NAME
inetd, inetd.conf
— internet
“super-server”
SYNOPSIS
inetd |
[-d] [-l]
[configuration file] |
DESCRIPTION
inetd should be run at boot time by
/etc/rc (see
rc(8)).
It then opens sockets according to its configuration and listens for
connections. When a connection is found on one of its sockets, it decides what
service the socket corresponds to, and invokes a program to service the
request. After the program is finished, it continues to listen on the socket
(except in some cases which will be described below). Essentially,
inetd allows running one daemon to invoke several
others, reducing load on the system.
The options available for inetd:
-d- Turns on debugging.
-l- Turns on libwrap connection logging.
Upon execution, inetd reads its
configuration information from a configuration file which, by default, is
/etc/inetd.conf. The path given for this
configuration file must be absolute, unless the -d
option is also given on the command line. There must be an entry for each
field of the configuration file, with entries for each field separated by a
tab or a space. Comments are denoted by a ``#'' at the beginning of a line.
There must be an entry for each field (except for one special case,
described below). The fields of the configuration file are as follows:
[listen-addr:]service-spec socket-type[:accept-filter] protocol[,sndbuf=size][,rcvbuf=size] wait/nowait[:max] user[:group] server-program server program arguments
The listen-addr specifies the local address
inetd should use when listening. The single
character “*” means INADDR_ANY: all
local addresses. To avoid the need to repeat listen addresses over and over
again, listen addresses are inherited from line to line, and the listen
address can be changed without defining a service by including a line
containing just a listen-addr followed by a colon. The
default (compatible with historical configuration files) is *. To return to
this behavior after configuring some services with specific listen
addresses, give * explicitly.
Note that restricted listen addresses are meaningless and ignored for UNIX-domain services, and are not supported for Sun-RPC services. All Sun-RPC services always listen on all interfaces.
The form of the service-spec varies with the service type. For Internet services, the service-spec can be either the name of a service from /etc/services or a decimal port number. For “internal” services (discussed below), the service name must be the official name of the service (that is, the first entry in /etc/services) and not an alias for it.
For Sun-RPC based services,
the service-spec has the form
service-name/version.
The service name must be a valid RPC service name from the file
/etc/rpc. The version on the right
of the “/” is the RPC version number. This can simply be a
single numeric argument or a range of versions. A range is bounded by the
low version to the high version - e.g. “rusers/1-3”.
For UNIX-domain (local) services, the service-spec is the path name to listen on.
The socket-type should be one of “stream”, “dgram”, “raw”, “rdm”, or “seqpacket”, depending on whether the socket is a stream, datagram, raw, reliably delivered message, or sequenced packet socket.
Optionally, for Internet services, an accept filter (see
accept_filter(9)) can be specified by appending a colon to
socket-type, followed by the name of the desired accept
filter. In this case inetd will not see new
connections for the specified service until the accept filter decides they
are ready to be handled.
The protocol must be a valid protocol as given in /etc/protocols or (for UNIX-domain services) the string “unix”. The most common are “tcp” and “udp”. For TCP and UDP, the IP version (4 or 6) may be specified explicitly by appending 4 or 6 to the protocol name. Otherwise the default version (IPv4) is used. For Sun-RPC the string “rpc” and a slash should be prepended: “rpc/tcp” or “rpc/udp”. If you would like to enable special support for faithd(8), prepend the string “faith” and a slash: “faith/tcp6”.
In addition to the protocol, the configuration file may specify the send and receive socket buffer sizes for the listening socket. This is especially useful for TCP: the window scale factor, which is based on the receive socket buffer size, is advertised when the connection handshake occurs and thus the socket buffer size must be set on the listen socket. By increasing the socket buffer sizes, better TCP performance may be realized in some situations. The socket buffer sizes are specified by appending their values to the protocol specification as follows:
tcp,rcvbuf=16384 tcp,sndbuf=64k tcp,rcvbuf=64k,sndbuf=1m
A literal value may be specified, or modified using ‘k’ to indicate kilobytes or ‘m’ to indicate megabytes. Socket buffer sizes may be specified for all services and protocols except for tcpmux services.
The
wait/nowait
entry is used to tell inetd if it should wait for
the server program to return, or continue processing connections on the
socket. If a datagram server connects to its peer, freeing the socket so
inetd can receive further messages on the socket, it
is said to be a “multi-threaded” server, and should use the
“nowait” entry. For datagram servers which process all
incoming datagrams on a socket and eventually time out, the server is said
to be “single-threaded” and should use a “wait”
entry. comsat(8) (biff(1)) and
ntalkd(8) are both examples of the latter type of datagram server.
tftpd(8) is an exception; it is a datagram server that establishes
pseudo-connections. It must be listed as “wait” in order to
avoid a race; the server reads the first packet, creates a new socket, and
then forks and exits to allow inetd to check for new
service requests to spawn new servers. The optional “max”
suffix (separated from “wait” or “nowait” by a
dot or a colon) specifies the maximum number of server instances that may be
spawned from inetd within an interval of 60 seconds.
When omitted, “max” defaults to 40. If it reaches this maximum
spawn rate, inetd will log the problem (via the
syslogger using the LOG_DAEMON facility and
LOG_ERR level) and stop handling the specific
service for ten minutes.
Stream servers are usually marked as “nowait” but if
a single server process is to handle multiple connections, it may be marked
as “wait”. The master socket will then be passed as fd 0 to
the server, which will then need to accept the incoming connection. The
server should eventually time out and exit when no more connections are
active. inetd will continue to listen on the master
socket for connections, so the server should not close it when it exits.
identd(8) is usually the only stream server marked as wait.
