[sane-devel] Security concern about API sane_control_option()
simon.zheng
Simon.Zheng at Sun.COM
Thu Feb 8 16:22:42 CET 2007
Hi,
I'm a newcomer to SANE & XSane. Here are some
security questions when studying API sane_control_option().
I would appreciate it if anyone can give help.
Is there any possibility sane_control_option() allows
you to get or set any control that would allow one
user to affect another user? For example:
- User A logs in, sets a control that disables the scanner.
User A logs out and user B logs in. He can't access the
scanner, and does not know why. This is a Denial-Of-Service.
- User A logs in, uses the scanner, logs out. User B
logs in, and uses a control to access information about what user
A scanned - perhaps even the image files from a buffer.
Aside from sane_control_option(), are there any other
exposed interfaces that would allow one user to affect
another user if they have full access to the device
via SANE API?
Thanks,
-Simon