saned(8)

1saned(8)                 SANE Scanner Access Now Easy                 saned(8)
2
3
4

NAME

6       saned - SANE network daemon
7

SYNOPSIS

9       saned [-d|-s [n]]
10

DESCRIPTION

12       saned  is  the SANE (Scanner Access Now Easy) daemon that allows remote
13       clients to access image acquisition  devices  available  on  the  local
14       host.
15

OPTIONS

17       The -d and -s flags request that saned run in debug mode (as opposed to
18       inetd(8) mode).  In this mode, saned explicitly waits for a  connection
19       request.  When compiled with debugging enabled, these flags may be fol‐
20       lowed by a number to request debug info. The  larger  the  number,  the
21       more  verbose  the  debug output.  E.g., -d128 will request printing of
22       all debug info. Debug level 0 means no debug output at all. The default
23       value  is  2. If flag -d is used, the debug messages will be printed to
24       stderr while -s requests using syslog.
25
26       If saned is run from inetd or xinetd, no option can be given.
27

CONFIGURATION

29       First and foremost: saned is not intended to be exposed to the internet
30       or other non-trusted networks. Make sure that access is limited by tcp‐
31       wrappers and/or a firewall setup. Don't  depend  only  on  saned's  own
32       authentification. Don't run saned as root if it's not necessary. And do
33       not install saned as setuid root.
34
35       The contents of the saned.conf  file  is  a  list  of  host  names,  IP
36       addresses or IP subnets (CIDR notation) that are permitted to use local
37       SANE devices. IPv6 addresses must be enclosed in brackets,  and  should
38       always  be specified in their compressed form.  Connections from local‐
39       host are always permitted.  Empty lines and lines starting with a  hash
40       mark  (#) are ignored.  A line containing the single character ``+'' is
41       interpreted to match any hostname.  This allows any remote  machine  to
42       use  your scanner and may present a security risk, so this shouldn't be
43       used unless you know what you're doing.  A sample configuration file is
44       shown below:
45
46              scan-client.somedomain.firm
47              # this is a comment
48              192.168.0.1
49              192.168.2.12/29
50              [::1]
51              [2001:7a8:185e::42:12]/64
52
53       The  case of the host names does not matter, so AHost.COM is considered
54       identical to ahost.com.
55
56       For saned to work properly, it is also necessary to add a configuration
57       line to /etc/inetd.conf.  Note that your inetd must support IPv6 if you
58       want to connect to saned over IPv6 ; xinetd and openbsd-inetd are known
59       to support IPv6, check the documentation for your inetd daemon.
60
61       The configuration line normally looks like this:
62
63              sane-port stream tcp nowait saned.saned /usr/sbin/saned saned
64
65       However, if your system uses tcpd(8) for additional security screening,
66       you may want to disable  saned  access  control  by  putting  ``+''  in
67       saned.conf  and  use  a  line  of the following form in /etc/inetd.conf
68       instead:
69
70              sane-port   stream   tcp   nowait   saned.saned   /usr/sbin/tcpd
71              /usr/sbin/saned
72
73       Note  that both examples assume that there is a saned group and a saned
74       user.  If you follow this example, please make  sure  that  the  access
75       permissions  on  the  special device are set such that saned can access
76       the scanner (the program generally needs read and write access to scan‐
77       ner devices).
78
79       If  xinetd  is  installed on your system instead of inetd the following
80       example for xinetd.conf may be helpful:
81
82              # default: off
83              # description: The sane server accepts requests
84              # for network access to a local scanner via the
85              # network.
86              service sane-port
87              {
88                 port        = 6566
89                 socket_type = stream
90                 wait        = no
91                 user        = saned
92                 group       = saned
93                 server      = /usr/sbin/saned
94              }
95
96       Finally, it is also necessary to add a line of the  following  form  to
97       /etc/services:
98
99              sane-port 6566/tcp # SANE network scanner daemon
100
101       The  official  IANA  short name for port 6566 is "sane-port". The older
102       name "sane" is now deprecated.
103
104

RESTRICTIONS

106       In addition to the control connection (port 6566)  saned  also  uses  a
107       data  connection.  The port of this socket is selected by the operating
108       system and can't be specified by the user  currently.  This  may  be  a
109       problem  if  the connection must go through a firewall (packet filter).
110       If you must use a packet filter, make sure that all ports  >  1024  are
111       open on the server for connections from the client.
112
113

FILES

115       /etc/hosts.equiv
116              The  hosts listed in this file are permitted to access all local
117              SANE devices.  Caveat: this file imposes serious security  risks
118              and its use is not recommended.
119
120       /etc/sane.d/saned.conf
121              Contains  a list of hosts permitted to access local SANE devices
122              (see also description of SANE_CONFIG_DIR below).
123
124       /etc/sane.d/saned.users
125              If this file contains lines of the form
126
127              user:password:backend
128
129              access to the listed backends is restricted. A  backend  may  be
130              listed  multiple times for different user/password combinations.
131              The server uses MD5 encryption if supported by the client.
132

ENVIRONMENT

134       SANE_CONFIG_DIR
135              This environment variable specifies the list of directories that
136              may contain the configuration file.  Under UNIX, the directories
137              are separated by a colon (`:'), under OS/2, they  are  separated
138              by a semi-colon (`;').  If this variable is not set, the config‐
139              uration file is searched in two default directories: first,  the
140              current working directory (".") and then in /etc/sane.d.  If the
141              value of the environment variable ends with the directory  sepa‐
142              rator character, then the default directories are searched after
143              the explicitly  specified  directories.   For  example,  setting
144              SANE_CONFIG_DIR  to  "/tmp/config:"  would result in directories
145              "tmp/config", ".", and "/etc/sane.d"  being  searched  (in  this
146              order).
147
148

AUTHOR

155       David Mosberger
156
157
158
159sane-backends 1.0.18              30 May 2004                         saned(8)