1.\" $NetBSD: inetd.8,v 1.56 2009/10/24 12:23:47 reed Exp $ 2.\" 3.\" Copyright (c) 1998 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 8.\" NASA Ames Research Center. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.\" Copyright (c) 1985, 1991 The Regents of the University of California. 32.\" All rights reserved. 33.\" 34.\" Redistribution and use in source and binary forms, with or without 35.\" modification, are permitted provided that the following conditions 36.\" are met: 37.\" 1. Redistributions of source code must retain the above copyright 38.\" notice, this list of conditions and the following disclaimer. 39.\" 2. Redistributions in binary form must reproduce the above copyright 40.\" notice, this list of conditions and the following disclaimer in the 41.\" documentation and/or other materials provided with the distribution. 42.\" 3. Neither the name of the University nor the names of its contributors 43.\" may be used to endorse or promote products derived from this software 44.\" without specific prior written permission. 45.\" 46.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 47.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 50.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56.\" SUCH DAMAGE. 57.\" 58.\" from: @(#)inetd.8 8.4 (Berkeley) 6/1/94 59.\" 60.Dd August 27, 2008 61.Dt INETD 8 62.Os 63.Sh NAME 64.Nm inetd , 65.Nm inetd.conf 66.Nd internet 67.Dq super-server 68.Sh SYNOPSIS 69.Nm 70.Op Fl d 71.Op Fl l 72.Op Ar configuration file 73.Sh DESCRIPTION 74.Nm 75should be run at boot time by 76.Pa /etc/rc 77(see 78.Xr rc 8 ) . 79It then opens sockets according to its configuration and listens 80for connections. 81When a connection is found on one of its sockets, it decides what 82service the socket corresponds to, and invokes a program to service 83the request. 84After the program is finished, it continues to listen on the socket 85(except in some cases which will be described below). 86Essentially, 87.Nm 88allows running one daemon to invoke several others, 89reducing load on the system. 90.Pp 91The options available for 92.Nm : 93.Bl -tag -width Ds 94.It Fl d 95Turns on debugging. 96.It Fl l 97Turns on libwrap connection logging. 98.El 99.Pp 100Upon execution, 101.Nm 102reads its configuration information from a configuration 103file which, by default, is 104.Pa /etc/inetd.conf . 105The path given for this configuration file must be absolute, unless 106the 107.Fl d 108option is also given on the command line. 109There must be an entry for each field of the configuration 110file, with entries for each field separated by a tab or 111a space. 112Comments are denoted by a ``#'' at the beginning of a line. 113There must be an entry for each field (except for one 114special case, described below). 115The fields of the configuration file are as follows: 116.Pp 117.Bd -unfilled -offset indent -compact 118[addr:]service-name 119socket-type[:accept_filter] 120protocol[,sndbuf=size][,rcvbuf=size] 121wait/nowait[:max] 122user[:group] 123server-program 124server program arguments 125.Ed 126.Pp 127To specify an 128.Em Sun-RPC 129based service, the entry would contain these fields: 130.Pp 131.Bd -unfilled -offset indent -compact 132service-name/version 133socket-type 134rpc/protocol[,sndbuf=size][,rcvbuf=size] 135wait/nowait[:max] 136user[:group] 137server-program 138server program arguments 139.Ed 140.Pp 141To specify a UNIX-domain (local) socket, the entry would contain 142these fields: 143.Pp 144.Bd -unfilled -offset indent -compact 145path 146socket-type 147unix[,sndbuf=size][,rcvbuf=size] 148wait/nowait[:max] 149user[:group] 150server-program 151server program arguments 152.Ed 153.Pp 154For Internet services, the first field of the line may also have a host 155address specifier prefixed to it, separated from the service name by a colon. 156If this is done, the string before the colon in the first field 157indicates what local address 158.Nm 159should use when listening for that service, or the single character 160.Dq \&* 161to indicate 162.Dv INADDR_ANY , 163meaning 164.Sq all local addresses . 165To avoid repeating an address that occurs frequently, a line with a 166host address specifier and colon, but no further fields, causes the 167host address specifier to be remembered and used for all further lines 168with no explicit host specifier (until another such line or the end of 169the file). 