1.\" $NetBSD: inetd.8,v 1.50 2008/08/28 21:39:08 wiz Exp $ 2.\" 3.\" Copyright (c) 1998 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 8.\" NASA Ames Research Center. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.\" Copyright (c) 1985, 1991 The Regents of the University of California. 32.\" All rights reserved. 33.\" 34.\" Redistribution and use in source and binary forms, with or without 35.\" modification, are permitted provided that the following conditions 36.\" are met: 37.\" 1. Redistributions of source code must retain the above copyright 38.\" notice, this list of conditions and the following disclaimer. 39.\" 2. Redistributions in binary form must reproduce the above copyright 40.\" notice, this list of conditions and the following disclaimer in the 41.\" documentation and/or other materials provided with the distribution. 42.\" 3. Neither the name of the University nor the names of its contributors 43.\" may be used to endorse or promote products derived from this software 44.\" without specific prior written permission. 45.\" 46.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 47.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 50.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56.\" SUCH DAMAGE. 57.\" 58.\" from: @(#)inetd.8 8.4 (Berkeley) 6/1/94 59.\" 60.Dd August 27, 2008 61.Dt INETD 8 62.Os 63.Sh NAME 64.Nm inetd , 65.Nm inetd.conf 66.Nd internet 67.Dq super-server 68.Sh SYNOPSIS 69.Nm 70.Op Fl d 71.Op Fl l 72.Op Ar configuration file 73.Sh DESCRIPTION 74.Nm 75should be run at boot time by 76.Pa /etc/rc 77(see 78.Xr rc 8 ) . 79It then opens sockets according to its configuration and listens 80for connections. 81When a connection is found on one of its sockets, it decides what 82service the socket corresponds to, and invokes a program to service 83the request. 84After the program is finished, it continues to listen on the socket 85(except in some cases which will be described below). 86Essentially, 87.Nm 88allows running one daemon to invoke several others, 89reducing load on the system. 90.Pp 91The options available for 92.Nm : 93.Bl -tag -width Ds 94.It Fl d 95Turns on debugging. 96.It Fl l 97Turns on libwrap connection logging. 98.El 99.Pp 100Upon execution, 101.Nm 102reads its configuration information from a configuration 103file which, by default, is 104.Pa /etc/inetd.conf . 105The path given for this configuration file must be absolute, unless 106the 107.Fl d 108option is also given on the command line. 109There must be an entry for each field of the configuration 110file, with entries for each field separated by a tab or 111a space. 112Comments are denoted by a ``#'' at the beginning of a line. 113There must be an entry for each field (except for one 114special case, described below). 115The fields of the configuration file are as follows: 116.Pp 117.Bd -unfilled -offset indent -compact 118[addr:]service-name 119socket-type[:accept_filter] 120protocol[,sndbuf=size][,rcvbuf=size] 121wait/nowait[:max] 122user[:group] 123server-program 124server program arguments 125.Ed 126.Pp 127To specify an 128.Em Sun-RPC 129based service, the entry would contain these fields: 130.Pp 131.Bd -unfilled -offset indent -compact 132service-name/version 133socket-type 134rpc/protocol[,sndbuf=size][,rcvbuf=size] 135wait/nowait[:max] 136user[:group] 137server-program 138server program arguments 139.Ed 140.Pp 141To specify a UNIX-domain (local) socket, the entry would contain 142these fields: 143.Pp 144.Bd -unfilled -offset indent -compact 145path 146socket-type 147unix[,sndbuf=size][,rcvbuf=size] 148wait/nowait[:max] 149user[:group] 150server-program 151server program arguments 152.Ed 153.Pp 154For Internet services, the first field of the line may also have a host 155address specifier prefixed to it, separated from the service name by a colon. 156If this is done, the string before the colon in the first field 157indicates what local address 158.Nm 159should use when listening for that service, or the single character 160.Dq \&* 161to indicate 162.Dv INADDR_ANY , 163meaning 164.Sq all local addresses . 165To avoid repeating an address that occurs frequently, a line with a 166host address specifier and colon, but no further fields, causes the 167host address specifier to be remembered and used for all further lines 168with no explicit host specifier (until another such line or the end of 169the file). 