Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
saned(8)		 SANE Scanner Access Now Easy		      saned(8)

       saned - SANE network daemon

       saned  [	-a [ username ]	] [ -u username	] [ -b address ] [ -p port ] [
       -l ] [ -D ] [ -o	] [ -d n ] [ -e	] [ -h ]

       saned is	the SANE (Scanner Access Now Easy) daemon that	allows	remote
       clients	to  access  image  acquisition	devices	available on the local

       The -l flag requests that saned run in standalone daemon	mode.  In this
       mode,  saned  will  listen for incoming client connections; inetd(8) is
       not required for	saned operations in this mode. The -b flag tells saned
       to  bind	 to  the address given.	 The -p	flags tells saned to listen on
       the port	given.	A value	of 0 tells saned to pick an unused port.   The
       default	is the sane-port (6566).  The -u flag requests that saned drop
       root privileges and run as the user (and	group) associated  with	 user-
       name  after binding.  The -D flag will request saned to detach from the
       console and run in the background.  The flag -a is  equivalent  to  the
       combination of -l -B -u username	options.

       The  -d	flag sets the level of saned debug output.  When compiled with
       debugging enabled, this flag may	be followed by	a  number  to  request
       more  or	 less debug info.  The larger the number, the more verbose the
       debug output.  E.g., -d128 will request output of all  debug  info.   A
       level of	0 produces no output at	all.  The default value	is 2.

       The  -e	flag  will  divert saned debug output to stderr	instead	of the
       syslog default.

       The -o flag requests that saned exits after the	first  client  discon-
       nects.  This is useful for debugging.

       The -h flag displays a short help message.

       If  saned  is  run  from	other programs such as inetd(8), xinetd(8) and
       systemd(1), check that program's	documentation on how to	pass  command-
       line options.

       First and foremost: saned is not	intended to be exposed to the internet
       or other	non-trusted networks. Make sure	that access is limited by tcp-
       wrappers	 and/or	a firewall setup. Don't	depend only on saned's own au-
       thentication. Don't run saned as	root if	it's not necessary. And	do not
       install saned as	setuid root.

       The  saned.conf configuration file contains both	options	for the	daemon
       and the access list.

       data_portrange =	min_port - max_port
	      Specify the port range to	use for	the data  connection.  Pick  a
	      port  range  between 1024	and 65535; don't pick a	too large port
	      range, as	it may have performance	issues.	 Use  this  option  if
	      your saned server	is sitting behind a firewall. If that firewall
	      is a Linux machine, we strongly recommend	 using	the  Netfilter
	      nf_conntrack_sane	module instead.

       data_connect_timeout = timeout
	      Specify the time in milliseconds that saned will wait for	a data
	      connection. Without this option, if the data connection  is  not
	      done  before  the	 scanner  reaches the end of scan, the scanner
	      will continue to scan past the end and may damage	 it  depending
	      on  the  backend.	Specify	zero to	have the old behavior. The de-
	      fault is 4000ms.

       The access list is a list of host names,	IP  addresses  or  IP  subnets
       (CIDR  notation)	that are permitted to use local	SANE devices. IPv6 ad-
       dresses must be enclosed	in brackets, and should	always be specified in
       their compressed	form. Connections from localhost are always permitted.
       Empty lines and lines starting with a hash mark (#) are ignored.	A line
       containing the single character ``+'' is	interpreted to match any host-
       name. This allows any remote  machine  to  use  your  scanner  and  may
       present a security risk,	so this	shouldn't be used unless you know what
       you're doing.

       A sample	configuration file is shown below:

	      #	Daemon options
	      data_portrange = 10000 - 10100
	      #	Access list
	      #	this is	a comment

       The case	of the host names does not matter, so AHost.COM	is  considered
       identical to

       For saned to work properly in its default mode of operation, it is also
       necessary to add	the appropriate	configuration for xinetd(8),  inetd(8)
       or  systemd(1)  (see below).  Note that your inetd(8) must support IPv6
       if you want to connect to saned over IPv6; xinetd(8),  openbsd-inetd(8)
       and  systemd(1)	are known to support IPv6, check the documentation for
       your inetd(8) daemon.

       In the sections below the configuration	for  inetd(8),	xinetd(8)  and
       systemd(1) are described	in more	detail.

       For  the	configurations below it	is necessary to	add a line of the fol-
       lowing form to /etc/services:

	      sane-port	6566/tcp # SANE	network	scanner	daemon

       The official IANA short name for	port 6566 is  "sane-port".  The	 older
       name "sane" is now deprecated.