170A line 171.Dl *: 172is implicitly provided at the top of the file; thus, traditional 173configuration files (which have no host address specifiers) will be 174interpreted in the traditional manner, with all services listened for 175on all local addresses. 176.Pp 177The 178.Em service-name 179entry is the name of a valid service in 180the file 181.Pa /etc/services . 182For 183.Dq internal 184services (discussed below), the service 185name 186.Em must 187be the official name of the service (that is, the first entry in 188.Pa /etc/services ) . 189When used to specify a 190.Em Sun-RPC 191based service, this field is a valid RPC service name in 192the file 193.Pa /etc/rpc . 194The part on the right of the 195.Dq / 196is the RPC version number. 197This can simply be a single numeric argument or a range of versions. 198A range is bounded by the low version to the high version \- 199.Dq rusers/1-3 . 200.Pp 201The 202.Em socket-type 203should be one of 204.Dq stream , 205.Dq dgram , 206.Dq raw , 207.Dq rdm , 208or 209.Dq seqpacket , 210depending on whether the socket is a stream, datagram, raw, 211reliably delivered message, or sequenced packet socket. 212.Pp 213Optionally, an 214.Xr accept_filter 9 215can be specified by appending a colon to the socket-type, followed by 216the name of the desired accept filter. 217In this case 218.Nm 219will not see new connections for the specified service until the accept 220filter decides they are ready to be handled. 221.Pp 222The 223.Em protocol 224must be a valid protocol as given in 225.Pa /etc/protocols 226or the string 227.Dq unix . 228Examples might be 229.Dq tcp 230and 231.Dq udp . 232Rpc based services are specified with the 233.Dq rpc/tcp 234or 235.Dq rpc/udp 236service type. 237.Dq tcp 238and 239.Dq udp 240will be recognized as 241.Dq TCP or UDP over default IP version . 242It is currently IPv4, but in the future it will be IPv6. 243If you need to specify IPv4 or IPv6 explicitly, use something like 244.Dq tcp4 245or 246.Dq udp6 . 247If you would like to enable special support for 248.Xr faithd 8 , 249prepend a keyword 250.Dq faith 251into 252.Em protocol , 253like 254.Dq faith/tcp6 . 255.Pp 256In addition to the protocol, the configuration file may specify the 257send and receive socket buffer sizes for the listening socket. 258This is especially useful for 259.Tn TCP 260as the window scale factor, which is based on the receive socket 261buffer size, is advertised when the connection handshake occurs, 262thus the socket buffer size for the server must be set on the listen socket. 263By increasing the socket buffer sizes, better 264.Tn TCP 265performance may be realized in some situations. 266The socket buffer sizes are specified by appending their values to 267the protocol specification as follows: 268.Bd -literal -offset indent 269tcp,rcvbuf=16384 270tcp,sndbuf=64k 271tcp,rcvbuf=64k,sndbuf=1m 272.Ed 273.Pp 274A literal value may be specified, or modified using 275.Sq k 276to indicate kilobytes or 277.Sq m 278to indicate megabytes. 279Socket buffer sizes may be specified for all 280services and protocols except for tcpmux services. 281.Pp 282The 283.Em wait/nowait 284entry is used to tell 285.Nm 286if it should wait for the server program to return, 287or continue processing connections on the socket. 288If a datagram server connects 289to its peer, freeing the socket so 290.Nm 291can receive further messages on the socket, it is said to be 292a 293.Dq multi-threaded 294server, and should use the 295.Dq nowait 296entry. 297For datagram servers which process all incoming datagrams 298on a socket and eventually time out, the server is said to be 299.Dq single-threaded 300and should use a 301.Dq wait 302entry. 303.Xr comsat 8 304.Pq Xr biff 1 305and 306.Xr ntalkd 8 307are both examples of the latter type of 308datagram server. 309.Xr tftpd 8 310is an exception; it is a datagram server that establishes pseudo-connections. 311It must be listed as 312.Dq wait 313in order to avoid a race; 314the server reads the first packet, creates a new socket, 315and then forks and exits to allow 316.Nm 317to check for new service requests to spawn new servers. 318The optional 319.Dq max 320suffix (separated from 321.Dq wait 322or 323.Dq nowait 324by a dot or a colon) specifies the maximum number of server instances that may 325be spawned from 326.Nm 327within an interval of 60 seconds. 328When omitted, 329.Dq max 330defaults to 40. 331If it reaches this maximum spawn rate, 332.Nm 333will log the problem (via the syslogger using the LOG_DAEMON 334facility and LOG_ERR level) 335and stop handling the specific service for ten minutes. 