170A line 171.Dl *: 172is implicitly provided at the top of the file; thus, traditional 173configuration files (which have no host address specifiers) will be 174interpreted in the traditional manner, with all services listened for 175on all local addresses. 176.Pp 177The 178.Em service-name 179entry is the name of a valid service in 180the file 181.Pa /etc/services . 182For 183.Dq internal 184services (discussed below), the service 185name 186.Em must 187be the official name of the service (that is, the first entry in 188.Pa /etc/services ) . 189When used to specify a 190.Em Sun-RPC 191based service, this field is a valid RPC service name in 192the file 193.Pa /etc/rpc . 194The part on the right of the 195.Dq / 196is the RPC version number. 197This can simply be a single numeric argument or a range of versions. 198A range is bounded by the low version to the high version \- 199.Dq rusers/1-3 . 200.Pp 201The 202.Em socket-type 203should be one of 204.Dq stream , 205.Dq dgram , 206.Dq raw , 207.Dq rdm , 208or 209.Dq seqpacket , 210depending on whether the socket is a stream, datagram, raw, 211reliably delivered message, or sequenced packet socket. 212.Pp 213Optionally, an 214.Xr accept_filter 9 215can be specified by appending a colon to the socket-type, followed by 216the name of the desired accept filter. In this case 217.Nm 218will not see new connections for the specified service until the accept 219filter decides they are ready to be handled. 220.Pp 221The 222.Em protocol 223must be a valid protocol as given in 224.Pa /etc/protocols 225or the string 226.Dq unix . 227Examples might be 228.Dq tcp 229and 230.Dq udp . 231Rpc based services are specified with the 232.Dq rpc/tcp 233or 234.Dq rpc/udp 235service type. 236.Dq tcp 237and 238.Dq udp 239will be recognized as 240.Dq TCP or UDP over default IP version . 241It is currently IPv4, but in the future it will be IPv6. 242If you need to specify IPv4 or IPv6 explicitly, use something like 243.Dq tcp4 244or 245.Dq udp6 . 246If you would like to enable special support for 247.Xr faithd 8 , 248prepend a keyword 249.Dq faith 250into 251.Em protocol , 252like 253.Dq faith/tcp6 . 254.Pp 255In addition to the protocol, the configuration file may specify the 256send and receive socket buffer sizes for the listening socket. 257This is especially useful for 258.Tn TCP 259as the window scale factor, which is based on the receive socket 260buffer size, is advertised when the connection handshake occurs, 261thus the socket buffer size for the server must be set on the listen socket. 262By increasing the socket buffer sizes, better 263.Tn TCP 264performance may be realized in some situations. 265The socket buffer sizes are specified by appending their values to 266the protocol specification as follows: 267.Bd -literal -offset indent 268tcp,rcvbuf=16384 269tcp,sndbuf=64k 270tcp,rcvbuf=64k,sndbuf=1m 271.Ed 272.Pp 273A literal value may be specified, or modified using 274.Sq k 275to indicate kilobytes or 276.Sq m 277to indicate megabytes. 278Socket buffer sizes may be specified for all 279services and protocols except for tcpmux services. 280.Pp 281The 282.Em wait/nowait 283entry is used to tell 284.Nm 285if it should wait for the server program to return, 286or continue processing connections on the socket. 287If a datagram server connects 288to its peer, freeing the socket so 289.Nm 290can receive further messages on the socket, it is said to be 291a 292.Dq multi-threaded 293server, and should use the 294.Dq nowait 295entry. 296For datagram servers which process all incoming datagrams 297on a socket and eventually time out, the server is said to be 298.Dq single-threaded 299and should use a 300.Dq wait 301entry. 302.Xr comsat 8 303.Pq Xr biff 1 304and 305.Xr talkd 8 306are both examples of the latter type of 307datagram server. 308.Xr tftpd 8 309is an exception; it is a datagram server that establishes pseudo-connections. 310It must be listed as 311.Dq wait 312in order to avoid a race; 313the server reads the first packet, creates a new socket, 314and then forks and exits to allow 315.Nm 316to check for new service requests to spawn new servers. 317The optional 318.Dq max 319suffix (separated from 320.Dq wait 321or 322.Dq nowait 323by a dot or a colon) specifies the maximum number of server instances that may 324be spawned from 325.Nm 326within an interval of 60 seconds. 327When omitted, 328.Dq max 329defaults to 40. 330If it reaches this maximum spawn rate, 331.Nm 332will log the problem (via the syslogger using the LOG_DAEMON 333facility and LOG_ERR level) 334and stop handling the specific service for ten minutes. 