From db25c1e7eb942fd24968ea89e0d721a3b43e7ea5 Mon Sep 17 00:00:00 2001 From: David Ward Date: Thu, 14 Apr 2022 19:45:56 -0400 Subject: [PATCH] doc/saned: Improve security warnings The current warnings do not explain to the administrator what risks may actually be involved by exposing saned to the network, so that they can take the appropriate measures. Currently the administrator is advised to restrict incoming connections to saned (using tcpwrappers and/or firewall rules). This might not have been the typical posture when this was written. More importantly, these actions are not meant to protect against a loss of confidentiality, and the administrator should not be led to believe this is the case. Suggest the use of a secure tunnel between each client and saned, which can be achieved without modifying the software. --- PROBLEMS | 14 +++++++------- doc/saned.man | 29 +++++++++++++++-------------- 2 files changed, 22 insertions(+), 21 deletions(-) diff --git a/PROBLEMS b/PROBLEMS index 62466c173..22369b864 100644 --- a/PROBLEMS +++ b/PROBLEMS @@ -1,5 +1,3 @@ -Last update: 2006-01-05 - - Avoiding damage on flatbed scanners Most flatbed scanners have no protection against exceeding the physical scan 
@@ -15,8 +13,10 @@ Last update: 2006-01-05 - Security problems with saned (SANE network scanning daemon) - saned is not intended to be exposed to the internet or other non-trusted - networks. Make sure that access is limited by tcpwrappers and/or a firewall - setup. Don't depend only on saned's own authentication. Don't run saned - as root if it's not necessary. And do not install saned as setuid root. - Read man saned(8) for details. + saned does not provide confidentiality when communicating with clients. + If saned is exposed directly on the network, other users may be able to + intercept scanned images, or learn passwords for connecting to saned, + with little effort. Client systems should connect to saned through a + secure tunnel to the server instead. + + saned is not a trusted program and should not run with root privileges. diff --git a/doc/saned.man b/doc/saned.man index 65cfc4fca..39bf7dbe7 100644 --- a/doc/saned.man +++ b/doc/saned.man @@ -119,20 +119,6 @@ debug output to stderr instead of the syslog default. displays a short help message. .SH CONFIGURATION -First and foremost: -.B saned -is not intended to be exposed to the internet or other non-trusted -networks. Make sure that access is limited by tcpwrappers and/or a firewall -setup. Don't depend only on -.BR saned 's -own authentication. Don't run -.B saned -as root if it's not necessary. And do -.B not -install -.B saned -as setuid root. -.PP The .I saned.conf configuration file contains both options for the daemon and the access 
@@ -234,6 +220,21 @@ and being searched (in this order). .SH NOTES +.B saned +does +.I not +provide confidentiality when communicating with clients. If +.B saned +is exposed directly on the network, other users may be able to intercept +scanned images, or learn passwords for connecting to +.BR saned , +with little effort. Client systems should connect to +.B saned +through a secure tunnel to the server instead. +.PP +.B saned +is not a trusted program and should not run with root privileges. +.PP Refer to .I @DOCDIR@/saned/saned.install.md for details on configuring
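Review bot: In the PROBLEMS hunk at @@ -15,8 +13,10, the replacement text drops the access-restriction advice entirely ("Make sure that access is limited by tcpwrappers and/or a firewall setup", "Don't depend only on saned's own authentication"), along with the "do not install saned as setuid root" warning and the "Read man saned(8) for details" pointer. The commit message's point that those measures do not protect confidentiality is a reason to add the tunnel advice, not to delete them: limiting who can reach the daemon and protecting the traffic address different risks. Suggest keeping one sentence on restricting incoming connections next to the new confidentiality paragraph, and keeping the pointer to saned(8), since the matching text is added there.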
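Review bot: In doc/saned.man at @@ -119,20 +119,6, removing the "First and foremost:" paragraph from the top of CONFIGURATION means an administrator reading how to set up saned.conf no longer meets any security warning at that point. The replacement text lands in NOTES, roughly a hundred lines further down the page. Suggest leaving a short pointer to NOTES at the start of CONFIGURATION, or keeping the new warning in this position.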
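Review bot: In the added NOTES text at @@ -234,6 +220,21, "through a secure tunnel to the server" and "is not a trusted program" give the administrator nothing concrete to act on: no tunnel mechanism is named, and "not a trusted program" does not say what follows from it. The context lines right after already refer to @DOCDIR@/saned/saned.install.md; suggest stating whether that file covers the tunnel setup and pointing to it from this paragraph. Also suggest saying explicitly that saned must not be installed setuid root, which the removed CONFIGURATION text stated and the new wording only implies.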