October 27, 2006

How to share a scanner on your network

Author: Manolis Tzanidakis

After hours of research and tweaking, all your computers are connected to each other and the Internet, and you can print your documents on a printer connected to another system -- but you still must take a break when someone else wants to use the scanner connected to your system. Save the money additional scanners would cost by sharing your scanner on your LAN.

Start with SANE (Scanning Access Now Easy), the scanning suite for Linux and other Unix-like systems. Check the project's list of supported devices. If your scanner is listed, most of the job is already done.

SANE consists of two packages, sane-backends and sane-frontends. The backends package includes scanner drivers and command-line interface (CLI) utilities for using the scanner. You'll want to install this package on both the server and the clients. The frontends package contains graphical and CLI-based front ends for the scanning process. We won't use this package, because we can use one of the more advanced front ends for SANE; more on that later.

Begin by installing the sane-backends package. Packages and ports are available for most Linux and BSD distributions. In Debian and Ubuntu the package is called sane-utils; Slackware and Arch simply name it sane. If you prefer building from source, it's a trivial ./configure; make; make install process. Documentation is provided in the source tarball. When the installation is done, check that your scanner is detected by running scanimage -L as root. The output of this command should look something like the following:


device `plustek:libusb:001:003' is a Epson Perfection 1260/Photo USB flatbed scanner

While you could run saned, the scanning daemon, as root, it's better to run it as a less privileged user, saned, instead, to improve security. If the saned user is not added by the package of your distribution, add it manually with the command:


if ! id saned; then groupadd saned; useradd -g saned -G scanner -s /bin/false -d /dev/null saned; fi

Add your non-root user to the scanner group with the command usermod -a -G username scanner.

If your Linux distribution uses UDEV for device node management -- as most modern distributions do -- you should reboot to ensure that the new udev rules for SANE are loaded and that you're able to scan as a non-root user. To verify that your system uses UDEV, check for the presence of the directory /dev/.udev and see whether the udevd process is running with the command ps aux | grep udevd. You can avoid rebooting and manually restart the udev daemon, but that's not very easy, so it's better to reboot. If your distribution uses static device nodes, take a look at SANE's README.linux file for more information on how to manually fix permissions and allow non-root users to access the scanner. Just to be sure that users other than root can access the scanner, run scanimage -L as the non-root user you previously added to the scanner group after you reboot; the output should be the same as before.

Now it's time to configure the saned daemon. Add the hostnames or IP addresses of the hosts you want to have access to the scanner to the file /etc/sane.d/saned.conf. If you want to provide access to all the computers on your network, just add your IP subnet -- for example, if your IP address is 192.168.1.1, your subnet is probably 192.168.1.0/24.

Check that a sane-port line exists in /etc/services, or add the following line if it's not:


sane-port 6566/tcp # SANE network scanner daemon

Saned does not run as a standalone daemon and thus needs inetd (or xinetd) to work. Add the following line in your /etc/inetd.conf:


sane-port stream tcp nowait saned.saned /usr/sbin/saned saned

Now ask inetd to reload that file with the command kill -HUP `cat /var/run/inetd.pid` or your distribution's init script. The saned man page includes instructions on how to use xinetd instead of inetd or tcp_wrappers for more advanced control of access to saned.

The server should now be ready -- time to configure the clients. Install the sane-backends (or sane-utils, or sane) package on the clients and add the hostname or IP address of the server in /etc/sane.d/net.conf. Running scanimage -L as root should return something like:


device `net:mars:plustek:libusb:001:003' is a Epson Perfection 1260/Photo USB flatbed scanner

(mars is the hostname of my scanner server.) Now add your non-root user to the scanner group, as before, and you're done.

From a security perspective this setup is wide open; anyone who can access the network could run denial-of-service attacks on your server or just start scans to drive you crazy. You should only share a scanner this way on a protected, firewalled local network.

There are lots of front ends for SANE for all major operating systems; have a look at the complete list in SANE's home page. I run XSane on my Linux and BSD desktops. If you use Windows on your clients I suggest using SaneTwain, since I've had the most successful results with it. I installed a scanner/printer server for a small business years ago and they still happily run SaneTwain on Windows 98 and XP clients without problems.

That's it, enjoy your new scanner server. You have one more reason to be proud of your home or small business network.