       It  is required to add a	single line to the inetd(8) configuration file

       The configuration line normally looks like this:

	      sane-port	stream tcp  nowait  saned.saned	 /usr/local/sbin/saned

       However,	if your	system uses tcpd(8) for	additional security screening,
       you may want to disable	saned  access  control	by  putting  ``+''  in
       saned.conf  and use a line of the following form	in /etc/inetd.conf in-

	      sane-port	stream tcp nowait saned.saned /usr/sbin/tcpd  /usr/lo-

       Note  that both examples	assume that there is a saned group and a saned
       user.  If you follow this example, please make  sure  that  the	access
       permissions  on	the  special device are	set such that saned can	access
       the scanner (the	program	generally needs	read and write access to scan-
       ner devices).

       If  xinetd(8)  is installed on your system instead of inetd(8) the fol-
       lowing example for /etc/xinetd.conf may be helpful:

	      #	default: off
	      #	description: The sane server accepts requests
	      #	for network access to a	local scanner via the
	      #	network.
	      service sane-port
		 port	     = 6566
		 socket_type = stream
		 wait	     = no
		 user	     = saned
		 group	     = saned
		 server	     = /usr/local/sbin/saned

       saned can be compiled with explicit systemd(1)support.This  will	 allow
       logging	debugging  information to be forwarded to the systemd(1) jour-
       nal. The	systemd(1) support requires compilation	with the systemd-devel
       package installed on the	system.	this is	the preferred option.

       saned  can  be  used with systemd(1) without the	systemd(1) integration
       compiled	in, but	then logging of	debug information is not supported.

       The systemd(1) configuration is different for the 2  options,  so  both
       are described below.

Systemd	configuration for saned	with systemd support compiled in
       For  systemd(1)	configuration  we need to add 2	configuration files in

       The first file we need to add here is called  saned.socket.   It	 shall
       have the	following contents:

	      Description=saned	incoming socket



       The  second  file to be added is	saned@.service with the	following con-

	      Description=Scanner Service

	      #	If you need to debug your configuration	uncomment the next line	and
	      #	change it as appropriate to set	the desired debug options
	      #	Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5


       You need	to set an environment variable for SANE_CONFIG_DIR pointing to
       the  directory  where saned can find its	configuration files.  you will
       have to remove the # on the last	line and set the variables for the de-
       sired debugging information if required.	 Multiple variables can	be set
       by separating the assignments by	spaces as shown	in the example above.

       Unlike xinetd(8)	and inetd(8), systemd(1) allows	debugging output  from
       backends	 set using SANE_DEBUG_XXX to be	captured. See the man-page for
       your backend to see what	options	are  supported.	 With the service unit
       as  described  above,  the  debugging output is forwarded to the	system

Systemd	configuration when saned is compiled without systemd support
       This configuration will also work when  saned  is  compiled  WITH  sys-
       temd(1)integrationsupport,butitdoesnotallowdebugging  information to be

       For systemd(1) configuration for	saned, we need to add 2	 configuration
       files in	/etc/systemd/system.

       The first file we need to add here is called saned.socket.  It is iden-
       tical to	the version for	systemd(1) with	the support compiled  in.   It
       shall have the following	contents:

	      Description=saned	incoming socket



       The second file to be added is saned@.service This one differs from the
       version with systemd(1) integration compiled in:

	      Description=Scanner Service




	      The hosts	listed in this file are	permitted to access all	 local
	      SANE  devices.  Caveat: this file	imposes	serious	security risks
	      and its use is not recommended.

	      Contains a list of hosts permitted to access local SANE  devices
	      (see also	description of SANE_CONFIG_DIR below).

	      If this file contains lines of the form


	      access  to  the  listed backends is restricted. A	backend	may be
	      listed multiple times for	different user/password	 combinations.
	      The server uses MD5 hashing if supported by the client.

	      This environment variable	specifies the list of directories that
	      may contain the configuration file.  Under UNIX, the directories
	      are  separated  by a colon (`:'),	under OS/2, they are separated
	      by a semi-colon (`;').  If this variable is not set, the config-
	      uration  file is searched	in two default directories: first, the
	      current  working	directory   (".")   and	  then	 in   /usr/lo-
	      cal/etc/sane.d.	If  the	value of the environment variable ends
	      with the directory separator character, then the default	direc-
	      tories  are searched after the explicitly	specified directories.
	      For example, setting SANE_CONFIG_DIR to "/tmp/config:" would re-
	      sult in directories tmp/config, ., and /usr/local/etc/sane.d be-
	      ing searched (in this order).

       sane(7),	   scanimage(1),    xscanimage(1),    xcam(1),	  sane-dll(5),
       sane-net(5), sane-"backendname"(5), inetd(8), xinetd(8),	systemd(1),

       David Mosberger

				  29 Sep 2017			      saned(8)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | CONFIGURATION | SERVER DAEMON CONFIGURATION | INETD CONFIGURATION | XINETD CONFIGURATION | SYSTEMD CONFIGURATION | Systemd configuration for saned with systemd support compiled in | Systemd configuration when saned is compiled without systemd support | FILES | ENVIRONMENT | SEE ALSO | AUTHOR

Want to link to this manual page? Use this URL:

home | help