Feature: restrict access to LAN only
ValdikSS opened this issue · 12 comments
First of all, thanks for such a beautiful software! I've converted my Samsung MFP from 2005 into a driverless networked printer+scanner, and it works perfectly fine!
The current AirSane version does not support IP-level access control, which may be a security issue given the rather widespread IPv6 connectivity with 'real' addresses. CUPS has a convenient 'allow LAN access only' checkbox; it would be great to have the same functionality in AirSane without nginx or another web front-end.
It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask.
Thanks.
Publicly accessible installations found with Censys (all without scanners connected):
http://24.200.4.50:8090/
http://5.38.245.134:8090/
Thanks for the information!
I will implement the suggested feature soon.
I've now pushed a version (b3fc1e9) that implements an access list which can be used to restrict access to certain IPs, and IP ranges.
Thanks, that looks good.
However, more and more ISPs are starting to serve IPv6, the addresses in which are globally routed on each device. That means there's no easy way to fill in the IPv6 range in a static text file: it would require modification for every ISP IPv6 range, and default installations would most probably reject LAN access over IPv6 in this case, which is not perfect.
IPv6 has higher priority than IPv4 and not all software implements the Happy Eyeballs fallback algorithm. For such software, the inability to connect over IPv6 would be a permanent failure.
That's why I wrote:
> It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask.
Meaning that the daemon should enumerate the IP addresses which are currently assigned to the interface and create the access list based on them.
I think I understand your problem but I don't see how I could solve it by enumerating network IPs and masks. If the IP is public, wouldn't the mask allow public access as well? I have to admit I'm not familiar with how IPv6 works.
Let's say I have the `2a03:2880:f10a:83:face:b00c:0:25de/64` address on my `eth0` network interface.
This is the `2a03:2880:f10a:83:face:b00c:0:25de` address with a `64` CIDR prefix (`ffff:ffff:ffff:ffff::` netmask); the range is `2a03:2880:f10a:83::` - `2a03:2880:f10a:83:ffff:ffff:ffff:ffff`.
`2a03:2880:f10a:83::/64` should be considered the local network in this case.
Just as if the server had the `8.8.8.8/24` IPv4 address, the `8.8.8.0` - `8.8.8.255` network is considered local.
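The derivation described above, as an added example that is not part of AirSane or of this thread: each interface address/prefix pair is masked down to its network, the networks become the allow-list, and a client is admitted only if it falls inside one of them. The interface addresses are constructed sample data modelled on the ones quoted in this issue; a real daemon would enumerate them from the OS (and re-enumerate them when interfaces change), and would also allow whatever static ranges `access.conf` lists.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: address/prefix-length pairs as a daemon would see them
# when enumerating its own interfaces (loopback, two IPv4 LANs, a global
# ISP-assigned IPv6 prefix, a ULA prefix and the link-local prefix).
SAMPLE_INTERFACE_ADDRESSES = [
    "127.0.0.1/8",
    "192.168.54.1/24",
    "192.168.69.138/24",
    "::1/128",
    "2a05:a403:1:c003:208:22ff:fe0b:a7fe/64",  # global prefix from the ISP
    "fd83:bd69:5c05:0:208:22ff:fe0b:a7fe/64",  # unique local address
    "fe80::208:22ff:fe0b:a7fe/64",             # link-local
]


def local_networks(interface_addresses: Iterable[str]) -> List[IPNetwork]:
    """Turn interface address/prefix pairs into the list of local networks.

    ip_interface() keeps the host bits; .network masks them away, so that
    2a03:2880:f10a:83:face:b00c:0:25de/64 becomes 2a03:2880:f10a:83::/64
    and 8.8.8.8/24 becomes 8.8.8.0/24. Two interfaces on the same segment
    collapse into a single rule.
    """
    networks: List[IPNetwork] = []
    for entry in interface_addresses:
        network = ipaddress.ip_interface(entry).network
        if network not in networks:
            networks.append(network)
    return networks


def is_local(client: str, networks: Iterable[IPNetwork]) -> bool:
    """True if the client address lies inside any derived local network.

    Address-family mismatches never match: an IPv4 client is only checked
    against IPv4 networks and vice versa.
    """
    address = ipaddress.ip_address(client)
    return any(address in net for net in networks if net.version == address.version)


def decide(client: str, networks: Iterable[IPNetwork]) -> str:
    """Produce an allow/deny decision string in the style of the daemon's log."""
    verdict = "allowing" if is_local(client, networks) else "denying"
    shown = f"[{client}]" if ":" in client else client
    return f"{verdict} {shown}"


if __name__ == "__main__":
    nets = local_networks(SAMPLE_INTERFACE_ADDRESSES)
    for n in nets:
        print("local network:", n)
    for peer in ("192.168.69.109",
                 "fd83:bd69:5c05:0:e03e:b8fd:b263:20ae",
                 "2a05:a403:1:c004::1",
                 "24.200.4.50"):
        print(decide(peer, nets))
```

The global prefix case is the one that matters for the objection above: a client in the same ISP-assigned `/64` is treated as local, while a host in a neighbouring `/64` of the same ISP is not, so no ISP-specific range ever has to be written into a static file.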
It's done, thank you for your input!
Great, thanks!
Unfortunately, the current implementation seems to be buggy.
Check this log right after the start (don't look at the date/time, it's been synced during the run):
```
Sep 20 15:15:22 uowprint.local systemd[1]: Started airsaned.service - AirSane Imaging Service.
Sep 20 15:15:23 uowprint.local airsaned[370]: git commit: a908079 (branch HEAD, rev 280+)
Sep 20 15:15:23 uowprint.local airsaned[370]: build date: 2023-11-04T13:28:27Z
Sep 20 15:15:23 uowprint.local airsaned[370]: reading access rules from file /etc/airsane/access.conf
Sep 20 15:15:23 uowprint.local airsaned[370]: start time is 11.14
Sep 20 15:15:23 uowprint.local airsaned[370]: reading device options from '/etc/airsane/options.conf'
Sep 20 15:15:23 uowprint.local airsaned[370]: enumerating devices...
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_get_devices() ...
Sep 20 15:15:40 uowprint.local airsaned[370]: ... sane_get_devices() -> SANE_Status Success
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: found: xerox_mfp:libusb:001:002 (SAMSUNG ORION)
Sep 20 15:15:40 uowprint.local airsaned[370]: stable unique name: xerox_mfp:SAMSUNG ORION:1
Sep 20 15:15:40 uowprint.local airsaned[370]: uuid: fbfdccc8-39cd-5da1-936b-00713655d959
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_open(xerox_mfp:libusb:001:002) -> 0xb45a3e90
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "Flatbed"
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "ADF"
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_close(0xb45a3e90)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: published as 'SAMSUNG ORION'
Sep 20 15:15:40 uowprint.local airsaned[370]: end time is 28.74
Sep 20 15:15:40 uowprint.local airsaned[370]: startup took 17.60 secconds
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 127.0.0.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.54.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.69.138:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [::1]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [2a05:a403:1:c003:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fd83:bd69:5c05:0:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fe80::208:22ff:fe0b:a7fe]:8090
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying 192.168.69.109: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
```
`systemctl reload airsaned` usually fixes the issue. No problem with static ranges in `access.conf`. I assume there's a race condition somewhere.
Another issue, although not directly related to this feature, is that AirSane does not support network interface modification events.
If AirSane is started first, and a connection to Wi-Fi has been made after that, the Wi-Fi interface won't be listened on by AirSane with `--interface=*`. This is also fixed with `systemctl reload airsaned`.
That's a great suggestion, I'll see what I can come up with.
I tried to address the above issue by adding a mutex. I didn't see much opportunity for a concurrency issue, though.