diff options
Diffstat (limited to 'doc/saned.man')
| -rw-r--r-- | doc/saned.man | 329 |
1 files changed, 30 insertions, 299 deletions
diff --git a/doc/saned.man b/doc/saned.man index d91f817..400ab6c 100644 --- a/doc/saned.man +++ b/doc/saned.man @@ -24,6 +24,9 @@ saned \- SANE network daemon .B ] .B [ \-e ] .B [ \-h ] +.B [ \-B +.I buffer-size +.B ] .SH DESCRIPTION .B saned @@ -115,33 +118,15 @@ will divert debug output to stderr instead of the syslog default. .TP +.BR \-B ", " \-\-buffer-size=\fIbuffer\-size\fR +specifies the size of the read buffer used for communication with the backend in KB. +Default value is 1MB. + +.TP .BR \-h ", " \-\-help displays a short help message. -.PP -If -.B saned -is run from other programs such as -.BR inetd (8), -.BR xinetd (8) -and -.BR systemd (1), -check that program's documentation on how to pass command-line options. .SH CONFIGURATION -First and foremost: -.B saned -is not intended to be exposed to the internet or other non-trusted -networks. Make sure that access is limited by tcpwrappers and/or a firewall -setup. Don't depend only on -.BR saned 's -own authentication. Don't run -.B saned -as root if it's not necessary. And do -.B not -install -.B saned -as setuid root. -.PP The .I saned.conf configuration file contains both options for the daemon and the access @@ -199,282 +184,6 @@ scan\-client.somedomain.firm .PP The case of the host names does not matter, so AHost.COM is considered identical to ahost.com. -.SH SERVER DAEMON CONFIGURATION -For -.B saned -to work properly in its default mode of operation, it is also necessary to -add the appropriate configuration for -.BR xinetd (8), -.BR inetd (8) -or -.BR systemd (1) -(see below). -Note that your -.BR inetd (8) -must support IPv6 if you want to connect to -.B saned -over IPv6; -.BR xinetd (8), -.BR openbsd-inetd (8) -and -.BR systemd (1) -are known to support IPv6, check the documentation for your -.BR inetd (8) -daemon. -.PP -In the sections below the configuration for -.BR inetd (8), -.BR xinetd (8) -and -.BR systemd (1) -are described in more detail. -.PP -For the configurations below it is necessary to add a line of the following -form to -.IR /etc/services : -.PP -.RS -sane\-port 6566/tcp # SANE network scanner daemon -.RE -.PP -The official IANA short name for port 6566 is "sane\-port". The older name -"sane" is now deprecated. - -.SH INETD CONFIGURATION -It is required to add a single line to the -.BR inetd (8) -configuration file -.IR (/etc/inetd.conf) -. -.PP -The configuration line normally looks like this: -.PP -.RS -sane\-port stream tcp nowait saned.saned @SBINDIR@/saned saned -.RE -.PP -However, if your system uses -.BR tcpd (8) -for additional security screening, you may want to disable -.B saned -access control by putting ``+'' in -.IR saned.conf -and use a line of the following form in -.IR /etc/inetd.conf -instead: -.PP -.RS -sane\-port stream tcp nowait saned.saned /usr/sbin/tcpd @SBINDIR@/saned -.RE -.PP -Note that both examples assume that there is a -.B saned -group and a -.B saned -user. If you follow this example, please make sure that the -access permissions on the special device are set such that -.B saned -can access the scanner (the program generally needs read and -write access to scanner devices). - -.SH XINETD CONFIGURATION -If -.BR xinetd (8) -is installed on your system instead of -.BR inetd (8) -the following example for -.I /etc/xinetd.conf -may be helpful: -.PP -.RS -.ft CR -.nf -# default: off -# description: The sane server accepts requests -# for network access to a local scanner via the -# network. -service sane\-port -{ - port = 6566 - socket_type = stream - wait = no - user = saned - group = saned - server = @SBINDIR@/saned -} -.fi -.ft R -.RE - -.SH SYSTEMD CONFIGURATION -.B saned -can be compiled with explicit -.BR systemd (1) -support. This -will allow logging debugging information to be forwarded -to the -.BR systemd (1) -journal. The -.BR systemd (1) -support requires compilation with the systemd-devel package -installed on the system. This is the preferred option. - -.B saned -can be used with -.BR systemd (1) -without the -.BR systemd (1) -integration compiled in, but then logging of debug information is not supported. - -The -.BR systemd (1) -configuration is different for the 2 options, so both are described below. - -.SH Systemd configuration for saned with systemd support compiled in -For -.BR systemd (1) -configuration we need to add 2 configuration files in -.IR /etc/systemd/system . -.PP -The first file we need to add here is called -.I saned.socket. -It shall have -the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=saned incoming socket - -[Socket] -ListenStream=6566 -Accept=yes -MaxConnections=1 - -[Install] -WantedBy=sockets.target -.fi -.ft R -.RE -.PP -The second file to be added is -.I saned@.service -with the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=Scanner Service -Requires=saned.socket - -[Service] -ExecStart=/usr/sbin/saned -User=saned -Group=saned -StandardInput=null -StandardOutput=syslog -StandardError=syslog -Environment=SANE_CONFIG_DIR=@CONFIGDIR@ -# If you need to debug your configuration uncomment the next line and -# change it as appropriate to set the desired debug options -# Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5 - -[Install] -Also=saned.socket -.fi -.ft R -.RE -.PP -You need to set an environment variable for -.B SANE_CONFIG_DIR -pointing to the directory where -.B saned -can find its configuration files. -You will have to remove the # on the last line and set the variables -for the desired debugging information if required. Multiple variables -can be set by separating the assignments by spaces as shown in the -example above. -.PP -Unlike -.BR xinetd (8) -and -.BR inetd (8), -.BR systemd (1) -allows debugging output from backends set using -.B SANE_DEBUG_XXX -to be captured. See the man-page for your backend to see what options -are supported. -With the service unit as described above, the debugging output is -forwarded to the system log. - -.SH Systemd configuration when saned is compiled without systemd support -This configuration will also work when -.B saned -is compiled WITH -.BR systemd (1) -integration support, but it does not allow debugging information to be logged. -.PP -For -.BR systemd (1) -configuration for -.BR saned , -we need to add 2 configuration files in -.IR /etc/systemd/system . -.PP -The first file we need to add here is called -.I saned.socket. -It is identical to the version for -.BR systemd (1) -with the support compiled in. -It shall have the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=saned incoming socket - -[Socket] -ListenStream=6566 -Accept=yes -MaxConnections=1 - -[Install] -WantedBy=sockets.target -.fi -.ft R -.RE -.PP -The second file to be added is -.IR saned@.service . -This one differs from the version with -.BR systemd (1) -integration compiled in: -.PP -.RS -.ft CR -.nf -[Unit] -Description=Scanner Service -Requires=saned.socket - -[Service] -ExecStart=/usr/sbin/saned -User=saned -Group=saned -StandardInput=socket - -Environment=SANE_CONFIG_DIR=/etc/sane.d - -[Install] -Also=saned.socket -.fi -.ft R -.RE -.PP - .SH FILES .TP .I /etc/hosts.equiv @@ -518,6 +227,28 @@ and .I "@CONFIGDIR@" being searched (in this order). +.SH NOTES +.B saned +does +.I not +provide confidentiality when communicating with clients. If +.B saned +is exposed directly on the network, other users may be able to intercept +scanned images, or learn passwords for connecting to +.BR saned , +with little effort. Client systems should connect to +.B saned +through a secure tunnel to the server instead. +.PP +.B saned +is not a trusted program and should not run with root privileges. +.PP +Refer to +.I @DOCDIR@/saned/saned.install.md +for details on configuring +.B saned +as a service. + .SH "SEE ALSO" .BR sane (7), .BR scanimage (1), |