[sane-devel] Security concern about API sane_control_option()
simon.zheng
Simon.Zheng at Sun.COM
Fri Feb 9 15:50:26 CET 2007
Olaf Meeuwissen wrote:
> "simon.zheng" <Simon.Zheng at Sun.COM> writes:
>
>
>> I'm a new commer for SANE & XSane. Here are some
>> security questions when studying API sane_control_option().
>> I would appreciate if anyone can give help.
>>
>> Is there any possibility sane_control_option() allows
>> you to get or set any control that would allow one
>> user to affect another user. For example:
>>
>
> sane_control_option() is there so that frontends can tell the backends
> what the user wants to do. It's a very abstract interface and exactly
> what options are available is left to the discretion of each backend.
>
>
I find a spec on SANE Standard 2 draft,
http://www.sane-project.org/sane2/0.08/doc014.html, which documents
well-known options.How about those backend-specific options? Where are
they documented? Manpage?
> So any security implications are not a result of sane_control_option()
> but of the set of options a particular backend chooses to provide.
>
Right.
>
>> [snip]
>>
>
> Hope this helps,
>
More information about the sane-devel
mailing list