1.\" $NetBSD: inetd.8,v 1.57 2011/04/25 22:12:05 wiz Exp $ 2.\" 3.\" Copyright (c) 1998 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 8.\" NASA Ames Research Center. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.\" Copyright (c) 1985, 1991 The Regents of the University of California. 32.\" All rights reserved. 33.\" 34.\" Redistribution and use in source and binary forms, with or without 35.\" modification, are permitted provided that the following conditions 36.\" are met: 37.\" 1. Redistributions of source code must retain the above copyright 38.\" notice, this list of conditions and the following disclaimer. 39.\" 2. Redistributions in binary form must reproduce the above copyright 40.\" notice, this list of conditions and the following disclaimer in the 41.\" documentation and/or other materials provided with the distribution. 42.\" 3. Neither the name of the University nor the names of its contributors 43.\" may be used to endorse or promote products derived from this software 44.\" without specific prior written permission. 45.\" 46.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 47.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 48.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 49.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 50.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 51.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 52.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 53.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 54.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 55.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 56.\" SUCH DAMAGE. 57.\" 58.\" from: @(#)inetd.8 8.4 (Berkeley) 6/1/94 59.\" 60.Dd August 27, 2008 61.Dt INETD 8 62.Os 63.Sh NAME 64.Nm inetd , 65.Nm inetd.conf 66.Nd internet 67.Dq super-server 68.Sh SYNOPSIS 69.Nm 70.Op Fl d 71.Op Fl l 72.Op Ar configuration file 73.Sh DESCRIPTION 74.Nm 75should be run at boot time by 76.Pa /etc/rc 77(see 78.Xr rc 8 ) . 79It then opens sockets according to its configuration and listens 80for connections. 81When a connection is found on one of its sockets, it decides what 82service the socket corresponds to, and invokes a program to service 83the request. 84After the program is finished, it continues to listen on the socket 85(except in some cases which will be described below). 86Essentially, 87.Nm 88allows running one daemon to invoke several others, 89reducing load on the system. 90.Pp 91The options available for 92.Nm : 93.Bl -tag -width Ds 94.It Fl d 95Turns on debugging. 96.It Fl l 97Turns on libwrap connection logging. 98.El 99.Pp 100Upon execution, 101.Nm 102reads its configuration information from a configuration 103file which, by default, is 104.Pa /etc/inetd.conf . 105The path given for this configuration file must be absolute, unless 106the 107.Fl d 108option is also given on the command line. 109There must be an entry for each field of the configuration 110file, with entries for each field separated by a tab or 111a space. 112Comments are denoted by a ``#'' at the beginning of a line. 113There must be an entry for each field (except for one 114special case, described below). 115The fields of the configuration file are as follows: 116.Pp 117.Bd -unfilled -offset indent -compact 118[addr:]service-name 119socket-type[:accept_filter] 120protocol[,sndbuf=size][,rcvbuf=size] 121wait/nowait[:max] 122user[:group] 123server-program 124server program arguments 125.Ed 126.Pp 127To specify an 128.Em Sun-RPC 129based service, the entry would contain these fields: 130.Pp 131.Bd -unfilled -offset indent -compact 132service-name/version 133socket-type 134rpc/protocol[,sndbuf=size][,rcvbuf=size] 135wait/nowait[:max] 136user[:group] 137server-program 138server program arguments 139.Ed 140.Pp 141To specify a UNIX-domain (local) socket, the entry would contain 142these fields: 143.Pp 144.Bd -unfilled -offset indent -compact 145path 146socket-type 147unix[,sndbuf=size][,rcvbuf=size] 148wait/nowait[:max] 149user[:group] 150server-program 151server program arguments 152.Ed 153.Pp 154For Internet services, the first field of the line may also have a host 155address specifier prefixed to it, separated from the service name by a colon. 156If this is done, the string before the colon in the first field 157indicates what local address 158.Nm 159should use when listening for that service, or the single character 160.Dq \&* 161to indicate 162.Dv INADDR_ANY , 163meaning 164.Sq all local addresses . 