.\" $NetBSD: inetd.8,v 1.61 2017/07/20 07:42:54 wiz Exp $
.\"
.\" Copyright (c) 1998 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
.\" NASA Ames Research Center.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) 1985, 1991 The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	from: @(#)inetd.8	8.4 (Berkeley) 6/1/94
.\"
.Dd July 19, 2017
.Dt INETD 8
.Os
.Sh NAME
.Nm inetd ,
.Nm inetd.conf
.Nd internet
.Dq super-server
.Sh SYNOPSIS
.Nm
.Op Fl d
.Op Fl l
.Op Ar configuration file
.Sh DESCRIPTION
.Nm
should be run at boot time by
.Pa /etc/rc
(see
.Xr rc 8 ) .
It then opens sockets according to its configuration and listens
for connections.
When a connection is found on one of its sockets, it decides what
service the socket corresponds to, and invokes a program to service
the request.
After the program is finished, it continues to listen on the socket
(except in some cases which will be described below).
Essentially,
.Nm
allows running one daemon to invoke several others,
reducing load on the system.
.Pp
The options available for
.Nm :
.Bl -tag -width Ds
.It Fl d
Turns on debugging.
.It Fl l
Turns on libwrap connection logging.
.El
.Pp
Upon execution,
.Nm
reads its configuration information from a configuration
file which, by default, is
.Pa /etc/inetd.conf .
The path given for this configuration file must be absolute, unless
the
.Fl d
option is also given on the command line.
Each line of the configuration file describes one service and must
contain an entry for each field (except for one special case,
described below), with the entries separated by tabs or spaces.
Comments are denoted by a ``#'' at the beginning of a line.
The fields of the configuration file are as follows:
.Pp
.Bd -unfilled -offset indent -compact
[listen-addr:]service-spec
socket-type[:accept-filter]
protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
.Ed
.Pp
The
.Em listen-addr
specifies the local address
.Nm
should use when listening.
The single character
.Dq \&*
means
.Dv INADDR_ANY :
all local addresses.
To avoid the need to repeat listen addresses over and over again,
listen addresses are inherited from line to line, and the listen
address can be changed without defining a service by including a line
containing just
a
.Em listen-addr
followed by a colon.
The default (compatible with historical configuration files) is \&*.
To return to this behavior after configuring some services with
specific listen addresses, give \&* explicitly.
.Pp
Note that restricted listen addresses are meaningless and ignored for
UNIX-domain services, and are not supported for
.Em Sun-RPC
services.
All
.Em Sun-RPC
services always listen on all interfaces.
.Pp
The form of the
.Em service-spec
varies with the service type.
For Internet services, the
.Em service-spec
can be either the name of a service from
.Pa /etc/services
or a decimal port number.
For
.Dq internal
services (discussed below), the service name
.Em must
be the official name of the service (that is, the first entry in
.Pa /etc/services )
and not an alias for it.
.Pp
For
.Em Sun-RPC
based services, the
.Em service-spec
has the form
.Em service-name Ns Li / Ns Em version .
The service name must be a valid RPC service name from
the file
.Pa /etc/rpc .
The
.Em version
on the right of the
.Dq /
is the RPC version number.
This can simply be a single numeric argument or a range of versions.
A range is bounded by the low version to the high version \- e.g.
.Dq rusers/1-3 .
.Pp
For UNIX-domain (local) services, the
.Em service-spec
is the path name to listen on.
.Pp
The
.Em socket-type
should be one of
.Dq stream ,
.Dq dgram ,
.Dq raw ,
.Dq rdm ,
or
.Dq seqpacket ,
depending on whether the socket is a stream, datagram, raw,
reliably delivered message, or sequenced packet socket.
.Pp
Optionally, for Internet services, an accept filter
(see
.Xr accept_filter 9 )
can be specified by appending a colon to
.Em socket-type ,
followed by
the name of the desired accept filter.
In this case
.Nm
will not see new connections for the specified service until the accept
filter decides they are ready to be handled.
.\" XXX: do accept filters work for AF_UNIX sockets? nobody probably
.\" cares, but...
.Pp
The
.Em protocol
must be a valid protocol as given in
.Pa /etc/protocols
or (for UNIX-domain services) the string
.Dq unix .
The most common are
.Dq tcp
and
.Dq udp .
For TCP and UDP, the IP version (4 or 6) may be specified explicitly
by appending 4 or 6 to the protocol name.
Otherwise the default version (IPv4) is used.
For
.Em Sun-RPC
the string
.Dq rpc
and a slash should be prepended:
.Dq rpc/tcp
or
.Dq rpc/udp .
If you would like to enable special support for
.Xr faithd 8 ,
prepend the string
.Dq faith
and a slash:
.Dq faith/tcp6 .
.Pp
In addition to the protocol, the configuration file may specify the
send and receive socket buffer sizes for the listening socket.
This is especially useful for
.Tn TCP :
the window scale factor, which is based on the receive socket
buffer size, is advertised when the connection handshake occurs
and thus the socket buffer size must be set on the listen socket.
By increasing the socket buffer sizes, better
.Tn TCP
performance may be realized in some situations.
The socket buffer sizes are specified by appending their values to
the protocol specification as follows:
.Bd -literal -offset indent
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m
.Ed
.Pp
A literal value may be specified, or modified using
.Sq k
to indicate kilobytes or
.Sq m
to indicate megabytes.
Socket buffer sizes may be specified for all
services and protocols except for tcpmux services.
.Pp
The
.Em wait/nowait
entry is used to tell
.Nm
if it should wait for the server program to return,
or continue processing connections on the socket.
If a datagram server connects
to its peer, freeing the socket so
.Nm
can receive further messages on the socket, it is said to be
a
.Dq multi-threaded
server, and should use the
.Dq nowait
entry.
For datagram servers which process all incoming datagrams
on a socket and eventually time out, the server is said to be
.Dq single-threaded
and should use a
.Dq wait
entry.
.Xr comsat 8
.Pq Xr biff 1
and
.Xr ntalkd 8
are both examples of the latter type of
datagram server.
.Xr tftpd 8
is an exception; it is a datagram server that establishes pseudo-connections.
It must be listed as
.Dq wait
in order to avoid a race;
the server reads the first packet, creates a new socket,
and then forks and exits to allow
.Nm
to check for new service requests to spawn new servers.
The optional
.Dq max
suffix (separated from
.Dq wait
or
.Dq nowait
by a dot or a colon) specifies the maximum number of server instances that may
be spawned from
.Nm
within an interval of 60 seconds.
When omitted,
.Dq max
defaults to 40.
If it reaches this maximum spawn rate,
.Nm
will log the problem (via the syslogger using the
.Dv LOG_DAEMON
facility and
.Dv LOG_ERR
level)
and stop handling the specific service for ten minutes.
.Pp
Stream servers are usually marked as
.Dq nowait
but if a single server process is to handle multiple connections, it may be
marked as
.Dq wait .
The master socket will then be passed as fd 0 to the server, which will then
need to accept the incoming connection.
The server should eventually time
out and exit when no more connections are active.
.Nm
will continue to
listen on the master socket for connections, so the server should not close
it when it exits.
.Xr identd 8
is usually the only stream server marked as wait.
.Pp
The
.Em user
entry should contain the user name of the user as whom the server should run.
This allows for servers to be given less permission than root.
Optionally, a group can be specified by appending a colon to the user name,
followed by the group name (it is possible to use a dot (``.'') in lieu of a
colon; however, this feature is provided only for backward compatibility).
This allows for servers to run with a different (primary) group id than
specified in the password file.
If a group is specified and
.Em user
is not root, the supplementary groups associated with that user will still be
set.
.Pp
The
.Em server-program
entry should contain the pathname of the program which is to be
executed by
.Nm
when a request is found on its socket.
If
.Nm
provides this service internally, this entry should
be
.Dq internal .
.Pp
The
.Em server program arguments
should be just as arguments
normally are, starting with argv[0], which is the name of
the program.
If the service is provided internally, the
word
.Dq internal
should take the place of this entry.
It is possible to quote an argument using either single or double quotes.
This allows you to have, e.g., spaces in paths and parameters.
.Ss Internal Services
.Nm
provides several
.Qq trivial
services internally by use of routines within itself.
These services are
.Qq echo ,
.Qq discard ,
.Qq chargen
(character generator),
.Qq daytime
(human readable time), and
.Qq time
(machine readable time,
in the form of the number of seconds since midnight, January 1, 1900 GMT).
For details of these services, consult the appropriate
.Tn RFC .
.Pp
TCP services without official port numbers can be handled with the
RFC1078-based tcpmux internal service.
TCPmux listens on port 1 for requests.
When a connection is made from a foreign host, the service name
requested is passed to TCPmux, which performs a lookup in the
service name table provided by
.Pa /etc/inetd.conf
and returns the proper entry for the service.
TCPmux returns a negative reply if the service doesn't exist,
otherwise the invoked server is expected to return the positive
reply if the service type in
.Pa /etc/inetd.conf
file has the prefix
.Qq tcpmux/ .
If the service type has the
prefix
.Qq tcpmux/+ ,
TCPmux will return the positive reply for the
process; this is for compatibility with older server code, and also
allows you to invoke programs that use stdin/stdout without putting any
special server code in them.
Services that use TCPmux are
.Qq nowait
because they do not have a well-known port number and hence cannot listen
for new requests.
.Pp
.Nm
rereads its configuration file when it receives a hangup signal,
.Dv SIGHUP .
Services may be added, deleted or modified when the configuration file
is reread.
.Nm
creates a file
.Em /var/run/inetd.pid
that contains its process identifier.
.Ss libwrap
Support for
.Tn TCP
wrappers is included with
.Nm
to provide internal tcpd-like access control functionality.
An external tcpd program is not needed.
You do not need to change the
.Pa /etc/inetd.conf
server-program entry to enable this capability.
.Nm
uses
.Pa /etc/hosts.allow
and
.Pa /etc/hosts.deny
for access control facility configurations, as described in
.Xr hosts_access 5 .
.Pp
.Em Nota Bene :
.Tn TCP
wrappers do not affect/restrict
.Tn UDP
or internal services.
.Ss IPsec
The implementation includes a tiny hack to support IPsec policy settings for
each socket.
A special form of the comment line, starting with
.Dq Li "#@" ,
is used as a policy specifier.
The content of the above comment line will be treated as an IPsec policy string,
as described in
.Xr ipsec_set_policy 3 .
Multiple IPsec policy strings may be specified by using a semicolon
as a separator.
If conflicting policy strings are found in a single line,
the last string will take effect.
A
.Li "#@"
line affects all of the following lines in
.Pa /etc/inetd.conf ,
so you may want to reset the IPsec policy by using a comment line containing
only
.Li "#@"
.Pq with no policy string .
.Pp
If an invalid IPsec policy string appears in
.Pa /etc/inetd.conf ,
.Nm
logs an error message using
.Xr syslog 3
and terminates itself.
.Ss IPv6 TCP/UDP behavior
If you wish to run a server for both IPv4 and IPv6 traffic,
you will need to run two separate processes for the same server program,
specified as two separate lines in
.Pa /etc/inetd.conf
using
.Dq tcp4
and
.Dq tcp6
respectively.
Plain
.Dq tcp
means TCP on top of the current default IP version,
which is, at this moment, IPv4.
.Pp
Under the various combinations of IPv4/v6 daemon settings,
.Nm
will behave as follows:
.Bl -bullet -compact
.It
If you have only one server on
.Dq tcp4 ,
IPv4 traffic will be routed to the server.
IPv6 traffic will not be accepted.
.It
If you have two servers on
.Dq tcp4
and
.Dq tcp6 ,
IPv4 traffic will be routed to the server on
.Dq tcp4 ,
and IPv6 traffic will go to the server on
.Dq tcp6 .
.It
If you have only one server on
.Dq tcp6 ,
only IPv6 traffic will be routed to the server.
Under certain configurations the kernel may route IPv4 traffic
to the server as well.
See
.Xr ip6 4
for details.
.El
.Sh FILES
.Bl -tag -width /etc/hosts.allow -compact
.It Pa /etc/inetd.conf
configuration file for all
.Nm
provided services
.It Pa /etc/services
service name to protocol and port number mappings
.It Pa /etc/protocols
protocol name to protocol number mappings
.It Pa /etc/rpc
.Tn Sun-RPC
service name to service number mappings
.It Pa /etc/hosts.allow
explicit remote host access list
.It Pa /etc/hosts.deny
explicit remote host denial of service list
.El
.Sh SEE ALSO
.Xr hosts_access 5 ,
.Xr hosts_options 5 ,
.Xr protocols 5 ,
.Xr rpc 5 ,
.Xr services 5 ,
.Xr comsat 8 ,
.Xr fingerd 8 ,
.Xr ftpd 8 ,
.Xr rexecd 8 ,
.Xr rlogind 8 ,
.Xr rshd 8 ,
.Xr telnetd 8 ,
.Xr tftpd 8
.Rs
.%A J. Postel
.%R RFC
.%N 862
.%D May 1983
.%T "Echo Protocol"
.Re
.Rs
.%A J. Postel
.%R RFC
.%N 863
.%D May 1983
.%T "Discard Protocol"
.Re
.Rs
.%A J. Postel
.%R RFC
.%N 864
.%D May 1983
.%T "Character Generator Protocol"
.Re
.Rs
.%A J. Postel
.%R RFC
.%N 867
.%D May 1983
.%T "Daytime Protocol"
.Re
.Rs
.%A J. Postel
.%A K. Harrenstien
.%R RFC
.%N 868
.%D May 1983
.%T "Time Protocol"
.Re
.Rs
.%A M. Lottor
.%R RFC
.%N 1078
.%D November 1988
.%T "TCP port service Multiplexer (TCPMUX)"
.Re
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 .
Support for
.Em Sun-RPC
based services is modeled after that
provided by SunOS 4.1.
Support for specifying the socket buffer sizes was added in
.Nx 1.4 .
In November 1996, libwrap support was added to provide
internal tcpd-like access control functionality;
libwrap is based on Wietse Venema's tcp_wrappers.
IPv6 support and the IPsec hack were contributed by the KAME project in 1999.
.Sh BUGS
Host address specifiers, while they make conceptual sense for RPC
services, do not work entirely correctly.
This is largely because the portmapper interface does not provide
a way to register different ports for the same service on different
local addresses.
Provided you never have more than one entry for a given RPC service,
everything should work correctly.
(Note that default host address specifiers do apply to RPC lines
with no explicit specifier.)
.Pp
.Dq tcpmux
on IPv6 is not tested enough.
.Sh SECURITY CONSIDERATIONS
Enabling the
.Dq echo ,
.Dq discard ,
and
.Dq chargen
built-in trivial services is not recommended because remote
users may abuse these to cause a denial of network service to
or from the local host.
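The following is an added example, not part of this manual page and not code from inetd itself. It is a small Python reader for the inetd.conf grammar described above (listen-addr inheritance and the bare "addr:" line, socket-type:accept-filter, protocol,sndbuf=/rcvbuf= sizes with k/m suffixes, wait/nowait with a dot- or colon-separated max, user:group, quoted arguments, and "#@" IPsec policy lines), followed by a check for the points this page raises from the defender's side: the trivial internal services the SECURITY CONSIDERATIONS section advises against, servers still running as root despite the user field, UDP services that libwrap cannot restrict, and tcpmux services not marked nowait. The sample configuration, its program paths and the finding codes are constructed for the example; splitting a listen address at the last colon, and preferring the colon over the dot when separating user and group, are simplifying assumptions rather than inetd's exact parsing rules.

```python
import re
import shlex
from collections import namedtuple

TRIVIAL_SERVICES = {"echo", "discard", "chargen"}  # SECURITY CONSIDERATIONS
DEFAULT_MAX_SPAWN = 40  # "max" defaults to 40 spawns per 60-second interval

Entry = namedtuple("Entry", (
    "lineno listen_addr service socket_type accept_filter protocol sndbuf rcvbuf "
    "wait max_spawn user group program args ipsec_policy"))


def parse_size(text):
    """Socket buffer size as written after sndbuf=/rcvbuf=: bytes or k/m suffixed."""
    units = {"k": 1024, "m": 1024 * 1024}
    if text[-1].lower() in units:
        return int(text[:-1]) * units[text[-1].lower()]
    return int(text)


def parse_inetd_conf(text):
    entries = []
    listen_addr = "*"    # historical default (INADDR_ANY), inherited line to line
    ipsec_policy = None  # "#@ policy" covers following lines; a bare "#@" resets it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#@"):
            ipsec_policy = line[2:].strip() or None
            continue
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # single or double quotes protect spaces in args
        if len(fields) == 1 and fields[0].endswith(":"):
            listen_addr = fields[0][:-1]  # "addr:" alone only changes the listen address
            continue
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        spec, socktype, protofield, waitspec, userspec, program = fields[:6]
        addr = listen_addr
        # Assumption: a per-line listen address ends at the last colon; UNIX paths have none.
        if ":" in spec and not spec.startswith("/"):
            addr, spec = spec.rsplit(":", 1)
        socket_type, _, accept_filter = socktype.partition(":")
        protocol, *opts = protofield.split(",")
        sndbuf = rcvbuf = None
        for opt in opts:
            key, _, val = opt.partition("=")
            if key == "sndbuf":
                sndbuf = parse_size(val)
            elif key == "rcvbuf":
                rcvbuf = parse_size(val)
            else:
                raise ValueError(f"line {lineno}: unknown protocol option {opt!r}")
        wait, *rest = re.split(r"[:.]", waitspec, maxsplit=1)  # dot or colon before max
        if wait not in ("wait", "nowait"):
            raise ValueError(f"line {lineno}: bad wait/nowait field {waitspec!r}")
        max_spawn = int(rest[0]) if rest else DEFAULT_MAX_SPAWN
        sep = ":" if ":" in userspec else "."  # user[:group]; dot kept for compatibility
        user, _, group = userspec.partition(sep)
        entries.append(Entry(lineno, addr, spec, socket_type, accept_filter or None,
                             protocol, sndbuf, rcvbuf, wait, max_spawn, user,
                             group or None, program, fields[6:], ipsec_policy))
    return entries


def audit(entries):
    """(lineno, code) findings for the settings inetd(8) warns about; codes are ours."""
    findings = []
    for e in entries:
        if e.program == "internal" and e.service in TRIVIAL_SERVICES:
            findings.append((e.lineno, "trivial-service"))  # echo/discard/chargen
        if e.program != "internal" and e.user == "root":
            findings.append((e.lineno, "runs-as-root"))  # user field gives no privilege drop
        if e.program != "internal" and e.protocol.split("/")[-1].startswith("udp"):
            findings.append((e.lineno, "udp-unwrapped"))  # libwrap does not restrict UDP
        if e.service.startswith("tcpmux/") and e.wait != "nowait":
            findings.append((e.lineno, "tcpmux-wait"))  # tcpmux services must be nowait
    return findings


# Constructed sample configuration for this example; not a real /etc/inetd.conf.
SAMPLE_CONF = """\
#@ in ipsec esp/transport//require
ftp      stream tcp,rcvbuf=64k,sndbuf=1m nowait:60 root           /usr/libexec/ftpd    ftpd -ll
#@
127.0.0.1:
finger   stream tcp6                     nowait    nobody:nogroup /usr/libexec/fingerd fingerd -s "arg with space"
*:
chargen  stream tcp                      nowait    root           internal
tftp     dgram  udp                      wait      nobody         /usr/libexec/tftpd   tftpd -l -s /tftpboot
tcpmux/+date stream tcp                  nowait    guest          /bin/date            date
rusers/1-3 dgram rpc/udp                 wait      root           /usr/libexec/rpc.rusersd rpc.rusersd
/var/run/example.sock stream unix        nowait    root           /usr/libexec/example example
"""

if __name__ == "__main__":
    for lineno, code in audit(parse_inetd_conf(SAMPLE_CONF)):
        print(f"line {lineno}: {code}")
```

Run against the sample, the audit reports the chargen line as a trivial service, the tftp and rusers lines as UDP services outside libwrap's reach, and the ftp, rusers and UNIX-domain lines as servers that keep root; the finger line, which uses a restricted listen address and an unprivileged user:group, produces no finding. The "#@" handling shows why the bare reset line matters: only the ftp entry carries the IPsec policy, because the following "#@" clears it before the later services are defined.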