The user entry should contain the user name of the user as whom the server should run. This allows for servers to be given less permission than root. Optionally, a group can be specified by appending a colon to the user name, followed by the group name (it is possible to use a dot (``.'') in lieu of a colon, however this feature is provided only for backward compatibility). This allows for servers to run with a different (primary) group id than specified in the password file. If a group is specified and user is not root, the supplementary groups associated with that user will still be set.
The
server-program
entry should contain the pathname of the program which is to be executed by
inetd when a request is found on its socket. If
inetd provides this service internally, this entry
should be “internal”.
The server program arguments should be just as arguments normally are, starting with argv[0], which is the name of the program. If the service is provided internally, the word “internal” should take the place of this entry. It is possible to quote an argument using either single or double quotes. This allows you to have, e.g., spaces in paths and parameters.
Internal Services
inetd provides several "trivial"
services internally by use of routines within itself. These services are
"echo", "discard", "chargen" (character
generator), "daytime" (human readable time), and "time"
(machine readable time, in the form of the number of seconds since midnight,
January 1, 1900 GMT). For details of these services, consult the appropriate
RFC.
TCP services without official port numbers can be handled with the RFC1078-based tcpmux internal service. TCPmux listens on port 1 for requests. When a connection is made from a foreign host, the service name requested is passed to TCPmux, which performs a lookup in the service name table provided by /etc/inetd.conf and returns the proper entry for the service. TCPmux returns a negative reply if the service doesn't exist, otherwise the invoked server is expected to return the positive reply if the service type in /etc/inetd.conf file has the prefix "tcpmux/". If the service type has the prefix "tcpmux/+", TCPmux will return the positive reply for the process; this is for compatibility with older server code, and also allows you to invoke programs that use stdin/stdout without putting any special server code in them. Services that use TCPmux are "nowait" because they do not have a well-known port number and hence cannot listen for new requests.
inetd rereads its
configuration file when it receives a hangup signal,
SIGHUP. Services may be added, deleted or modified
when the configuration file is reread. inetd creates
a file
/var/run/inetd.pid
that contains its process identifier.
libwrap
Support for TCP wrappers is included with
inetd to provide internal tcpd-like access control
functionality. An external tcpd program is not needed. You do not need to
change the /etc/inetd.conf server-program entry to
enable this capability. inetd uses
/etc/hosts.allow and
/etc/hosts.deny for access control facility
configurations, as described in
hosts_access(5).
Nota Bene: TCP wrappers do not affect/restrict UDP or internal services.
IPsec
The implementation includes a tiny hack to support IPsec policy
settings for each socket. A special form of the comment line, starting with
“#@”, is used as a policy specifier.
The content of the above comment line will be treated as a IPsec policy
string, as described in
ipsec_set_policy(3). Multiple IPsec policy strings may be
specified by using a semicolon as a separator. If conflicting policy strings
are found in a single line, the last string will take effect. A
#@ line affects all of the following lines in
/etc/inetd.conf, so you may want to reset the IPsec
policy by using a comment line containing only #@
(with no policy string).
If an invalid IPsec policy string appears in
/etc/inetd.conf, inetd logs
an error message using
syslog(3) and terminates itself.
IPv6 TCP/UDP behavior
If you wish to run a server for both IPv4 and IPv6 traffic, you will need to run two separate processes for the same server program, specified as two separate lines in /etc/inetd.conf using “tcp4” and “tcp6” respectively. Plain “tcp” means TCP on top of the current default IP version, which is, at this moment, IPv4.
Under various combination of IPv4/v6 daemon settings,
inetd will behave as follows:
- If you have only one server on “tcp4”, IPv4 traffic will be routed to the server. IPv6 traffic will not be accepted.
- If you have two servers on “tcp4” and “tcp6”, IPv4 traffic will be routed to the server on “tcp4”, and IPv6 traffic will go to server on “tcp6”.
- If you have only one server on “tcp6”, only IPv6 traffic will be routed to the server. The kernel may route to the server IPv4 traffic as well, under certain configuration. See ip6(4) for details.
FILES
- /etc/inetd.conf
- configuration file for all
inetdprovided services - /etc/services
- service name to protocol and port number mappings.
- /etc/protocols
- protocol name to protocol number mappings
- /etc/rpc
- Sun-RPC service name to service number mappings.
- /etc/hosts.allow
- explicit remote host access list.
- /etc/hosts.deny
- explicit remote host denial of service list.
SEE ALSO
hosts_access(5), hosts_options(5), protocols(5), rpc(5), services(5), comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8), telnetd(8), tftpd(8)
J. Postel, Echo Protocol, RFC, 862, May 1983.
J. Postel, Discard Protocol, RFC, 863, May 1983.
J. Postel, Character Generator Protocol, RFC, 864, May 1983.
J. Postel, Daytime Protocol, RFC, 867, May 1983.
J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.
M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November 1988.
HISTORY
The inetd command appeared in
4.3BSD. Support for Sun-RPC based
services is modeled after that provided by SunOS 4.1. Support for specifying
the socket buffer sizes was added in NetBSD 1.4. In
November 1996, libwrap support was added to provide internal tcpd-like
access control functionality; libwrap is based on Wietse Venema's
tcp_wrappers. IPv6 support and IPsec hack was made by KAME project, in
1999.
BUGS
Host address specifiers, while they make conceptual sense for RPC services, do not work entirely correctly. This is largely because the portmapper interface does not provide a way to register different ports for the same service on different local addresses. Provided you never have more than one entry for a given RPC service, everything should work correctly (Note that default host address specifiers do apply to RPC lines with no explicit specifier.)
“tcpmux” on IPv6 is not tested enough.
SECURITY CONSIDERATIONS
Enabling the “echo”, “discard”, and “chargen” built-in trivial services is not recommended because remote users may abuse these to cause a denial of network service to or from the local host.