165To avoid repeating an address that occurs frequently, a line with a 166host address specifier and colon, but no further fields, causes the 167host address specifier to be remembered and used for all further lines 168with no explicit host specifier (until another such line or the end of 169the file). 170A line 171.Dl *: 172is implicitly provided at the top of the file; thus, traditional 173configuration files (which have no host address specifiers) will be 174interpreted in the traditional manner, with all services listened for 175on all local addresses. 176.Pp 177The 178.Em service-name 179entry is the name of a valid service in 180the file 181.Pa /etc/services . 182For 183.Dq internal 184services (discussed below), the service 185name 186.Em must 187be the official name of the service (that is, the first entry in 188.Pa /etc/services ) . 189When used to specify a 190.Em Sun-RPC 191based service, this field is a valid RPC service name in 192the file 193.Pa /etc/rpc . 194The part on the right of the 195.Dq / 196is the RPC version number. 197This can simply be a single numeric argument or a range of versions. 198A range is bounded by the low version to the high version \- 199.Dq rusers/1-3 . 200.Pp 201The 202.Em socket-type 203should be one of 204.Dq stream , 205.Dq dgram , 206.Dq raw , 207.Dq rdm , 208or 209.Dq seqpacket , 210depending on whether the socket is a stream, datagram, raw, 211reliably delivered message, or sequenced packet socket. 212.Pp 213Optionally, an 214.Xr accept_filter 9 215can be specified by appending a colon to the socket-type, followed by 216the name of the desired accept filter. 217In this case 218.Nm 219will not see new connections for the specified service until the accept 220filter decides they are ready to be handled. 221.Pp 222The 223.Em protocol 224must be a valid protocol as given in 225.Pa /etc/protocols 226or the string 227.Dq unix . 228Examples might be 229.Dq tcp 230and 231.Dq udp . 232Rpc based services are specified with the 233.Dq rpc/tcp 234or 235.Dq rpc/udp 236service type. 237.Dq tcp 238and 239.Dq udp 240will be recognized as 241.Dq TCP or UDP over default IP version . 242It is currently IPv4, but in the future it will be IPv6. 243If you need to specify IPv4 or IPv6 explicitly, use something like 244.Dq tcp4 245or 246.Dq udp6 . 247If you would like to enable special support for 248.Xr faithd 8 , 249prepend a keyword 250.Dq faith 251into 252.Em protocol , 253like 254.Dq faith/tcp6 . 255.Pp 256In addition to the protocol, the configuration file may specify the 257send and receive socket buffer sizes for the listening socket. 258This is especially useful for 259.Tn TCP 260as the window scale factor, which is based on the receive socket 261buffer size, is advertised when the connection handshake occurs, 262thus the socket buffer size for the server must be set on the listen socket. 263By increasing the socket buffer sizes, better 264.Tn TCP 265performance may be realized in some situations. 266The socket buffer sizes are specified by appending their values to 267the protocol specification as follows: 268.Bd -literal -offset indent 269tcp,rcvbuf=16384 270tcp,sndbuf=64k 271tcp,rcvbuf=64k,sndbuf=1m 272.Ed 273.Pp 274A literal value may be specified, or modified using 275.Sq k 276to indicate kilobytes or 277.Sq m 278to indicate megabytes. 279Socket buffer sizes may be specified for all 280services and protocols except for tcpmux services. 281.Pp 282The 283.Em wait/nowait 284entry is used to tell 285.Nm 286if it should wait for the server program to return, 287or continue processing connections on the socket. 288If a datagram server connects 289to its peer, freeing the socket so 290.Nm 291can receive further messages on the socket, it is said to be 292a 293.Dq multi-threaded 294server, and should use the 295.Dq nowait 296entry. 297For datagram servers which process all incoming datagrams 298on a socket and eventually time out, the server is said to be 299.Dq single-threaded 300and should use a 301.Dq wait 302entry. 303.Xr comsat 8 304.Pq Xr biff 1 305and 306.Xr ntalkd 8 307are both examples of the latter type of 308datagram server. 309.Xr tftpd 8 310is an exception; it is a datagram server that establishes pseudo-connections. 311It must be listed as 312.Dq wait 313in order to avoid a race; 314the server reads the first packet, creates a new socket, 315and then forks and exits to allow 316.Nm 317to check for new service requests to spawn new servers. 318The optional 319.Dq max 320suffix (separated from 321.Dq wait 322or 323.Dq nowait 324by a dot or a colon) specifies the maximum number of server instances that may 325be spawned from 326.Nm 327within an interval of 60 seconds. 