335.Pp 336Stream servers are usually marked as 337.Dq nowait 338but if a single server process is to handle multiple connections, it may be 339marked as 340.Dq wait . 341The master socket will then be passed as fd 0 to the server, which will then 342need to accept the incoming connection. 343The server should eventually time 344out and exit when no more connections are active. 345.Nm 346will continue to 347listen on the master socket for connections, so the server should not close 348it when it exits. 349.Xr identd 8 350is usually the only stream server marked as wait. 351.Pp 352The 353.Em user 354entry should contain the user name of the user as whom the server should run. 355This allows for servers to be given less permission than root. 356Optionally, a group can be specified by appending a colon to the user name, 357followed by the group name (it is possible to use a dot (``.'') in lieu of a 358colon, however this feature is provided only for backward compatibility). 359This allows for servers to run with a different (primary) group id than 360specified in the password file. 361If a group is specified and 362.Em user 363is not root, the supplementary groups associated with that user will still be 364set. 365.Pp 366The 367.Em server-program 368entry should contain the pathname of the program which is to be 369executed by 370.Nm 371when a request is found on its socket. 372If 373.Nm 374provides this service internally, this entry should 375be 376.Dq internal . 377.Pp 378The 379.Em server program arguments 380should be just as arguments 381normally are, starting with argv[0], which is the name of 382the program. 383If the service is provided internally, the 384word 385.Dq internal 386should take the place of this entry. 387It is possible to quote an argument using either single or double quotes. 388This allows you to have, e.g., spaces in paths and parameters. 389.Ss Internal Services 390.Nm 391provides several 392.Qq trivial 393services internally by use of routines within itself. 394These services are 395.Qq echo , 396.Qq discard , 397.Qq chargen 398(character generator), 399.Qq daytime 400(human readable time), and 401.Qq time 402(machine readable time, 403in the form of the number of seconds since midnight, January 1, 1900 GMT). 404For details of these services, consult the appropriate 405.Tn RFC . 406.Pp 407TCP services without official port numbers can be handled with the 408RFC1078-based tcpmux internal service. 409TCPmux listens on port 1 for requests. 410When a connection is made from a foreign host, the service name 411requested is passed to TCPmux, which performs a lookup in the 412service name table provided by 413.Pa /etc/inetd.conf 414and returns the proper entry for the service. 415TCPmux returns a negative reply if the service doesn't exist, 416otherwise the invoked server is expected to return the positive 417reply if the service type in 418.Pa /etc/inetd.conf 419file has the prefix 420.Qq tcpmux/ . 421If the service type has the 422prefix 423.Qq tcpmux/+ , 424TCPmux will return the positive reply for the 425process; this is for compatibility with older server code, and also 426allows you to invoke programs that use stdin/stdout without putting any 427special server code in them. 428Services that use TCPmux are 429.Qq nowait 430because they do not have a well-known port number and hence cannot listen 431for new requests. 432.Pp 433.Nm 434rereads its configuration file when it receives a hangup signal, 435.Dv SIGHUP . 436Services may be added, deleted or modified when the configuration file 437is reread. 438.Nm 439creates a file 440.Em /var/run/inetd.pid 441that contains its process identifier. 442.Ss libwrap 443Support for 444.Tn TCP 445wrappers is included with 446.Nm 447to provide internal tcpd-like access control functionality. 448An external tcpd program is not needed. 449You do not need to change the 450.Pa /etc/inetd.conf 451server-program entry to enable this capability. 452.Nm 453uses 454.Pa /etc/hosts.allow 455and 456.Pa /etc/hosts.deny 457for access control facility configurations, as described in 458.Xr hosts_access 5 . 459.Pp 460.Em Nota Bene : 461.Tn TCP 462wrappers do not affect/restrict 463.Tn UDP 464or internal services. 465.Ss IPsec 466The implementation includes a tiny hack to support IPsec policy settings for 467each socket. 