
Feature: restrict access to LAN only

Open ValdikSS opened this issue 9 months ago • 12 comments

First of all, thanks for such a beautiful software! I've converted my Samsung MFP from 2005 into a driverless networked printer+scanner, and it works perfectly fine!

Current AirSane version does not support IP-level access control, which may be a security issue due to rather widespread IPv6 connectivity with 'real' addresses. CUPS has 'allow LAN access only' convenient checkbox, it would be great to have the same functionality in AirSane without nginx/other web front-end.

It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask. Thanks.

ValdikSS avatar Sep 28 '23 18:09 ValdikSS

Publicly accessible installations found with Censys (all without scanners connected): http://24.200.4.50:8090/ http://5.38.245.134:8090/

[screenshot attached: Screenshot_20230929_170831-fs8]

ValdikSS avatar Sep 29 '23 14:09 ValdikSS

Thanks for the information! I will implement the suggested feature soon.

SimulPiscator avatar Sep 29 '23 15:09 SimulPiscator

I've now pushed a version (b3fc1e9) that implements an access list which can be used to restrict access to certain IPs, and IP ranges.

SimulPiscator avatar Oct 08 '23 19:10 SimulPiscator

Thanks, that looks good.

However, more and more ISPs are starting to serve IPv6, the addresses in which are globally routed on each device. That means there's no easy way to fill in the IPv6 range in a static text file; it would require modification for every ISP IPv6 range, and default installations would most probably reject LAN access over IPv6 in this case, which is not perfect. IPv6 has higher priority than IPv4, and not all software implements the Happy Eyeballs fallback algorithm. For such software, an inability to connect over IPv6 would be a permanent failure.

That's why I wrote:

It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask.

In the meaning that the daemon should enumerate IP addresses which are currently assigned to the interface and create access list based on it.

ValdikSS avatar Oct 08 '23 19:10 ValdikSS

I think I understand your problem but I don't see how I could solve it by enumerating network IPs and masks. If the IP is public, wouldn't the mask allow public access as well? I have to admit I'm not familiar with how IPv6 works.

SimulPiscator avatar Oct 08 '23 20:10 SimulPiscator

Let's say I have the 2a03:2880:f10a:83:face:b00c:0:25de/64 address on my eth0 network interface. This is the address 2a03:2880:f10a:83:face:b00c:0:25de with a 64-bit CIDR prefix (netmask ffff:ffff:ffff:ffff::); the range is 2a03:2880:f10a:83:: - 2a03:2880:f10a:83:ffff:ffff:ffff:ffff.

2a03:2880:f10a:83::/64 should be considered local network in this case.

Just as if the server has the 8.8.8.8/24 IPv4 address, the 8.8.8.0 - 8.8.8.255 network is considered local.

ValdikSS avatar Oct 08 '23 21:10 ValdikSS
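As an added illustration of the address-plus-prefix rule described in the comment above (this is example code written for this page, not AirSane's implementation): each interface address is reduced to its network prefix by clearing the host bits, and a client is treated as local only if, masked with the same prefix length, it yields the same network. The interface list is constructed inline rather than read from the system (a real daemon would obtain it from getifaddrs() or equivalent), and the names `localPrefixes`, `isLocalClient` and `applyMask` are this example's own.

```cpp
// Added example, not AirSane code: derive "local network" prefixes from the
// addresses assigned to interfaces and decide whether a client lies in one.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Raw address bytes plus family: 4 bytes for IPv4, 16 for IPv6.
struct IpAddr {
    int family = AF_UNSPEC;
    uint8_t bytes[16] = {};
    size_t len = 0;
};

// Parse a textual IPv4 or IPv6 address; returns false on invalid input.
bool parseAddr(const std::string& text, IpAddr& out) {
    if (inet_pton(AF_INET, text.c_str(), out.bytes) == 1) { out.family = AF_INET; out.len = 4; return true; }
    if (inet_pton(AF_INET6, text.c_str(), out.bytes) == 1) { out.family = AF_INET6; out.len = 16; return true; }
    return false;
}

// A network prefix: the address with host bits cleared, plus the prefix length.
struct Prefix {
    IpAddr network;
    unsigned prefixLen = 0;
};

// Clear the host bits of addr according to prefixLen (8.8.8.8/24 -> 8.8.8.0,
// 2a03:2880:f10a:83:face:b00c:0:25de/64 -> 2a03:2880:f10a:83::).
IpAddr applyMask(const IpAddr& addr, unsigned prefixLen) {
    IpAddr net = addr;
    for (size_t i = 0; i < net.len; ++i) {
        unsigned bitsLeft = prefixLen > i * 8 ? prefixLen - i * 8 : 0;
        uint8_t mask = bitsLeft >= 8 ? 0xff : static_cast<uint8_t>(0xff << (8 - bitsLeft));
        net.bytes[i] &= mask;
    }
    return net;
}

// Build the local prefix list from "address/prefixlen" strings, as an interface
// enumeration would yield them. Malformed entries and prefix lengths larger than
// the address size are skipped rather than silently widened.
std::vector<Prefix> localPrefixes(const std::vector<std::string>& ifaceAddrs) {
    std::vector<Prefix> result;
    for (const std::string& entry : ifaceAddrs) {
        size_t slash = entry.find('/');
        if (slash == std::string::npos) continue;
        IpAddr addr;
        if (!parseAddr(entry.substr(0, slash), addr)) continue;
        unsigned long plen = 0;
        try { plen = std::stoul(entry.substr(slash + 1)); } catch (...) { continue; }
        if (plen > addr.len * 8) continue;
        result.push_back({applyMask(addr, static_cast<unsigned>(plen)), static_cast<unsigned>(plen)});
    }
    return result;
}

// A client is local if, under some prefix's length, it masks to that prefix's
// network. Families must match: an IPv4 client never matches an IPv6 prefix.
bool isLocalClient(const std::string& clientText, const std::vector<Prefix>& prefixes) {
    IpAddr client;
    if (!parseAddr(clientText, client)) return false;
    for (const Prefix& p : prefixes) {
        if (p.network.family != client.family) continue;
        IpAddr masked = applyMask(client, p.prefixLen);
        if (std::memcmp(masked.bytes, p.network.bytes, client.len) == 0) return true;
    }
    return false;
}

// Render a prefix as "network/len", e.g. for a startup log line.
std::string prefixToString(const Prefix& p) {
    char buf[INET6_ADDRSTRLEN];
    inet_ntop(p.network.family, p.network.bytes, buf, sizeof buf);
    return std::string(buf) + "/" + std::to_string(p.prefixLen);
}

// Constructed interface addresses mirroring the examples given in the thread.
const std::vector<std::string> kExampleInterfaces = {
    "8.8.8.8/24",
    "2a03:2880:f10a:83:face:b00c:0:25de/64",
    "fe80::208:22ff:fe0b:a7fe/64",
};

int main() {
    std::vector<Prefix> prefixes = localPrefixes(kExampleInterfaces);
    for (const Prefix& p : prefixes)
        std::cout << "local network: " << prefixToString(p) << "\n";
    const char* clients[] = {"8.8.8.255", "8.8.9.1", "2a03:2880:f10a:83:ffff:ffff:ffff:ffff", "2a03:2880:f10a:84::1"};
    for (const char* c : clients)
        std::cout << c << (isLocalClient(c, prefixes) ? " -> allow (local)\n" : " -> deny (no rules matched)\n");
    return 0;
}
```

Note that the rule is only as tight as the prefix configured on the interface: a /64 delegated by an ISP admits every host in that /64, so on a shared segment this is "same subnet" access, not per-host authentication.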

It's done, thank you for your input!

SimulPiscator avatar Oct 11 '23 08:10 SimulPiscator

Great, thanks!

ValdikSS avatar Oct 11 '23 15:10 ValdikSS

Unfortunately, the current implementation seems to be buggy. Check this log right after the start (don't look at the date/time; it was synced during the run):

Sep 20 15:15:22 uowprint.local systemd[1]: Started airsaned.service - AirSane Imaging Service.
Sep 20 15:15:23 uowprint.local airsaned[370]: git commit: a908079 (branch HEAD, rev 280+)
Sep 20 15:15:23 uowprint.local airsaned[370]: build date: 2023-11-04T13:28:27Z
Sep 20 15:15:23 uowprint.local airsaned[370]: reading access rules from file /etc/airsane/access.conf
Sep 20 15:15:23 uowprint.local airsaned[370]: start time is 11.14
Sep 20 15:15:23 uowprint.local airsaned[370]: reading device options from '/etc/airsane/options.conf'
Sep 20 15:15:23 uowprint.local airsaned[370]: enumerating  devices...
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_get_devices() ...
Sep 20 15:15:40 uowprint.local airsaned[370]: ... sane_get_devices() -> SANE_Status Success
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: found: xerox_mfp:libusb:001:002 (SAMSUNG ORION)
Sep 20 15:15:40 uowprint.local airsaned[370]: stable unique name: xerox_mfp:SAMSUNG ORION:1
Sep 20 15:15:40 uowprint.local airsaned[370]: uuid: fbfdccc8-39cd-5da1-936b-00713655d959
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_open(xerox_mfp:libusb:001:002) -> 0xb45a3e90
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "Flatbed"
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "ADF"
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_close(0xb45a3e90)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: published as 'SAMSUNG ORION'
Sep 20 15:15:40 uowprint.local airsaned[370]: end time is 28.74
Sep 20 15:15:40 uowprint.local airsaned[370]: startup took 17.60 secconds
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 127.0.0.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.54.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.69.138:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [::1]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [2a05:a403:1:c003:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fd83:bd69:5c05:0:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fe80::208:22ff:fe0b:a7fe]:8090
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying 192.168.69.109: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched

systemctl reload airsaned usually fixes the issue. No problem with static ranges in access.conf. I assume there's a race condition somewhere.

ValdikSS avatar Nov 04 '23 16:11 ValdikSS

Another issue, although not directly related to this feature, is that AirSane does not support network interface modification events. If AirSane is started first, and after that a connection to Wi-Fi has been made, the Wi-Fi interface won't be listened on by AirSane with --interface=*. This is also fixed with systemctl reload airsaned.

ValdikSS avatar Nov 04 '23 16:11 ValdikSS

That's a great suggestion, I'll see what I can come up with.

SimulPiscator avatar Nov 04 '23 17:11 SimulPiscator

I tried to address the above issue by adding a mutex. I didn't see much opportunity for a concurrency issue, though.

SimulPiscator avatar Nov 04 '23 17:11 SimulPiscator