328When omitted, 329.Dq max 330defaults to 40. 331If it reaches this maximum spawn rate, 332.Nm 333will log the problem (via the syslogger using the 334.Dv LOG_DAEMON 335facility and 336.Dv LOG_ERR 337level) 338and stop handling the specific service for ten minutes. 339.Pp 340Stream servers are usually marked as 341.Dq nowait 342but if a single server process is to handle multiple connections, it may be 343marked as 344.Dq wait . 345The master socket will then be passed as fd 0 to the server, which will then 346need to accept the incoming connection. 347The server should eventually time 348out and exit when no more connections are active. 349.Nm 350will continue to 351listen on the master socket for connections, so the server should not close 352it when it exits. 353.Xr identd 8 354is usually the only stream server marked as wait. 355.Pp 356The 357.Em user 358entry should contain the user name of the user as whom the server should run. 359This allows for servers to be given less permission than root. 360Optionally, a group can be specified by appending a colon to the user name, 361followed by the group name (it is possible to use a dot (``.'') in lieu of a 362colon, however this feature is provided only for backward compatibility). 363This allows for servers to run with a different (primary) group id than 364specified in the password file. 365If a group is specified and 366.Em user 367is not root, the supplementary groups associated with that user will still be 368set. 369.Pp 370The 371.Em server-program 372entry should contain the pathname of the program which is to be 373executed by 374.Nm 375when a request is found on its socket. 376If 377.Nm 378provides this service internally, this entry should 379be 380.Dq internal . 381.Pp 382The 383.Em server program arguments 384should be just as arguments 385normally are, starting with argv[0], which is the name of 386the program. 387If the service is provided internally, the 388word 389.Dq internal 390should take the place of this entry. 391It is possible to quote an argument using either single or double quotes. 392This allows you to have, e.g., spaces in paths and parameters. 393.Ss Internal Services 394.Nm 395provides several 396.Qq trivial 397services internally by use of routines within itself. 398These services are 399.Qq echo , 400.Qq discard , 401.Qq chargen 402(character generator), 403.Qq daytime 404(human readable time), and 405.Qq time 406(machine readable time, 407in the form of the number of seconds since midnight, January 1, 1900 GMT). 408For details of these services, consult the appropriate 409.Tn RFC . 410.Pp 411TCP services without official port numbers can be handled with the 412RFC1078-based tcpmux internal service. 413TCPmux listens on port 1 for requests. 414When a connection is made from a foreign host, the service name 415requested is passed to TCPmux, which performs a lookup in the 416service name table provided by 417.Pa /etc/inetd.conf 418and returns the proper entry for the service. 419TCPmux returns a negative reply if the service doesn't exist, 420otherwise the invoked server is expected to return the positive 421reply if the service type in 422.Pa /etc/inetd.conf 423file has the prefix 424.Qq tcpmux/ . 425If the service type has the 426prefix 427.Qq tcpmux/+ , 428TCPmux will return the positive reply for the 429process; this is for compatibility with older server code, and also 430allows you to invoke programs that use stdin/stdout without putting any 431special server code in them. 432Services that use TCPmux are 433.Qq nowait 434because they do not have a well-known port number and hence cannot listen 435for new requests. 436.Pp 437.Nm 438rereads its configuration file when it receives a hangup signal, 439.Dv SIGHUP . 440Services may be added, deleted or modified when the configuration file 441is reread. 442.Nm 443creates a file 444.Em /var/run/inetd.pid 445that contains its process identifier. 446.Ss libwrap 447Support for 448.Tn TCP 449wrappers is included with 450.Nm 451to provide internal tcpd-like access control functionality. 452An external tcpd program is not needed. 453You do not need to change the 454.Pa /etc/inetd.conf 455server-program entry to enable this capability. 456.Nm 457uses 458.Pa /etc/hosts.allow 459and 460.Pa /etc/hosts.deny 461for access control facility configurations, as described in 462.Xr hosts_access 5 . 463.Pp 464.Em Nota Bene : 465.Tn TCP 466wrappers do not affect/restrict 467.Tn UDP 468or internal services. 469.Ss IPsec 470The implementation includes a tiny hack to support IPsec policy settings for 471each socket. 