468A special form of the comment line, starting with 469.Dq Li "#@" , 470is used as a policy specifier. 471The content of the above comment line will be treated as a IPsec policy string, 472as described in 473.Xr ipsec_set_policy 3 . 474Multiple IPsec policy strings may be specified by using a semicolon 475as a separator. 476If conflicting policy strings are found in a single line, 477the last string will take effect. 478A 479.Li "#@" 480line affects all of the following lines in 481.Pa /etc/inetd.conf , 482so you may want to reset the IPsec policy by using a comment line containing 483only 484.Li "#@" 485.Pq with no policy string . 486.Pp 487If an invalid IPsec policy string appears in 488.Pa /etc/inetd.conf , 489.Nm 490logs an error message using 491.Xr syslog 3 492and terminates itself. 493.Ss IPv6 TCP/UDP behavior 494If you wish to run a server for IPv4 and IPv6 traffic, 495you'll need to run two separate process for the same server program, 496specified as two separate lines on 497.Pa /etc/inetd.conf , 498for 499.Dq tcp4 500and 501.Dq tcp6 . 502.Dq tcp 503means TCP on top of currently-default IP version, 504which is, at this moment, IPv4. 505.Pp 506Under various combination of IPv4/v6 daemon settings, 507.Nm 508will behave as follows: 509.Bl -bullet -compact 510.It 511If you have only one server on 512.Dq tcp4 , 513IPv4 traffic will be routed to the server. 514IPv6 traffic will not be accepted. 515.It 516If you have two servers on 517.Dq tcp4 518and 519.Dq tcp6 , 520IPv4 traffic will be routed to the server on 521.Dq tcp4 , 522and IPv6 traffic will go to server on 523.Dq tcp6 . 524.It 525If you have only one server on 526.Dq tcp6 , 527only IPv6 traffic will be routed to the server. 528The kernel may route to the server IPv4 traffic as well, 529under certain configuration. 530See 531.Xr ip6 4 532for details. 533.El 534.Sh FILES 535.Bl -tag -width /etc/hosts.allow -compact 536.It Pa /etc/inetd.conf 537configuration file for all 538.Nm 539provided services 540.It Pa /etc/services 541service name to protocol and port number mappings. 542.It Pa /etc/protocols 543protocol name to protocol number mappings 544.It Pa /etc/rpc 545.Tn Sun-RPC 546service name to service number mappings. 547.It Pa /etc/hosts.allow 548explicit remote host access list. 549.It Pa /etc/hosts.deny 550explicit remote host denial of service list. 551.El 552.Sh SEE ALSO 553.Xr hosts_access 5 , 554.Xr hosts_options 5 , 555.Xr protocols 5 , 556.Xr rpc 5 , 557.Xr services 5 , 558.Xr comsat 8 , 559.Xr fingerd 8 , 560.Xr ftpd 8 , 561.Xr rexecd 8 , 562.Xr rlogind 8 , 563.Xr rshd 8 , 564.Xr telnetd 8 , 565.Xr tftpd 8 566.Rs 567.%A J. Postel 568.%R RFC 569.%N 862 570.%D May 1983 571.%T "Echo Protocol" 572.Re 573.Rs 574.%A J. Postel 575.%R RFC 576.%N 863 577.%D May 1983 578.%T "Discard Protocol" 579.Re 580.Rs 581.%A J. Postel 582.%R RFC 583.%N 864 584.%D May 1983 585.%T "Character Generator Protocol" 586.Re 587.Rs 588.%A J. Postel 589.%R RFC 590.%N 867 591.%D May 1983 592.%T "Daytime Protocol" 593.Re 594.Rs 595.%A J. Postel 596.%A K. Harrenstien 597.%R RFC 598.%N 868 599.%D May 1983 600.%T "Time Protocol" 601.Re 602.Rs 603.%A M. Lottor 604.%R RFC 605.%N 1078 606.%D November 1988 607.%T "TCP port service Multiplexer (TCPMUX)" 608.Re 609.Sh HISTORY 610The 611.Nm 612command appeared in 613.Bx 4.3 . 614Support for 615.Em Sun-RPC 616based services is modeled after that 617provided by SunOS 4.1. 618Support for specifying the socket buffer sizes was added in 619.Nx 1.4 . 620In November 1996, libwrap support was added to provide 621internal tcpd-like access control functionality; 622libwrap is based on Wietse Venema's tcp_wrappers. 623IPv6 support and IPsec hack was made by KAME project, in 1999. 624.Sh BUGS 625Host address specifiers, while they make conceptual sense for RPC 626services, do not work entirely correctly. 627This is largely because the portmapper interface does not provide 628a way to register different ports for the same service on different 629local addresses. 630Provided you never have more than one entry for a given RPC service, 631everything should work correctly (Note that default host address 632specifiers do apply to RPC lines with no explicit specifier.) 633.Pp 634.Dq tcpmux 635on IPv6 is not tested enough. 636.Sh SECURITY CONSIDERATIONS 637Enabling the 638.Dq echo , 639.Dq discard , 640and 641.Dq chargen 642built-in trivial services is not recommended because remote 643users may abuse these to cause a denial of network service to 644or from the local host. 645