saned(8) - f36

1saned(8)                 SANE Scanner Access Now Easy                 saned(8)
2
3
4

NAME

6       saned - SANE network daemon
7

SYNOPSIS

9       saned  [ -a [ username ] ] [ -u username ] [ -b address ] [ -p port ] [
10       -l ] [ -D ] [ -o ] [ -d n ] [ -e ] [ -h ]
11
12

DESCRIPTION

14       saned is the SANE (Scanner Access Now Easy) daemon that  allows  remote
15       clients  to  access  image  acquisition  devices available on the local
16       host.
17
18

OPTIONS

20       saned recognises the following options:
21
22
23       -a [username], --alone[=username]
24              is equivalent to the combination of -l -D -u  username  options.
25              However,  username is optional and running user will only be set
26              when specified.
27
28
29       -u username, --user=username
30              requests that saned drop root privileges and  run  as  the  user
31              (and group) associated with username after binding.
32
33
34       -b address, --bind=address
35              tells saned to bind to the address given.
36
37
38       -p port, --port=port
39              tells  saned  to  listen  on the port given.  A value of 0 tells
40              saned to pick an unused port.   The  default  is  the  sane-port
41              [1m(6566).
42
43
44       -l, --listen
45              requests  that  saned  run  in  standalone daemon mode.  In this
46              mode, saned will listen for  incoming  client  connections;  in‐
47              etd(8) is not required for saned operations in this mode.
48
49
50       -D, --daemonize
51              will  request  saned  to  detach from the console and run in the
52              background.
53
54
55       -o, --once
56              requests that saned exits after the  first  client  disconnects.
57              This is useful for debugging.
58
59
60       -d n, --debug=n
61              sets  the  level of saned debug output to n.  When compiled with
62              debugging enabled, this flag may be followed by a number to  re‐
63              quest  more or less debug info.  The larger the number, the more
64              verbose the debug output.  E.g., -d128 will  request  output  of
65              all  debug  info.   A level of 0 produces no output at all.  The
66              default value is 2.
67
68
69       -e, --stderr
70              will divert saned debug output to stderr instead of  the  syslog
71              default.
72
73
74       -h, --help
75              displays a short help message.
76
77       If  saned  is  run  from other programs such as inetd(8), xinetd(8) and
78       systemd(1), check that program's documentation on how to pass  command-
79       line options.
80
81

CONFIGURATION

83       First and foremost: saned is not intended to be exposed to the internet
84       or other non-trusted networks. Make sure that access is limited by tcp‐
85       wrappers  and/or a firewall setup. Don't depend only on saned's own au‐
86       thentication. Don't run saned as root if it's not necessary. And do not
87       install saned as setuid root.
88
89       The  saned.conf configuration file contains both options for the daemon
90       and the access list.
91
92       data_portrange = min_port - max_port
93              Specify the port range to use for the data  connection.  Pick  a
94              port  range  between 1024 and 65535; don't pick a too large port
95              range, as it may have performance issues.  Use  this  option  if
96              your saned server is sitting behind a firewall. If that firewall
97              is a Linux machine, we strongly recommend  using  the  Netfilter
98              nf_conntrack_sane module instead.
99
100       data_connect_timeout = timeout
101              Specify the time in milliseconds that saned will wait for a data
102              connection. Without this option, if the data connection  is  not
103              done  before  the  scanner  reaches the end of scan, the scanner
104              will continue to scan past the end and may damage  it  depending
105              on  the  backend. Specify zero to have the old behavior. The de‐
106              fault is 4000ms.
107
108       The access list is a list of host names, IP  addresses  or  IP  subnets
109       (CIDR  notation) that are permitted to use local SANE devices. IPv6 ad‐
110       dresses must be enclosed in brackets, and should always be specified in
111       their compressed form. Connections from localhost are always permitted.
112       Empty lines and lines starting with a hash mark (#) are ignored. A line
113       containing the single character ``+'' is interpreted to match any host‐
114       name. This allows any remote  machine  to  use  your  scanner  and  may
115       present a security risk, so this shouldn't be used unless you know what
116       you're doing.
117
118       A sample configuration file is shown below:
119
120              # Daemon options
121              data_portrange = 10000 - 10100
122              # Access list
123              scan-client.somedomain.firm
124              # this is a comment
125              192.168.0.1
126              192.168.2.12/29
127              [::1]
128              [2001:db8:185e::42:12]/64
129
130       The case of the host names does not matter, so AHost.COM is  considered
131       identical to ahost.com.
132