472A special form of the comment line, starting with 473.Dq Li "#@" , 474is used as a policy specifier. 475The content of the above comment line will be treated as a IPsec policy string, 476as described in 477.Xr ipsec_set_policy 3 . 478Multiple IPsec policy strings may be specified by using a semicolon 479as a separator. 480If conflicting policy strings are found in a single line, 481the last string will take effect. 482A 483.Li "#@" 484line affects all of the following lines in 485.Pa /etc/inetd.conf , 486so you may want to reset the IPsec policy by using a comment line containing 487only 488.Li "#@" 489.Pq with no policy string . 490.Pp 491If an invalid IPsec policy string appears in 492.Pa /etc/inetd.conf , 493.Nm 494logs an error message using 495.Xr syslog 3 496and terminates itself. 497.Ss IPv6 TCP/UDP behavior 498If you wish to run a server for both IPv4 and IPv6 traffic, 499you will need to run two separate processes for the same server program, 500specified as two separate lines in 501.Pa /etc/inetd.conf 502using 503.Dq tcp4 504and 505.Dq tcp6 506respectively. 507Plain 508.Dq tcp 509means TCP on top of the current default IP version, 510which is, at this moment, IPv4. 511.Pp 512Under various combination of IPv4/v6 daemon settings, 513.Nm 514will behave as follows: 515.Bl -bullet -compact 516.It 517If you have only one server on 518.Dq tcp4 , 519IPv4 traffic will be routed to the server. 520IPv6 traffic will not be accepted. 521.It 522If you have two servers on 523.Dq tcp4 524and 525.Dq tcp6 , 526IPv4 traffic will be routed to the server on 527.Dq tcp4 , 528and IPv6 traffic will go to server on 529.Dq tcp6 . 530.It 531If you have only one server on 532.Dq tcp6 , 533only IPv6 traffic will be routed to the server. 534The kernel may route to the server IPv4 traffic as well, 535under certain configuration. 536See 537.Xr ip6 4 538for details. 539.El 540.Sh FILES 541.Bl -tag -width /etc/hosts.allow -compact 542.It Pa /etc/inetd.conf 543configuration file for all 544.Nm 545provided services 546.It Pa /etc/services 547service name to protocol and port number mappings. 548.It Pa /etc/protocols 549protocol name to protocol number mappings 550.It Pa /etc/rpc 551.Tn Sun-RPC 552service name to service number mappings. 553.It Pa /etc/hosts.allow 554explicit remote host access list. 555.It Pa /etc/hosts.deny 556explicit remote host denial of service list. 557.El 558.Sh SEE ALSO 559.Xr hosts_access 5 , 560.Xr hosts_options 5 , 561.Xr protocols 5 , 562.Xr rpc 5 , 563.Xr services 5 , 564.Xr comsat 8 , 565.Xr fingerd 8 , 566.Xr ftpd 8 , 567.Xr rexecd 8 , 568.Xr rlogind 8 , 569.Xr rshd 8 , 570.Xr telnetd 8 , 571.Xr tftpd 8 572.Rs 573.%A J. Postel 574.%R RFC 575.%N 862 576.%D May 1983 577.%T "Echo Protocol" 578.Re 579.Rs 580.%A J. Postel 581.%R RFC 582.%N 863 583.%D May 1983 584.%T "Discard Protocol" 585.Re 586.Rs 587.%A J. Postel 588.%R RFC 589.%N 864 590.%D May 1983 591.%T "Character Generator Protocol" 592.Re 593.Rs 594.%A J. Postel 595.%R RFC 596.%N 867 597.%D May 1983 598.%T "Daytime Protocol" 599.Re 600.Rs 601.%A J. Postel 602.%A K. Harrenstien 603.%R RFC 604.%N 868 605.%D May 1983 606.%T "Time Protocol" 607.Re 608.Rs 609.%A M. Lottor 610.%R RFC 611.%N 1078 612.%D November 1988 613.%T "TCP port service Multiplexer (TCPMUX)" 614.Re 615.Sh HISTORY 616The 617.Nm 618command appeared in 619.Bx 4.3 . 620Support for 621.Em Sun-RPC 622based services is modeled after that 623provided by SunOS 4.1. 624Support for specifying the socket buffer sizes was added in 625.Nx 1.4 . 626In November 1996, libwrap support was added to provide 627internal tcpd-like access control functionality; 628libwrap is based on Wietse Venema's tcp_wrappers. 629IPv6 support and IPsec hack was made by KAME project, in 1999. 630.Sh BUGS 631Host address specifiers, while they make conceptual sense for RPC 632services, do not work entirely correctly. 633This is largely because the portmapper interface does not provide 634a way to register different ports for the same service on different 635local addresses. 636Provided you never have more than one entry for a given RPC service, 637everything should work correctly (Note that default host address 638specifiers do apply to RPC lines with no explicit specifier.) 639.Pp 640.Dq tcpmux 641on IPv6 is not tested enough. 642.Sh SECURITY CONSIDERATIONS 643Enabling the 644.Dq echo , 645.Dq discard , 646and 647.Dq chargen 648built-in trivial services is not recommended because remote 649users may abuse these to cause a denial of network service to 650or from the local host. 651