Bug 85966 - sane 1.0.15: saned ignores /etc/sane.d/saned.conf
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Patrick Kursawe (RETIRED)
Reported: 2005-03-19 18:54 UTC by Stuart Longland (RETIRED)
Modified: 2005-04-18 23:29 UTC
0 users

Description Stuart Longland (RETIRED) gentoo-dev 2005-03-19 18:54:30 UTC
I've upgraded a box here to running the latest version of Gentoo/Hardened Linux (SELinux) mainly as a bit of a learning toy.  This machine, before the upgrade had a Umax Mirage IISE Scanner (SCSI) plugged into it, and it shared this across the network for the other PCs.

Since the update, however, I've been unable to share the scanner across a network.
* I have emerged xinetd and configured /etc/xinetd.conf and /etc/xinetd.d/sane to start the scanner daemon
* I've updated /etc/services -- as the official service name for SANE is "sane-port"... and 
* I've edited /etc/sane.d/saned.conf to allow my local subnets (10.0.0.0/24, 172.16.0.0/14 and 192.168.0.0/16)

Despite this, running saned either via xinetd, or via 'saned -d128' on the command line, fails to honour /etc/sane.d/saned.conf.

Reproducible: Always
Steps to Reproduce:
1. emerge sane-backends
2. Add the subnets in /etc/sane.d/saned.conf to allow local networks
3. saned -d128
4. try to access the scanner from a remote machine

Actual Results:  
(12:42) beast root # ssh linux saned -d128
Warning: Permanently added the RSA host key for IP address '192.168.10.237' to
the list of known hosts.
Password:
[saned] main: starting debug mode (level 128)
[saned] main: trying to get port for service `sane' (getservbyname)
[saned] main: port is 6566
[saned] main: socket ()
[saned] main: setsockopt ()
[saned] main: bind ()
[saned] main: listen ()
[saned] main: waiting for control connection
[saned] saned from sane-backends 1.0.15 ready
[saned] check_host: access by remote host: 10.0.0.251
[saned] check_host: remote host is not IN_LOOPBACK
[saned] check_host: local hostname: linux
[saned] check_host: gethostbyname failed: Success
[saned] init: access by host 10.0.0.251 denied
[saned] quit: exiting

xsane reports "no devices found".

Expected Results:  
Desktop machine should've been granted access to the scanner.

linux root # emerge info
Portage 2.0.51.19 (selinux/2004.1/x86, gcc-3.3.5, glibc-2.3.4.20040808-r1,
2.6.10-hardened-r3-linuxbox i686)
=================================================================
System uname: 2.6.10-hardened-r3-linuxbox i686 Intel(R) Pentium(R) 4 CPU 1.90GHz
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar 12 2005, 00:11:59)]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.8.5-r3, 1.6.3, 1.7.9-r1, 1.4_p6, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.4.22-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -mcpu=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env
/usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -mcpu=pentium4 -pipe"
DISTDIR="/home/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache distcc distlocks sandbox sfperms
strict"
GENTOO_MIRRORS="http://192.168.5.1/portage
http://mirror.aarnet.edu.au/pub/gentoo
http://public.ftp.planetmirror.com/pub/gentoo"
MAKEOPTS="-j8"
PKGDIR="/home/portage/packages/ia32/pentium4/"
PORTAGE_TMPDIR="/home/portage"
PORTDIR="/usr/portage"
SYNC="rsync://192.168.5.1/gentoo-portage"
USE="X aalib alsa arts audiofile avi berkdb bitmap-fonts cdparanoia cdr crypt
cups curl djbfft doc dv dvd dvdr encode fam flac gif gimpprint gtk gtk2
imagemagick imlib ipv6 jpeg kde kdeenablefinal ldap mad mmx mng motif mpeg mysql
ncurses nls oggvorbis opengl pam perl png python qt readline samba scanner sdl
selinux sndfile speex sse ssl svg svga tcpd tiff truetype v4l wmf x86 xine
xinerama xml xml2 xmms xv xvid yv12 zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY
linux root # cat /etc/sane.d/saned.conf
#
# saned.conf
#
# The contents of the saned.conf  file  is  a  list  of  host  names,  IP
# addresses or IP subnets (CIDR notation) that are permitted to use local
# SANE devices. IPv6 addresses must be enclosed in brackets,  and  should
# always  be specified in their compressed form.
#
# The hostname matching is not case-sensitive.
#
#scan-client.somedomain.firm
#192.168.0.1
#192.168.0.1/29
#[2001:7a8:185e::42:12]
#[2001:7a8:185e::42:12]/64
#
# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
# /etc/services must also be properly configured to start
# the saned daemon as documented in saned(1), services(4)
# and inetd.conf(4) (or xinetd.conf(5)).

# Allow anyone
0.0.0.0/0

(Note ... I've also tried 10.0.0.0/24 and a number of other options... but it
appears this file isn't even checked)

linux root # cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: IBM      Model: IC35L036UWDY10-0 Rev: S23C
  Type:   Direct-Access                    ANSI SCSI revision: 03
Host: scsi0 Channel: 00 Id: 02 Lun: 00
  Vendor: SONY     Model: CD-ROM CDU-415   Rev: 1.1i
  Type:   CD-ROM                           ANSI SCSI revision: 02
Host: scsi0 Channel: 00 Id: 03 Lun: 00
  Vendor: RICOH    Model: CD-R/RW MP7060S  Rev: 1.70
  Type:   CD-ROM                           ANSI SCSI revision: 02
Host: scsi0 Channel: 00 Id: 06 Lun: 00
  Vendor: UMAX     Model: Mirage IIse      Rev: V1.2
  Type:   Scanner                          ANSI SCSI revision: 02

(and there is the scanner that I'm trying to share)

linux root #

There's no messages in 'dmesg' when I run saned (debug mode) either ... although
a number of access violations pop up when running via xinetd.  I'm running in
permissive mode.

Any ideas?
Comment 1 Stuart Longland (RETIRED) gentoo-dev 2005-03-19 19:01:50 UTC
Forgot to mention... the scanner does work locally.  e.g. the following works:

(13:00) beast root # xhost +linux
linux being added to access control list
(13:00) beast root # ssh linux
Password:
Last login: Sun Mar 20 12:53:12 2005 from 10.0.0.251
linux root # DISPLAY=10.0.0.251:0.0 xsane

xsane pops up, and I'm able to scan from this dialogue.
Comment 2 Patrick Kursawe (RETIRED) gentoo-dev 2005-04-17 10:03:56 UTC
Sorry for the late reply, just returned from holidays. Which sane-backends version did you run back then when it worked?
Comment 3 Patrick Kursawe (RETIRED) gentoo-dev 2005-04-18 23:29:52 UTC
I can't reproduce your problem, but my debug output differs significantly from yours.

[saned] main: starting debug mode (level 128)
[saned] main: trying to get port for service `sane-port' (getaddrinfo)
[saned] main: [0] socket () using IPv6
[saned] main: [0] setsockopt ()
[saned] main: [0] bind () to port 6566
[saned] main: [0] listen ()
[saned] main: [1] socket () using IPv4
[saned] main: [1] setsockopt ()
[saned] main: [1] bind () to port 6566
[saned] main: [1] bind failed: Address already in use
[saned] main: waiting for control connection
[saned] saned (AF-indep+IPv6) from sane-backends 1.0.15 ready
[saned] check_host: detected an IPv4-mapped address
[saned] check_host: access by remote host: ::ffff:134.147.66.135
[saned] check_host: remote host is not IN_LOOPBACK nor IN6_LOOPBACK
[saned] check_host: local hostname: zaphod
[saned] check_host: local hostname(s) (from DNS): zaphod.anachem.ruhr-uni-bochum.de
[saned] check_host: local hostname(s) (from DNS): (null)
[saned] check_host: local hostname(s) (from DNS): (null)
[saned] check_host: remote host doesn't have same addr as local
[saned] check_host: opening config file: /etc/hosts.equiv
[saned] check_host: can't open config file: /etc/hosts.equiv (No such file or directory)
[saned] check_host: opening config file: saned.conf
[saned] check_host: config file line: `#'

(some stuff snipped here)

[saned] check_host: config file line: `0.0.0.0/0'
[saned] check_host: subnet with base IP = 0.0.0.0, CIDR netmask = 0
[saned] check_host: access granted from IP address 134.147.66.135 (in subnet 0.0.0.0/0)
[saned] init: access granted

I see from your USE flags that you have ipv6 support enabled, but I see nothing related in your debug output, so I guess that your emerge info does not reflect the situation when you built sane-backends.

I rebuilt my sane-backends without ipv6 support, and access control still seems to work as advertised.

Maybe the relevant part is this:

[saned] check_host: remote host is not IN_LOOPBACK
[saned] check_host: local hostname: zaphod
[saned] check_host: local hostname (from DNS): zaphod.anachem.ruhr-uni-bochum.de
[saned] check_host: local host address (from DNS): 134.147.66.171
[saned] check_host: remote host doesn't have same addr as local
[saned] check_host: opening config file: /etc/hosts.equiv
[saned] check_host: can't open config file: /etc/hosts.equiv (No such file or directory)
[saned] check_host: opening config file: saned.conf

So, saned tries to look up the local address from the local hostname to determine if it is a remote address or not.

On your machine gethostbyname fails for "linux" and saned aborts the whole access check procedure - and rejects the connection.

Please make sure your machine can look up its own address.
Re-open this bug if gethostbyname works and access control still doesn't.
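
The diagnosis in comment 3 can be turned into a quick triage of `saned -d128` output. The following is an added example, not part of the bug report or of sane-backends: it classifies a trace by how far the access check got, then tests separately whether the IP/CIDR entries in saned.conf would have admitted the client. The function names are hypothetical, the log excerpts are trimmed from the two traces above, and the ACL matcher is a simplified model that ignores hostname entries.

```python
import ipaddress
import re

# Log excerpts trimmed from the two saned -d128 traces in this report.
FAILING = """\
[saned] check_host: access by remote host: 10.0.0.251
[saned] check_host: local hostname: linux
[saned] check_host: gethostbyname failed: Success
[saned] init: access by host 10.0.0.251 denied
"""
WORKING = """\
[saned] check_host: access by remote host: ::ffff:134.147.66.135
[saned] check_host: opening config file: saned.conf
[saned] check_host: config file line: `0.0.0.0/0'
[saned] init: access granted
"""

def triage(log):
    """Classify a trace by how far the access check got (hypothetical helper)."""
    if "init: access granted" in log:
        return "granted"
    if not re.search(r"init: access by host \S+ denied", log):
        return "no-decision"
    if "opening config file: saned.conf" in log:
        return "denied-by-acl"
    if "gethostbyname failed" in log:
        return "denied-before-acl: local hostname lookup failed"
    return "denied-before-acl"

def remote_address(log):
    """Return the client address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    m = re.search(r"access by remote host: (\S+)", log)
    if m is None:
        return None
    addr = ipaddress.ip_address(m.group(1))
    return addr.ipv4_mapped if addr.version == 6 and addr.ipv4_mapped else addr

def acl_allows(conf_text, addr):
    """Simplified model of saned.conf: IP and CIDR entries only, hostnames skipped."""
    for line in conf_text.splitlines():
        entry = line.strip().replace("[", "").replace("]", "")
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry: not modelled here
        if net.version == addr.version and addr in net:
            return True
    return False
```

A trace classified as `denied-before-acl` while `acl_allows` returns true for the same client points at local name resolution rather than at saned.conf, which is the situation in this report.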