saned(8) - f34

1saned(8)                 SANE Scanner Access Now Easy                 saned(8)
2
3
4

NAME

6       saned - SANE network daemon
7

SYNOPSIS

9       saned  [ -a [ username ] ] [ -u username ] [ -b address ] [ -p port ] [
10       -l ] [ -D ] [ -o ] [ -d n ] [ -e ] [ -h ]
11

DESCRIPTION

13       saned is the SANE (Scanner Access Now Easy) daemon that  allows  remote
14       clients  to  access  image  acquisition  devices available on the local
15       host.
16

OPTIONS

18       The -l flag requests that saned run in standalone daemon mode.  In this
19       mode,  saned  will  listen for incoming client connections; inetd(8) is
20       not required for saned operations in this mode. The -b flag tells saned
21       to  bind  to  the address given.  The -p flags tells saned to listen on
22       the port given.  A value of 0 tells saned to pick an unused port.   The
23       default  is the sane-port (6566).  The -u flag requests that saned drop
24       root privileges and run as the user (and group) associated  with  user‐
25       name  after binding.  The -D flag will request saned to detach from the
26       console and run in the background.  The flag -a is  equivalent  to  the
27       combination of -l -B -u username options.
28
29       The  -d  flag sets the level of saned debug output.  When compiled with
30       debugging enabled, this flag may be followed by  a  number  to  request
31       more  or  less debug info.  The larger the number, the more verbose the
32       debug output.  E.g., -d128 will request output of all  debug  info.   A
33       level of 0 produces no output at all.  The default value is 2.
34
35       The  -e  flag  will  divert saned debug output to stderr instead of the
36       syslog default.
37
38       The -o flag requests that saned exits after the  first  client  discon‐
39       nects.  This is useful for debugging.
40
41       The -h flag displays a short help message.
42
43       If  saned  is  run  from other programs such as inetd(8), xinetd(8) and
44       systemd(1), check that program's documentation on how to pass  command-
45       line options.
46

CONFIGURATION

48       First and foremost: saned is not intended to be exposed to the internet
49       or other non-trusted networks. Make sure that access is limited by tcp‐
50       wrappers  and/or  a  firewall  setup.  Don't depend only on saned's own
51       authentication. Don't run saned as root if it's not necessary.  And  do
52       not install saned as setuid root.
53
54       The  saned.conf configuration file contains both options for the daemon
55       and the access list.
56
57       data_portrange = min_port - max_port
58              Specify the port range to use for the data  connection.  Pick  a
59              port  range  between 1024 and 65535; don't pick a too large port
60              range, as it may have performance issues.  Use  this  option  if
61              your saned server is sitting behind a firewall. If that firewall
62              is a Linux machine, we strongly recommend  using  the  Netfilter
63              nf_conntrack_sane module instead.
64
65       data_connect_timeout = timeout
66              Specify the time in milliseconds that saned will wait for a data
67              connection. Without this option, if the data connection  is  not
68              done  before  the  scanner  reaches the end of scan, the scanner
69              will continue to scan past the end and may damage  it  depending
70              on  the  backend.  Specify  zero  to  have the old behavior. The
71              default is 4000ms.
72
73       The access list is a list of host names, IP  addresses  or  IP  subnets
74       (CIDR  notation)  that  are  permitted  to use local SANE devices. IPv6
75       addresses must be enclosed in brackets, and should always be  specified
76       in their compressed form. Connections from localhost are always permit‐
77       ted. Empty lines and lines starting with a hash mark (#) are ignored. A
78       line  containing the single character ``+'' is interpreted to match any
79       hostname. This allows any remote machine to use your  scanner  and  may
80       present a security risk, so this shouldn't be used unless you know what
81       you're doing.
82
83       A sample configuration file is shown below:
84
85              # Daemon options
86              data_portrange = 10000 - 10100
87              # Access list
88              scan-client.somedomain.firm
89              # this is a comment
90              192.168.0.1
91              192.168.2.12/29
92              [::1]
93              [2001:db8:185e::42:12]/64
94
95       The case of the host names does not matter, so AHost.COM is  considered
96       identical to ahost.com.
97

SERVER DAEMON CONFIGURATION

99       For saned to work properly in its default mode of operation, it is also
100       necessary to add the appropriate configuration for xinetd(8),  inetd(8)
101       or  systemd(1)  (see below).  Note that your inetd(8) must support IPv6
102       if you want to connect to saned over IPv6; xinetd(8),  openbsd-inetd(8)
103       and  systemd(1)  are known to support IPv6, check the documentation for
104       your inetd(8) daemon.
105
106       In the sections below the configuration  for  inetd(8),  xinetd(8)  and
107       systemd(1) are described in more detail.
108
109       For  the configurations below it is necessary to add a line of the fol‐
110       lowing form to /etc/services:
111
112              sane-port 6566/tcp # SANE network scanner daemon
113
114       The official IANA short name for port 6566 is  "sane-port".  The  older
115       name "sane" is now deprecated.
116
117

INETD CONFIGURATION

119       It  is required to add a single line to the inetd(8) configuration file
120       (/etc/inetd.conf)
121
122       The configuration line normally looks like this:
123
124              sane-port stream tcp nowait saned.saned /usr/sbin/saned saned
125
126       However, if your system uses tcpd(8) for additional security screening,
127       you  may  want  to  disable  saned  access  control by putting ``+'' in
128       saned.conf and use a line of  the  following  form  in  /etc/inetd.conf
129       instead:
130
131              sane-port   stream   tcp   nowait   saned.saned   /usr/sbin/tcpd
132              /usr/sbin/saned
133
134       Note that both examples assume that there is a saned group and a  saned
135       user.   If  you  follow  this example, please make sure that the access
136       permissions on the special device are set such that  saned  can  access
137       the scanner (the program generally needs read and write access to scan‐
138       ner devices).
139
140

