Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: restrict access to LAN only #110

Open
ValdikSS opened this issue Sep 28, 2023 · 12 comments
Open

Feature: restrict access to LAN only #110

ValdikSS opened this issue Sep 28, 2023 · 12 comments

Comments

@ValdikSS
Copy link

ValdikSS commented Sep 28, 2023
edited
Loading

First of all, thanks for such a beautiful software! I've converted my Samsung MFP from 2005 into a driverless networked printer+scanner, and it works perfectly fine!

Current AirSane version does not support IP-level access control, which may be a security issue due to rather widespread IPv6 connectivity with 'real' addresses. CUPS has 'allow LAN access only' convenient checkbox, it would be great to have the same functionality in AirSane without nginx/other web front-end.

It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask.
Thanks.
@ValdikSS
Copy link
Author

Publicly accessible installations found with Censys (all without scanners connected):
http://24.200.4.50:8090/
http://5.38.245.134:8090/

Screenshot_20230929_170831-fs8

@SimulPiscator
Copy link
Owner

Thanks for the information!
I will implement the suggested feature soon.

@SimulPiscator
Copy link
Owner

I've now pushed a version (b3fc1e9) that implements an access list which can be used to restrict access to certain IPs, and IP ranges.

@ValdikSS
Copy link
Author

ValdikSS commented Oct 8, 2023
edited
Loading

Thanks, that looks good.

However more and more ISPs are starting to serve IPv6, the address in which are globally routed on each device. That means there's no easy way to fill the IPv6 range in a static text file, it would require modification for every ISP IPv6 range, and the default installations would most probably reject LAN access over IPv6 in this case, which is not perfect.
IPv6 has higher priority than IPv4 and not all software implement Happy Eyeballs fallback algorithm. For such software inability to connect over IPv6 would be permanent failure.

That's why I wrote:

It should be implemented by enumerating IP addresses on the interfaces and allowing access by the network segment and its mask.

In the meaning that the daemon should enumerate IP addresses which are currently assigned to the interface and create access list based on it.

@SimulPiscator
Copy link
Owner

I think I understand your problem but I don't see how I could solve it by enumerating network IPs and masks. If the IP is public, wouldn't the mask allow public access as well? I have to admit I'm not familiar with how IPv6 works.

@ValdikSS
Copy link
Author

ValdikSS commented Oct 8, 2023

Let's say I have 2a03:2880:f10a:83:face:b00c:0:25de/64 address on my eth0 network interface.
This is 2a03:2880:f10a:83:face:b00c:0:25de address with 64 CIDR (ffff:ffff:ffff:ffff:: netmask), the range is 2a03:2880:f10a:83:: - 2a03:2880:f10a:83:ffff:ffff:ffff:ffff.

2a03:2880:f10a:83::/64 should be considered local network in this case.

Just as if the server have 8.8.8.8/24 IPv4 address, 8.8.8.0 - 8.8.8.255 network is considered local.

@SimulPiscator
Copy link
Owner

It's done, thank you for your input!

@ValdikSS
Copy link
Author

Great, thanks!

@ValdikSS
Copy link
Author

ValdikSS commented Nov 4, 2023

Unfortunately, the current implementation seem to be buggy.
Check this log right after the start (don't look at the date/time, it's been synced during the run):

Sep 20 15:15:22 uowprint.local systemd[1]: Started airsaned.service - AirSane Imaging Service.
Sep 20 15:15:23 uowprint.local airsaned[370]: git commit: a908079 (branch HEAD, rev 280+)
Sep 20 15:15:23 uowprint.local airsaned[370]: build date: 2023-11-04T13:28:27Z
Sep 20 15:15:23 uowprint.local airsaned[370]: reading access rules from file /etc/airsane/access.conf
Sep 20 15:15:23 uowprint.local airsaned[370]: start time is 11.14
Sep 20 15:15:23 uowprint.local airsaned[370]: reading device options from '/etc/airsane/options.conf'
Sep 20 15:15:23 uowprint.local airsaned[370]: enumerating  devices...
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:23 uowprint.local airsaned[370]: sane_get_devices() ...
Sep 20 15:15:40 uowprint.local airsaned[370]: ... sane_get_devices() -> SANE_Status Success
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: found: xerox_mfp:libusb:001:002 (SAMSUNG ORION)
Sep 20 15:15:40 uowprint.local airsaned[370]: stable unique name: xerox_mfp:SAMSUNG ORION:1
Sep 20 15:15:40 uowprint.local airsaned[370]: uuid: fbfdccc8-39cd-5da1-936b-00713655d959
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_init(nullptr, nullptr)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_open(xerox_mfp:libusb:001:002) -> 0xb45a3e90
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "Flatbed"
Sep 20 15:15:40 uowprint.local airsaned[370]: [source] := "ADF"
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_close(0xb45a3e90)
Sep 20 15:15:40 uowprint.local airsaned[370]: sane_exit()
Sep 20 15:15:40 uowprint.local airsaned[370]: published as 'SAMSUNG ORION'
Sep 20 15:15:40 uowprint.local airsaned[370]: end time is 28.74
Sep 20 15:15:40 uowprint.local airsaned[370]: startup took 17.60 secconds
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 127.0.0.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.54.1:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on 192.168.69.138:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [::1]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [2a05:a403:1:c003:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fd83:bd69:5c05:0:208:22ff:fe0b:a7fe]:8090
Sep 20 15:15:40 uowprint.local airsaned[370]: listening on [fe80::208:22ff:fe0b:a7fe]:8090
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying 192.168.69.109: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched
Nov 04 19:37:31 uowprint.local airsaned[370]: denying [fd83:bd69:5c05:0:e03e:b8fd:b263:20ae]: no rules matched

systemctl reload airsaned usually fixes the issue. No problem with static ranges in access.conf. I assume there's a race condition somewhere.

@ValdikSS ValdikSS reopened this Nov 4, 2023
@ValdikSS
Copy link
Author

ValdikSS commented Nov 4, 2023

Another issue, although not directly related to this feature, is that AirSane does not support network interface modification events.
If AirSane is started first, and after that connection to Wi-Fi have been made, the Wi-Fi interface won't be listened on by AirSane with --interface=*. This is also fixed with systemctl reload airsaned.

@SimulPiscator
Copy link
Owner

That's a great suggestion, I'll see what I can come up with.

SimulPiscator pushed a commit that referenced this issue Nov 4, 2023
Trying to address #110
16bcd3c
@SimulPiscator
Copy link
Owner

I tried to address the above issue by adding a mutex. I didn't see much opportunity for a concurrency issue, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ValdikSS @SimulPiscator