From 2b20ad5b127cee25984cdd0af5a53d6055ee1e08 Mon Sep 17 00:00:00 2001 From: Ralph Little Date: Mon, 20 Feb 2023 20:14:58 -0800 Subject: [PATCH] doc: merge changes from default, related to removal of init system config. --- doc/saned.man | 304 ++++---------------------------------------------- 1 file changed, 23 insertions(+), 281 deletions(-) diff --git a/doc/saned.man b/doc/saned.man index 57d6a6d43..7fa52004c 100644 --- a/doc/saned.man +++ b/doc/saned.man 
@@ -207,285 +207,6 @@ scan\-client.somedomain.firm .PP The case of the host names does not matter, so AHost.COM is considered identical to ahost.com. -.SH SERVER DAEMON CONFIGURATION -For -.B saned -to work properly in its default mode of operation, it is also necessary to -add the appropriate configuration for -.BR xinetd (8), -.BR inetd (8) -or -.BR systemd (1) -(see below). -Note that your -.BR inetd (8) -must support IPv6 if you want to connect to -.B saned -over IPv6; -.BR xinetd (8), -.BR openbsd-inetd (8) -and -.BR systemd (1) -are known to support IPv6, check the documentation for your -.BR inetd (8) -daemon. -.PP -In the sections below the configuration for -.BR inetd (8), -.BR xinetd (8) -and -.BR systemd (1) -are described in more detail. -.PP -For the configurations below it is necessary to add a line of the following -form to -.IR /etc/services : -.PP -.RS -sane\-port 6566/tcp # SANE network scanner daemon -.RE -.PP -The official IANA short name for port 6566 is "sane\-port". The older name -"sane" is now deprecated. - -.SH INETD CONFIGURATION -It is required to add a single line to the -.BR inetd (8) -configuration file -.IR (/etc/inetd.conf) -. -.PP -The configuration line normally looks like this: -.PP -.RS -sane\-port stream tcp nowait saned.saned @SBINDIR@/saned saned -.RE -.PP -However, if your system uses -.BR tcpd (8) -for additional security screening, you may want to disable -.B saned -access control by putting ``+'' in -.IR saned.conf -and use a line of the following form in -.IR /etc/inetd.conf -instead: -.PP -.RS -sane\-port stream tcp nowait saned.saned /usr/sbin/tcpd @SBINDIR@/saned -.RE -.PP -Note that both examples assume that there is a -.B saned -group and a -.B saned -user. If you follow this example, please make sure that the -access permissions on the special device are set such that -.B saned -can access the scanner (the program generally needs read and -write access to scanner devices). 
- -.SH XINETD CONFIGURATION -If -.BR xinetd (8) -is installed on your system instead of -.BR inetd (8) -the following example for -.I /etc/xinetd.conf -may be helpful: -.PP -.RS -.ft CR -.nf -# default: off -# description: The sane server accepts requests -# for network access to a local scanner via the -# network. -service sane\-port -{ - port = 6566 - socket_type = stream - wait = no - user = saned - group = saned - server = @SBINDIR@/saned -} -.fi -.ft R -.RE - -.SH SYSTEMD CONFIGURATION -.B saned -can be compiled with explicit -.BR systemd (1) -support. This -will allow logging debugging information to be forwarded -to the -.BR systemd (1) -journal. The -.BR systemd (1) -support requires compilation with the -.BR systemd (1) -development package installed on the system. This is the preferred option. - -.B saned -can be used with -.BR systemd (1) -without the -.BR systemd (1) -integration compiled in, but then logging of debug information is not supported. - -The -.BR systemd (1) -configuration is different for the 2 options, so both are described below. - -.SH Systemd configuration for -.B saned -with systemd support compiled in -For -.BR systemd (1) -configuration we need to add 2 configuration files in -.IR /etc/systemd/system . -.PP -The first file we need to add here is called -.IR saned.socket . 
-It shall have -the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=saned incoming socket - -[Socket] -ListenStream=6566 -Accept=yes -MaxConnections=1 - -[Install] -WantedBy=sockets.target -.fi -.ft R -.RE -.PP -The second file to be added is -.I saned@.service -with the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=Scanner Service -Requires=saned.socket - -[Service] -ExecStart=/usr/sbin/saned -User=saned -Group=saned -StandardInput=null -StandardOutput=syslog -StandardError=syslog -Environment=SANE_CONFIG_DIR=@CONFIGDIR@ -# If you need to debug your configuration uncomment the next line and -# change it as appropriate to set the desired debug options -# Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5 - -[Install] -Also=saned.socket -.fi -.ft R -.RE -.PP -You need to set an environment variable for -.B SANE_CONFIG_DIR -pointing to the directory where -.B saned -can find its configuration files. -You will have to remove the # on the last line and set the variables -for the desired debugging information if required. Multiple variables -can be set by separating the assignments by spaces as shown in the -example above. -.PP -Unlike -.BR xinetd (8) -and -.BR inetd (8), -.BR systemd (1) -allows debugging output from backends set using -.B SANE_DEBUG_XXX -to be captured. See the man-page for your backend to see what options -are supported. -With the service unit as described above, the debugging output is -forwarded to the system log. - -.SH Systemd configuration when saned is compiled without systemd support -This configuration will also work when -.B saned -is compiled WITH -.BR systemd (1) -integration support, but it does not allow debugging information to be logged. -.PP -For -.BR systemd (1) -configuration for -.BR saned , -we need to add 2 configuration files in -.IR /etc/systemd/system . -.PP -The first file we need to add here is called -.IR saned.socket . 
-It is identical to the version for -.BR systemd (1) -with the support compiled in. -It shall have the following contents: -.PP -.RS -.ft CR -.nf -[Unit] -Description=saned incoming socket - -[Socket] -ListenStream=6566 -Accept=yes -MaxConnections=1 - -[Install] -WantedBy=sockets.target -.fi -.ft R -.RE -.PP -The second file to be added is -.IR saned@.service . -This one differs from the version with -.BR systemd (1) -integration compiled in: -.PP -.RS -.ft CR -.nf -[Unit] -Description=Scanner Service -Requires=saned.socket - -[Service] -ExecStart=/usr/sbin/saned -User=saned -Group=saned -StandardInput=socket - -Environment=SANE_CONFIG_DIR=/etc/sane.d - -[Install] -Also=saned.socket -.fi -.ft R -.RE -.PP - .SH FILES .TP .I /etc/hosts.equiv @@ -529,6 +250,28 @@ and .I "@CONFIGDIR@" being searched (in this order). +.SH NOTES +.B saned +does +.I not +provide confidentiality when communicating with clients. If +.B saned +is exposed directly on the network, other users may be able to intercept +scanned images, or learn passwords for connecting to +.BR saned , +with little effort. Client systems should connect to +.B saned +through a secure tunnel to the server instead. +.PP +.B saned +is not a trusted program and should not run with root privileges. +.PP +Refer to +.I @DOCDIR@/saned/saned.install.md +for details on configuring +.B saned +as a service. + .SH "SEE ALSO" .BR sane (7), .BR scanimage (1), @@ -536,12 +279,11 @@ being searched (in this order). .BR xcam (1), .BR sane\-dll (5), .BR sane\-net (5), +.BR sane\-"backendname" (5), .BR inetd (8), .BR xinetd (8), .BR systemd (1) .br -Backend-specific man pages. -.br .I http://www.penguin-breeder.org/?page=sane\-net .SH AUTHOR David Mosberger
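Review bot: In the first hunk (@@ -207,285 +207,6 @@), the removed SERVER DAEMON CONFIGURATION text is the only place in the visible lines that gives the service entry "sane\-port 6566/tcp" and the reminder that the saned user needs read and write access to the scanner device. The diffstat shows only doc/saned.man changing, so please confirm that saned.install.md carries both points. I would also keep a one-line mention of TCP port 6566 in the man page, so that an administrator reading only saned(8) can still write a firewall rule for the listener.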
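Review bot: In the second hunk (@@ -529,6 +250,28 @@), the new NOTES section tells clients to connect "through a secure tunnel to the server" without saying what qualifies or how the plain listener should be treated once a tunnel exists. Suggest naming at least one concrete option (for example an SSH port forward or a VPN) and stating that port 6566 should then be reachable only through that tunnel. Two smaller points in the same hunk: "is not a trusted program" can be read as "is known to be hostile", so something like "should be run as a dedicated unprivileged user, never as root" is clearer; and @DOCDIR@ is a new placeholder next to the existing @SBINDIR@ and @CONFIGDIR@, so please check that the man page build substitutes it, otherwise the literal string ends up in the installed page.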
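Review bot: In the third hunk (@@ -536,12 +279,11 @@), the added line ".BR sane\-"backendname" (5)," puts double quotes in the middle of a macro argument, where roff keeps them as literal characters, so the reference will render with the quote marks around a placeholder name that no man page actually has. Consider marking the placeholder with italics instead, or keeping the removed "Backend-specific man pages." wording. Also note that SEE ALSO still lists inetd(8), xinetd(8) and systemd(1) while the sections that explained their use are gone; a pointer to saned.install.md here would tell the reader why they are listed.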