SERVER DAEMON CONFIGURATION

134       For saned to work properly in its default mode of operation, it is also
135       necessary to add the appropriate configuration for xinetd(8),  inetd(8)
136       or  systemd(1)  (see below).  Note that your inetd(8) must support IPv6
137       if you want to connect to saned over IPv6; xinetd(8),  openbsd-inetd(8)
138       and  systemd(1)  are known to support IPv6, check the documentation for
139       your inetd(8) daemon.
140
141       In the sections below the configuration  for  inetd(8),  xinetd(8)  and
142       systemd(1) are described in more detail.
143
144       For  the configurations below it is necessary to add a line of the fol‐
145       lowing form to /etc/services:
146
147              sane-port 6566/tcp # SANE network scanner daemon
148
149       The official IANA short name for port 6566 is  "sane-port".  The  older
150       name "sane" is now deprecated.
151
152

INETD CONFIGURATION

154       It  is required to add a single line to the inetd(8) configuration file
155       (/etc/inetd.conf)
156
157       The configuration line normally looks like this:
158
159              sane-port stream tcp nowait saned.saned /usr/sbin/saned saned
160
161       However, if your system uses tcpd(8) for additional security screening,
162       you  may  want  to  disable  saned  access  control by putting ``+'' in
163       saned.conf and use a line of the following form in /etc/inetd.conf  in‐
164       stead:
165
166              sane-port   stream   tcp   nowait   saned.saned   /usr/sbin/tcpd
167              /usr/sbin/saned
168
169       Note that both examples assume that there is a saned group and a  saned
170       user.   If  you  follow  this example, please make sure that the access
171       permissions on the special device are set such that  saned  can  access
172       the scanner (the program generally needs read and write access to scan‐
173       ner devices).
174
175

XINETD CONFIGURATION

177       If xinetd(8) is installed on your system instead of inetd(8)  the  fol‐
178       lowing example for /etc/xinetd.conf may be helpful:
179
180              # default: off
181              # description: The sane server accepts requests
182              # for network access to a local scanner via the
183              # network.
184              service sane-port
185              {
186                 port        = 6566
187                 socket_type = stream
188                 wait        = no
189                 user        = saned
190                 group       = saned
191                 server      = /usr/sbin/saned
192              }
193
194

SYSTEMD CONFIGURATION

196       saned can be compiled with explicit systemd(1) support. This will allow
197       logging debugging information to be forwarded to the  systemd(1)  jour‐
198       nal. The systemd(1) support requires compilation with the systemd-devel
199       package installed on the system. This is the preferred option.
200
201       saned can be used with systemd(1) without  the  systemd(1)  integration
202       compiled in, but then logging of debug information is not supported.
203
204       The  systemd(1)  configuration  is different for the 2 options, so both
205       are described below.
206
207

