NAME
inetd,
inetd.conf —
internet “super-server”
SYNOPSIS
inetd |
[-d]
[-l]
[configuration file] |
DESCRIPTION
inetd should be run at boot time by
/etc/rc
(see
rc(8)). It then opens sockets
according to its configuration and listens for connections. When a connection
is found on one of its sockets, it decides what service the socket corresponds
to, and invokes a program to service the request. After the program is
finished, it continues to listen on the socket (except in some cases which
will be described below). Essentially,
inetd allows running
one daemon to invoke several others, reducing load on the system.
The options available for
inetd:
-
-
- -d
- Turns on debugging.
-
-
- -l
- Turns on libwrap connection logging.
Upon execution,
inetd reads its configuration information from
a configuration file which, by default, is
/etc/inetd.conf.
The path given for this configuration file must be absolute, unless the
-d option is also given on the command line. There must be
an entry for each field of the configuration file, with entries for each field
separated by a tab or a space. Comments are denoted by a ``#'' at the
beginning of a line. There must be an entry for each field (except for one
special case, described below). The fields of the configuration file are as
follows:
[addr:]service-name
socket-type[:accept_filter]
protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
To specify an
Sun-RPC based service, the entry would contain
these fields:
service-name/version
socket-type
rpc/protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
To specify a UNIX-domain (local) socket, the entry would contain these fields:
path
socket-type
unix[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
For Internet services, the first field of the line may also have a host address
specifier prefixed to it, separated from the service name by a colon. If this
is done, the string before the colon in the first field indicates what local
address
inetd should use when listening for that service, or
the single character “*” to indicate
INADDR_ANY
, meaning ‘all local addresses’.
To avoid repeating an address that occurs frequently, a line with a host
address specifier and colon, but no further fields, causes the host address
specifier to be remembered and used for all further lines with no explicit
host specifier (until another such line or the end of the file). A line
*:
is implicitly provided at the top of the file; thus, traditional configuration
files (which have no host address specifiers) will be interpreted in the
traditional manner, with all services listened for on all local addresses.
The
service-name entry is the name of a valid service in the
file
/etc/services. For “internal” services
(discussed below), the service name
must be the official
name of the service (that is, the first entry in
/etc/services). When used to specify a
Sun-RPC based service, this field is a valid RPC service
name in the file
/etc/rpc. The part on the right of the
“/” is the RPC version number. This can simply be a single numeric
argument or a range of versions. A range is bounded by the low version to the
high version - “rusers/1-3”.
The
socket-type should be one of “stream”,
“dgram”, “raw”, “rdm”, or
“seqpacket”, depending on whether the socket is a stream,
datagram, raw, reliably delivered message, or sequenced packet socket.
Optionally, an
accept_filter(9) can be
specified by appending a colon to the socket-type, followed by the name of the
desired accept filter. In this case
inetd will not see new
connections for the specified service until the accept filter decides they are
ready to be handled.
The
protocol must be a valid protocol as given in
/etc/protocols or the string “unix”. Examples
might be “tcp” and “udp”. Rpc based services are
specified with the “rpc/tcp” or “rpc/udp” service
type. “tcp” and “udp” will be recognized as “TCP
or UDP over default IP version”. It is currently IPv4, but in the future
it will be IPv6. If you need to specify IPv4 or IPv6 explicitly, use something
like “tcp4” or “udp6”. If you would like to enable
special support for
faithd(8),
prepend a keyword “faith” into
protocol, like
“faith/tcp6”.
In addition to the protocol, the configuration file may specify the send and
receive socket buffer sizes for the listening socket. This is especially
useful for TCP as the window scale factor, which is based on the receive
socket buffer size, is advertised when the connection handshake occurs, thus
the socket buffer size for the server must be set on the listen socket. By
increasing the socket buffer sizes, better TCP performance may be realized in
some situations. The socket buffer sizes are specified by appending their
values to the protocol specification as follows:
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m
A literal value may be specified, or modified using ‘k’ to indicate
kilobytes or ‘m’ to indicate megabytes. Socket buffer sizes may be
specified for all services and protocols except for tcpmux services.
