin/saned
128
129       Note that both examples assume that there is a saned group and a  saned
130       user.   If  you  follow  this example, please make sure that the access
131       permissions on the special device are set such that  saned  can  access
132       the scanner (the program generally needs read and write access to scan‐
133       ner devices).
134

XINETD CONFIGURATION

136       If xinetd is installed on your system instead of  inetd  the  following
137       example for /etc/xinetd.conf may be helpful:
138
139              # default: off
140              # description: The sane server accepts requests
141              # for network access to a local scanner via the
142              # network.
143              service sane-port
144              {
145                 port        = 6566
146                 socket_type = stream
147                 wait        = no
148                 user        = saned
149                 group       = saned
150                 server      = /usr/sbin/saned
151              }
152

SYSTEMD CONFIGURATION

154       Saned  can  be  compiled with explicit systemd support. This will allow
155       logging debugging information to be forwarded to the  systemd  journal.
156       The systemd support requires compilation with the systemd-devel package
157       installed on the system. this is the preferred option.
158
159       Saned can be used wih systemd without the systemd integration  compiled
160       in, but then logging of debug information is not supported.
161
162       The  systemd configuration is different for the 2 options, but you need
163       to create unit files in both options and then run as root:
164
165              systemctl start saned.socket
166
167       to start saned. If you want to have saned.socket running after startup,
168       run as root:
169
170              systemctl enable saned.socket
171
172       The systemd configuration of both options is described below.
173

Systemd configuration for saned with systemd support compiled in

175       for  the  systemd configuration we need to add 2 configuration files in
176       /etc/systemd/system.
177
178       The first file we need to add here is called  saned.socket.   It  shall
179       have the following contents:
180
181              [Unit]
182              Description=saned incoming socket
183
184              [Socket]
185              ListenStream=6566
186              Accept=yes
187              MaxConnections=1
188
189              [Install]
190              WantedBy=sockets.target
191
192       The  second  file to be added is saned@.service with the following con‐
193       tents:
194
195              [Unit]
196              Description=Scanner Service
197              Requires=saned.socket
198
199              [Service]
200              ExecStart=/usr/sbin/saned
201              User=saned
202              Group=saned
203              StandardInput=null
204              StandardOutput=syslog
205              StandardError=syslog
206              Environment=SANE_CONFIG_DIR=/etc/sane.d
207              # If you need to debug your configuration uncomment the next line and
208              # change it as appropriate to set the desired debug options
209              # Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5
210
211              [Install]
212              Also=saned.socket
213
214       You need to set an environment variable for SANE_CONFIG_DIR pointing to
215       the  directory  where saned can find its configuration files.  you will
216       have to remove the # on the last line and set  the  variables  for  the
217       desired  debugging  information if required.  Multiple variables can be
218       set by separating the assignments by spaces as  shown  in  the  example
219       above.
220
221       Unlike  (x)inetd  ,  systemd  allows debugging output from backends set
222       using SANE_DEBUG_XXX to be captured. See the man-page for your  backend
223       to see what options are  supported.  With the service unit as described
224       above, the debugging output is forwarded to the system log.
225
226

Systemd configuration when saned is compiled without systemd support

228       This configuration will also work when Saned is compiled  WITH  systemd
229       integration  support, but it does not allow debugging information to be
230       logged.
231
232       for systemd configuration for saned, we need  to  add  2  configuration
233       files in /etc/systemd/system.
234
235       The first file we need to add here is called saned.socket.  It is iden‐
236       tical to the version for systemd with  the  support  compiled  in.   It
237       shall have the following contents:
238
239              [Unit]
240              Description=saned incoming socket
241
242              [Socket]
243              ListenStream=6566
244              Accept=yes
245              MaxConnections=1
246
247              [Install]
248              WantedBy=sockets.target
249
250       The  second  file  to be added is saned@.service This one differes from
251       the sersion with systemd integration compiled in:
252
253              [Unit]
254              Description=Scanner Service
255              Requires=saned.socket
256
257              [Service]
258              ExecStart=/usr/sbin/saned
259              User=saned
260              Group=saned
261              StandardInput=socket
262
263              Environment=SANE_CONFIG_DIR=/etc/sane.d
264
265              [Install]
266              Also=saned.socket
267

FILES

269       /etc/hosts.equiv
270              The hosts listed in this file are permitted to access all  local
271              SANE  devices.  Caveat: this file imposes serious security risks
272              and its use is not recommended.
273
274       /etc/sane.d/saned.conf
275              Contains a list of hosts permitted to access local SANE  devices
276              (see also description of SANE_CONFIG_DIR below).
277
278       /etc/sane.d/saned.users
279              If this file contains lines of the form
280
281              user:password:backend
282
283              access  to  the  listed backends is restricted. A backend may be
284              listed multiple times for different user/password  combinations.
285              The server uses MD5 hashing if supported by the client.
286

ENVIRONMENT

288       SANE_CONFIG_DIR
289              This environment variable specifies the list of directories that
290              may contain the configuration file.  Under UNIX, the directories
291              are  separated  by a colon (`:'), under OS/2, they are separated
292              by a semi-colon (`;').  If this variable is not set, the config‐
293              uration  file is searched in two default directories: first, the
294              current working directory (".") and then in /etc/sane.d.  If the
295              value  of the environment variable ends with the directory sepa‐
296              rator character, then the default directories are searched after
297              the  explicitly  specified  directories.   For  example, setting
298              SANE_CONFIG_DIR to "/tmp/config:" would  result  in  directories
299              "tmp/config",  ".",  and  "/etc/sane.d"  being searched (in this
300              order).
301
302

SEE ALSO

304       sane(7),    scanimage(1),    xscanimage(1),    xcam(1),    sane-dll(5),
305       sane-net(5), sane-"backendname"(5)
306       http://www.penguin-breeder.org/?page=sane-net
307

AUTHOR

309       David Mosberger
310
311
312
313                                  29 Sep 2017                         saned(8)
Impressum