336.Pp 337Stream servers are usually marked as 338.Dq nowait 339but if a single server process is to handle multiple connections, it may be 340marked as 341.Dq wait . 342The master socket will then be passed as fd 0 to the server, which will then 343need to accept the incoming connection. 344The server should eventually time 345out and exit when no more connections are active. 346.Nm 347will continue to 348listen on the master socket for connections, so the server should not close 349it when it exits. 350.Xr identd 8 351is usually the only stream server marked as wait. 352.Pp 353The 354.Em user 355entry should contain the user name of the user as whom the server should run. 356This allows for servers to be given less permission than root. 357Optionally, a group can be specified by appending a colon to the user name, 358followed by the group name (it is possible to use a dot (``.'') in lieu of a 359colon, however this feature is provided only for backward compatibility). 360This allows for servers to run with a different (primary) group id than 361specified in the password file. 362If a group is specified and 363.Em user 364is not root, the supplementary groups associated with that user will still be 365set. 366.Pp 367The 368.Em server-program 369entry should contain the pathname of the program which is to be 370executed by 371.Nm 372when a request is found on its socket. 373If 374.Nm 375provides this service internally, this entry should 376be 377.Dq internal . 378.Pp 379The 380.Em server program arguments 381should be just as arguments 382normally are, starting with argv[0], which is the name of 383the program. 384If the service is provided internally, the 385word 386.Dq internal 387should take the place of this entry. 388It is possible to quote an argument using either single or double quotes. 389This allows you to have, e.g., spaces in paths and parameters. 390.Ss Internal Services 391.Nm 392provides several 393.Qq trivial 394services internally by use of routines within itself. 395These services are 396.Qq echo , 397.Qq discard , 398.Qq chargen 399(character generator), 400.Qq daytime 401(human readable time), and 402.Qq time 403(machine readable time, 404in the form of the number of seconds since midnight, January 1, 1900 GMT). 405For details of these services, consult the appropriate 406.Tn RFC . 407.Pp 408TCP services without official port numbers can be handled with the 409RFC1078-based tcpmux internal service. 410TCPmux listens on port 1 for requests. 411When a connection is made from a foreign host, the service name 412requested is passed to TCPmux, which performs a lookup in the 413service name table provided by 414.Pa /etc/inetd.conf 415and returns the proper entry for the service. 416TCPmux returns a negative reply if the service doesn't exist, 417otherwise the invoked server is expected to return the positive 418reply if the service type in 419.Pa /etc/inetd.conf 420file has the prefix 421.Qq tcpmux/ . 422If the service type has the 423prefix 424.Qq tcpmux/+ , 425TCPmux will return the positive reply for the 426process; this is for compatibility with older server code, and also 427allows you to invoke programs that use stdin/stdout without putting any 428special server code in them. 429Services that use TCPmux are 430.Qq nowait 431because they do not have a well-known port number and hence cannot listen 432for new requests. 433.Pp 434.Nm 435rereads its configuration file when it receives a hangup signal, 436.Dv SIGHUP . 437Services may be added, deleted or modified when the configuration file 438is reread. 439.Nm 440creates a file 441.Em /var/run/inetd.pid 442that contains its process identifier. 443.Ss libwrap 444Support for 445.Tn TCP 446wrappers is included with 447.Nm 448to provide internal tcpd-like access control functionality. 449An external tcpd program is not needed. 450You do not need to change the 451.Pa /etc/inetd.conf 452server-program entry to enable this capability. 453.Nm 454uses 455.Pa /etc/hosts.allow 456and 457.Pa /etc/hosts.deny 458for access control facility configurations, as described in 459.Xr hosts_access 5 . 460.Pp 461.Em Nota Bene : 462.Tn TCP 463wrappers do not affect/restrict 464.Tn UDP 465or internal services. 466.Ss IPsec 467The implementation includes a tiny hack to support IPsec policy settings for 468each socket. 469A special form of the comment line, starting with 470.Dq Li "#@" , 471is used as a policy specifier. 