The
wait/nowait entry is used to tell
inetd
if it should wait for the server program to return, or continue processing
connections on the socket. If a datagram server connects to its peer, freeing
the socket so
inetd can receive further messages on the
socket, it is said to be a “multi-threaded” server, and should use
the “nowait” entry. For datagram servers which process all
incoming datagrams on a socket and eventually time out, the server is said to
be “single-threaded” and should use a “wait” entry.
comsat(8)
(
biff(1)) and
ntalkd(8) are both examples of
the latter type of datagram server.
tftpd(8) is an exception; it is a
datagram server that establishes pseudo-connections. It must be listed as
“wait” in order to avoid a race; the server reads the first
packet, creates a new socket, and then forks and exits to allow
inetd to check for new service requests to spawn new
servers. The optional “max” suffix (separated from
“wait” or “nowait” by a dot or a colon) specifies the
maximum number of server instances that may be spawned from
inetd within an interval of 60 seconds. When omitted,
“max” defaults to 40. If it reaches this maximum spawn rate,
inetd will log the problem (via the syslogger using the
LOG_DAEMON
facility and
LOG_ERR
level) and stop handling the specific service
for ten minutes.
Stream servers are usually marked as “nowait” but if a single server
process is to handle multiple connections, it may be marked as
“wait”. The master socket will then be passed as fd 0 to the
server, which will then need to accept the incoming connection. The server
should eventually time out and exit when no more connections are active.
inetd will continue to listen on the master socket for
connections, so the server should not close it when it exits.
identd(8) is usually the only
stream server marked as wait.
The
user entry should contain the user name of the user as
whom the server should run. This allows for servers to be given less
permission than root. Optionally, a group can be specified by appending a
colon to the user name, followed by the group name (it is possible to use a
dot (``.'') in lieu of a colon, however this feature is provided only for
backward compatibility). This allows for servers to run with a different
(primary) group id than specified in the password file. If a group is
specified and
user is not root, the supplementary groups
associated with that user will still be set.
The
server-program entry should contain the pathname of the
program which is to be executed by
inetd when a request is
found on its socket. If
inetd provides this service
internally, this entry should be “internal”.
The
server program arguments should be just as arguments
normally are, starting with argv[0], which is the name of the program. If the
service is provided internally, the word “internal” should take
the place of this entry. It is possible to quote an argument using either
single or double quotes. This allows you to have, e.g., spaces in paths and
parameters.
Internal Services
inetd provides several “trivial” services
internally by use of routines within itself. These services are
“echo”, “discard”, “chargen” (character
generator), “daytime” (human readable time), and
“time” (machine readable time, in the form of the number of
seconds since midnight, January 1, 1900 GMT). For details of these services,
consult the appropriate RFC.
TCP services without official port numbers can be handled with the RFC1078-based
tcpmux internal service. TCPmux listens on port 1 for requests. When a
connection is made from a foreign host, the service name requested is passed
to TCPmux, which performs a lookup in the service name table provided by
/etc/inetd.conf and returns the proper entry for the
service. TCPmux returns a negative reply if the service doesn't exist,
otherwise the invoked server is expected to return the positive reply if the
service type in
/etc/inetd.conf file has the prefix
“tcpmux/”. If the service type has the prefix
“tcpmux/+”, TCPmux will return the positive reply for the process;
this is for compatibility with older server code, and also allows you to
invoke programs that use stdin/stdout without putting any special server code
in them. Services that use TCPmux are “nowait” because they do not
have a well-known port number and hence cannot listen for new requests.
inetd rereads its configuration file when it receives a hangup
signal,
SIGHUP
. Services may be added, deleted or
modified when the configuration file is reread.
inetd
creates a file
/var/run/inetd.pid that contains its process
identifier.
libwrap
Support for TCP wrappers is included with
inetd to provide
internal tcpd-like access control functionality. An external tcpd program is
not needed. You do not need to change the
/etc/inetd.conf
server-program entry to enable this capability.
inetd uses
/etc/hosts.allow and
/etc/hosts.deny for
access control facility configurations, as described in
hosts_access(5).