XINETD CONFIGURATION

142       If xinetd(8) is installed on your system instead of inetd(8)  the  fol‐
143       lowing example for /etc/xinetd.conf may be helpful:
144
145              # default: off
146              # description: The sane server accepts requests
147              # for network access to a local scanner via the
148              # network.
149              service sane-port
150              {
151                 port        = 6566
152                 socket_type = stream
153                 wait        = no
154                 user        = saned
155                 group       = saned
156                 server      = /usr/sbin/saned
157              }
158
159

SYSTEMD CONFIGURATION

161       saned  can  be compiled with explicit systemd(1)support.This will allow
162       logging debugging information to be forwarded to the  systemd(1)  jour‐
163       nal. The systemd(1) support requires compilation with the systemd-devel
164       package installed on the system. this is the preferred option.
165
166       saned can be used with systemd(1) without  the  systemd(1)  integration
167       compiled in, but then logging of debug information is not supported.
168
169       The  systemd(1)  configuration  is different for the 2 options, so both
170       are described below.
171
172

Systemd configuration for saned with systemd support compiled in

174       For systemd(1) configuration we need to add 2  configuration  files  in
175       /etc/systemd/system.
176
177       The  first  file  we need to add here is called saned.socket.  It shall
178       have the following contents:
179
180              [Unit]
181              Description=saned incoming socket
182
183              [Socket]
184              ListenStream=6566
185              Accept=yes
186              MaxConnections=1
187
188              [Install]
189              WantedBy=sockets.target
190
191       The second file to be added is saned@.service with the  following  con‐
192       tents:
193
194              [Unit]
195              Description=Scanner Service
196              Requires=saned.socket
197
198              [Service]
199              ExecStart=/usr/sbin/saned
200              User=saned
201              Group=saned
202              StandardInput=null
203              StandardOutput=syslog
204              StandardError=syslog
205              Environment=SANE_CONFIG_DIR=/etc/sane.d
206              # If you need to debug your configuration uncomment the next line and
207              # change it as appropriate to set the desired debug options
208              # Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5
209
210              [Install]
211              Also=saned.socket
212
213       You need to set an environment variable for SANE_CONFIG_DIR pointing to
214       the directory where saned can find its configuration files.   you  will
215       have  to  remove  the  # on the last line and set the variables for the
216       desired debugging information if required.  Multiple variables  can  be
217       set  by  separating  the  assignments by spaces as shown in the example
218       above.
219
220       Unlike xinetd(8) and inetd(8), systemd(1) allows debugging output  from
221       backends  set using SANE_DEBUG_XXX to be captured. See the man-page for
222       your backend to see what options are  supported.  With the service unit
223       as  described  above,  the  debugging output is forwarded to the system
224       log.
225
226

Systemd configuration when saned is compiled without systemd support

228       This configuration will also work when  saned  is  compiled  WITH  sys‐
229       temd(1)integrationsupport,butitdoesnotallowdebugging  information to be
230       logged.
231
232       For systemd(1) configuration for saned, we need to add 2  configuration
233       files in /etc/systemd/system.
234
235       The first file we need to add here is called saned.socket.  It is iden‐
236       tical to the version for systemd(1) with the support compiled  in.   It
237       shall have the following contents:
238
239              [Unit]
240              Description=saned incoming socket
241
242              [Socket]
243              ListenStream=6566
244              Accept=yes
245              MaxConnections=1
246
247              [Install]
248              WantedBy=sockets.target
249
250       The second file to be added is saned@.service This one differs from the
251       version with systemd(1) integration compiled in:
252
253              [Unit]
254              Description=Scanner Service
255              Requires=saned.socket
256
257              [Service]
258              ExecStart=/usr/sbin/saned
259              User=saned
260              Group=saned
261              StandardInput=socket
262
263              Environment=SANE_CONFIG_DIR=/etc/sane.d
264
265              [Install]
266              Also=saned.socket
267

FILES

269       /etc/hosts.equiv
270              The hosts listed in this file are permitted to access all  local
271              SANE  devices.  Caveat: this file imposes serious security risks
272              and its use is not recommended.
273
274       /etc/sane.d/saned.conf
275              Contains a list of hosts permitted to access local SANE  devices
276              (see also description of SANE_CONFIG_DIR below).
277
278       /etc/sane.d/saned.users
279              If this file contains lines of the form
280
281              user:password:backend
282
283              access  to  the  listed backends is restricted. A backend may be
284              listed multiple times for different user/password  combinations.
285              The server uses MD5 hashing if supported by the client.
286

ENVIRONMENT

288       SANE_CONFIG_DIR
289              This environment variable specifies the list of directories that
290              may contain the configuration file.  Under UNIX, the directories
291              are  separated  by a colon (`:'), under OS/2, they are separated
292              by a semi-colon (`;').  If this variable is not set, the config‐
293              uration  file is searched in two default directories: first, the
294              current working directory (".") and then in /etc/sane.d.  If the
295              value  of the environment variable ends with the directory sepa‐
296              rator character, then the default directories are searched after
297              the  explicitly  specified  directories.   For  example, setting
298              SANE_CONFIG_DIR to "/tmp/config:" would  result  in  directories
299              tmp/config, ., and /etc/sane.d being searched (in this order).
300
301

AUTHOR

308       David Mosberger
309
310
311
312                                  29 Sep 2017                         saned(8)