472The content of the above comment line will be treated as a IPsec policy string, 473as described in 474.Xr ipsec_set_policy 3 . 475Multiple IPsec policy strings may be specified by using a semicolon 476as a separator. 477If conflicting policy strings are found in a single line, 478the last string will take effect. 479A 480.Li "#@" 481line affects all of the following lines in 482.Pa /etc/inetd.conf , 483so you may want to reset the IPsec policy by using a comment line containing 484only 485.Li "#@" 486.Pq with no policy string . 487.Pp 488If an invalid IPsec policy string appears in 489.Pa /etc/inetd.conf , 490.Nm 491logs an error message using 492.Xr syslog 3 493and terminates itself. 494.Ss IPv6 TCP/UDP behavior 495If you wish to run a server for both IPv4 and IPv6 traffic, 496you will need to run two separate processes for the same server program, 497specified as two separate lines in 498.Pa /etc/inetd.conf 499using 500.Dq tcp4 501and 502.Dq tcp6 503respectively. 504Plain 505.Dq tcp 506means TCP on top of the current default IP version, 507which is, at this moment, IPv4. 508.Pp 509Under various combination of IPv4/v6 daemon settings, 510.Nm 511will behave as follows: 512.Bl -bullet -compact 513.It 514If you have only one server on 515.Dq tcp4 , 516IPv4 traffic will be routed to the server. 517IPv6 traffic will not be accepted. 518.It 519If you have two servers on 520.Dq tcp4 521and 522.Dq tcp6 , 523IPv4 traffic will be routed to the server on 524.Dq tcp4 , 525and IPv6 traffic will go to server on 526.Dq tcp6 . 527.It 528If you have only one server on 529.Dq tcp6 , 530only IPv6 traffic will be routed to the server. 531The kernel may route to the server IPv4 traffic as well, 532under certain configuration. 533See 534.Xr ip6 4 535for details. 536.El 537.Sh FILES 538.Bl -tag -width /etc/hosts.allow -compact 539.It Pa /etc/inetd.conf 540configuration file for all 541.Nm 542provided services 543.It Pa /etc/services 544service name to protocol and port number mappings. 545.It Pa /etc/protocols 546protocol name to protocol number mappings 547.It Pa /etc/rpc 548.Tn Sun-RPC 549service name to service number mappings. 550.It Pa /etc/hosts.allow 551explicit remote host access list. 552.It Pa /etc/hosts.deny 553explicit remote host denial of service list. 554.El 555.Sh SEE ALSO 556.Xr hosts_access 5 , 557.Xr hosts_options 5 , 558.Xr protocols 5 , 559.Xr rpc 5 , 560.Xr services 5 , 561.Xr comsat 8 , 562.Xr fingerd 8 , 563.Xr ftpd 8 , 564.Xr rexecd 8 , 565.Xr rlogind 8 , 566.Xr rshd 8 , 567.Xr telnetd 8 , 568.Xr tftpd 8 569.Rs 570.%A J. Postel 571.%R RFC 572.%N 862 573.%D May 1983 574.%T "Echo Protocol" 575.Re 576.Rs 577.%A J. Postel 578.%R RFC 579.%N 863 580.%D May 1983 581.%T "Discard Protocol" 582.Re 583.Rs 584.%A J. Postel 585.%R RFC 586.%N 864 587.%D May 1983 588.%T "Character Generator Protocol" 589.Re 590.Rs 591.%A J. Postel 592.%R RFC 593.%N 867 594.%D May 1983 595.%T "Daytime Protocol" 596.Re 597.Rs 598.%A J. Postel 599.%A K. Harrenstien 600.%R RFC 601.%N 868 602.%D May 1983 603.%T "Time Protocol" 604.Re 605.Rs 606.%A M. Lottor 607.%R RFC 608.%N 1078 609.%D November 1988 610.%T "TCP port service Multiplexer (TCPMUX)" 611.Re 612.Sh HISTORY 613The 614.Nm 615command appeared in 616.Bx 4.3 . 617Support for 618.Em Sun-RPC 619based services is modeled after that 620provided by SunOS 4.1. 621Support for specifying the socket buffer sizes was added in 622.Nx 1.4 . 623In November 1996, libwrap support was added to provide 624internal tcpd-like access control functionality; 625libwrap is based on Wietse Venema's tcp_wrappers. 626IPv6 support and IPsec hack was made by KAME project, in 1999. 627.Sh BUGS 628Host address specifiers, while they make conceptual sense for RPC 629services, do not work entirely correctly. 630This is largely because the portmapper interface does not provide 631a way to register different ports for the same service on different 632local addresses. 633Provided you never have more than one entry for a given RPC service, 634everything should work correctly (Note that default host address 635specifiers do apply to RPC lines with no explicit specifier.) 636.Pp 637.Dq tcpmux 638on IPv6 is not tested enough. 639.Sh SECURITY CONSIDERATIONS 640Enabling the 641.Dq echo , 642.Dq discard , 643and 644.Dq chargen 645built-in trivial services is not recommended because remote 646users may abuse these to cause a denial of network service to 647or from the local host. 648