Nota Bene: TCP wrappers do not affect/restrict UDP or internal
services.
IPsec
The implementation includes a tiny hack to support IPsec policy settings for
each socket. A special form of the comment line, starting with
“
#@
”, is used as a policy specifier. The
content of the above comment line will be treated as a IPsec policy string, as
described in
ipsec_set_policy(3).
Multiple IPsec policy strings may be specified by using a semicolon as a
separator. If conflicting policy strings are found in a single line, the last
string will take effect. A
#@
line affects all of the
following lines in
/etc/inetd.conf, so you may want to reset
the IPsec policy by using a comment line containing only
#@
(with no policy string).
If an invalid IPsec policy string appears in
/etc/inetd.conf,
inetd logs an error message using
syslog(3) and terminates itself.
IPv6 TCP/UDP behavior
If you wish to run a server for both IPv4 and IPv6 traffic, you will need to run
two separate processes for the same server program, specified as two separate
lines in
/etc/inetd.conf using “tcp4” and
“tcp6” respectively. Plain “tcp” means TCP on top of
the current default IP version, which is, at this moment, IPv4.
Under various combination of IPv4/v6 daemon settings,
inetd
will behave as follows:
- If you have only one server
on “tcp4”, IPv4 traffic will be routed to the server. IPv6
traffic will not be accepted.
- If you have two servers on
“tcp4” and “tcp6”, IPv4 traffic will be routed to
the server on “tcp4”, and IPv6 traffic will go to server on
“tcp6”.
- If you have only one server
on “tcp6”, only IPv6 traffic will be routed to the server. The
kernel may route to the server IPv4 traffic as well, under certain
configuration. See ip6(4) for
details.
FILES
- /etc/inetd.conf
- configuration file for all inetd provided
services
- /etc/services
- service name to protocol and port number mappings.
- /etc/protocols
- protocol name to protocol number mappings
- /etc/rpc
- Sun-RPC service name to service number mappings.
- /etc/hosts.allow
- explicit remote host access list.
- /etc/hosts.deny
- explicit remote host denial of service list.
SEE ALSO
hosts_access(5),
hosts_options(5),
protocols(5),
rpc(5),
services(5),
comsat(8),
fingerd(8),
ftpd(8),
rexecd(8),
rlogind(8),
rshd(8),
telnetd(8),
tftpd(8)
J. Postel, Echo
Protocol, RFC, 862,
May 1983.
J. Postel, Discard
Protocol, RFC, 863,
May 1983.
J. Postel, Character
Generator Protocol, RFC,
864, May 1983.
J. Postel, Daytime
Protocol, RFC, 867,
May 1983.
J. Postel and K.
Harrenstien, Time Protocol,
RFC, 868,
May 1983.
M. Lottor, TCP port
service Multiplexer (TCPMUX), RFC,
1078, November 1988.
HISTORY
The
inetd command appeared in
4.3BSD.
Support for
Sun-RPC based services is modeled after that
provided by SunOS 4.1. Support for specifying the socket buffer sizes was
added in
NetBSD 1.4. In November 1996, libwrap support
was added to provide internal tcpd-like access control functionality; libwrap
is based on Wietse Venema's tcp_wrappers. IPv6 support and IPsec hack was made
by KAME project, in 1999.
BUGS
Host address specifiers, while they make conceptual sense for RPC services, do
not work entirely correctly. This is largely because the portmapper interface
does not provide a way to register different ports for the same service on
different local addresses. Provided you never have more than one entry for a
given RPC service, everything should work correctly (Note that default host
address specifiers do apply to RPC lines with no explicit specifier.)
“tcpmux” on IPv6 is not tested enough.
SECURITY CONSIDERATIONS
Enabling the “echo”, “discard”, and
“chargen” built-in trivial services is not recommended because
remote users may abuse these to cause a denial of network service to or from
the local host.