Systemd configuration for saned with systemd support compiled in

209       For systemd(1) configuration we need to add 2  configuration  files  in
210       /etc/systemd/system.
211
212       The  first  file  we need to add here is called saned.socket.  It shall
213       have the following contents:
214
215              [Unit]
216              Description=saned incoming socket
217
218              [Socket]
219              ListenStream=6566
220              Accept=yes
221              MaxConnections=1
222
223              [Install]
224              WantedBy=sockets.target
225
226       The second file to be added is saned@.service with the  following  con‐
227       tents:
228
229              [Unit]
230              Description=Scanner Service
231              Requires=saned.socket
232
233              [Service]
234              ExecStart=/usr/sbin/saned
235              User=saned
236              Group=saned
237              StandardInput=null
238              StandardOutput=syslog
239              StandardError=syslog
240              Environment=SANE_CONFIG_DIR=/etc/sane.d
241              # If you need to debug your configuration uncomment the next line and
242              # change it as appropriate to set the desired debug options
243              # Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5
244
245              [Install]
246              Also=saned.socket
247
248       You need to set an environment variable for SANE_CONFIG_DIR pointing to
249       the directory where saned can find its configuration files.   You  will
250       have to remove the # on the last line and set the variables for the de‐
251       sired debugging information if required.  Multiple variables can be set
252       by separating the assignments by spaces as shown in the example above.
253
254       Unlike  xinetd(8) and inetd(8), systemd(1) allows debugging output from
255       backends set using SANE_DEBUG_XXX to be captured. See the man-page  for
256       your backend to see what options are  supported.  With the service unit
257       as described above, the debugging output is  forwarded  to  the  system
258       log.
259
260

Systemd configuration when saned is compiled without systemd support

262       This  configuration  will  also  work  when saned is compiled WITH sys‐
263       temd(1) integration support, but it does not allow  debugging  informa‐
264       tion to be logged.
265
266       For  systemd(1) configuration for saned, we need to add 2 configuration
267       files in /etc/systemd/system.
268
269       The first file we need to add here is called saned.socket.  It is iden‐
270       tical  to  the version for systemd(1) with the support compiled in.  It
271       shall have the following contents:
272
273              [Unit]
274              Description=saned incoming socket
275
276              [Socket]
277              ListenStream=6566
278              Accept=yes
279              MaxConnections=1
280
281              [Install]
282              WantedBy=sockets.target
283
284       The second file to be added is saned@.service.  This one  differs  from
285       the version with systemd(1) integration compiled in:
286
287              [Unit]
288              Description=Scanner Service
289              Requires=saned.socket
290
291              [Service]
292              ExecStart=/usr/sbin/saned
293              User=saned
294              Group=saned
295              StandardInput=socket
296
297              Environment=SANE_CONFIG_DIR=/etc/sane.d
298
299              [Install]
300              Also=saned.socket
301

FILES

303       /etc/hosts.equiv
304              The  hosts listed in this file are permitted to access all local
305              SANE devices.  Caveat: this file imposes serious security  risks
306              and its use is not recommended.
307
308       /etc/sane.d/saned.conf
309              Contains  a list of hosts permitted to access local SANE devices
310              (see also description of SANE_CONFIG_DIR below).
311
312       /etc/sane.d/saned.users
313              If this file contains lines of the form
314
315              user:password:backend
316
317              access to the listed backends is restricted. A  backend  may  be
318              listed  multiple times for different user/password combinations.
319              The server uses MD5 hashing if supported by the client.
320

ENVIRONMENT

322       SANE_CONFIG_DIR
323              This environment variable specifies the list of directories that
324              may contain the configuration file.  On *NIX systems, the direc‐
325              tories are separated by a colon (`:'), under OS/2, they are sep‐
326              arated  by a semi-colon (`;').  If this variable is not set, the
327              configuration file  is  searched  in  two  default  directories:
328              first,   the   current  working  directory  (".")  and  then  in
329              /etc/sane.d.  If the value of the environment variable ends with
330              the  directory separator character, then the default directories
331              are searched after the explicitly  specified  directories.   For
332              example,  setting SANE_CONFIG_DIR to "/tmp/config:" would result
333              in directories tmp/config, ., and /etc/sane.d being searched (in
334              this order).
335
336

AUTHOR

343       David Mosberger
344
345
346
347                                  29 Sep 2017                         saned(8)