1.\" $NetBSD: inetd.8,v 1.37 2002/01/19 03:14:33 wiz Exp $ 2.\" 3.\" Copyright (c) 1998 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 8.\" NASA Ames Research Center. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 3. All advertising materials mentioning features or use of this software 19.\" must display the following acknowledgement: 20.\" This product includes software developed by the NetBSD 21.\" Foundation, Inc. and its contributors. 22.\" 4. Neither the name of The NetBSD Foundation nor the names of its 23.\" contributors may be used to endorse or promote products derived 24.\" from this software without specific prior written permission. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36.\" POSSIBILITY OF SUCH DAMAGE. 37.\" 38.\" Copyright (c) 1985, 1991 The Regents of the University of California. 39.\" All rights reserved. 40.\" 41.\" Redistribution and use in source and binary forms, with or without 42.\" modification, are permitted provided that the following conditions 43.\" are met: 44.\" 1. Redistributions of source code must retain the above copyright 45.\" notice, this list of conditions and the following disclaimer. 46.\" 2. Redistributions in binary form must reproduce the above copyright 47.\" notice, this list of conditions and the following disclaimer in the 48.\" documentation and/or other materials provided with the distribution. 49.\" 3. All advertising materials mentioning features or use of this software 50.\" must display the following acknowledgement: 51.\" This product includes software developed by the University of 52.\" California, Berkeley and its contributors. 53.\" 4. Neither the name of the University nor the names of its contributors 54.\" may be used to endorse or promote products derived from this software 55.\" without specific prior written permission. 56.\" 57.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 58.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 59.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 60.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 61.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 62.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 63.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 64.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 65.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 66.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 67.\" SUCH DAMAGE. 68.\" 69.\" from: @(#)inetd.8 8.4 (Berkeley) 6/1/94 70.\" 71.Dd March 10, 2001 72.Dt INETD 8 73.Os 74.Sh NAME 75.Nm inetd , 76.Nm inetd.conf 77.Nd internet 78.Dq super-server 79.Sh SYNOPSIS 80.Nm 81.Op Fl d 82.Op Fl l 83.Op Ar configuration file 84.Sh DESCRIPTION 85.Nm 86should be run at boot time by 87.Pa /etc/rc 88(see 89.Xr rc 8 ) . 90It then listens for connections on certain internet sockets. 91When a connection is found on one of its sockets, it decides what 92service the socket corresponds to, and invokes a program to service 93the request. 94After the program is finished, it continues to listen on the socket 95(except in some cases which will be described below). 96Essentially, 97.Nm 98allows running one daemon to invoke several others, 99reducing load on the system. 100.Pp 101The options available for 102.\" Why doesn't just `.Nm :' work? 103.Nm "" : 104.Bl -tag -width Ds 105.It Fl d 106Turns on debugging. 107.El 108.Pp 109.Bl -tag -width Ds 110.It Fl l 111Turns on libwrap connection logging. 112.El 113.Pp 114Upon execution, 115.Nm 116reads its configuration information from a configuration 117file which, by default, is 118.Pa /etc/inetd.conf . 119The path given for this configuration file must be absolute, unless 120the 121.Fl d 122option is also given on the command line. 123There must be an entry for each field of the configuration 124file, with entries for each field separated by a tab or 125a space. 126Comments are denoted by a ``#'' at the beginning of a line. 127There must be an entry for each field (except for one 128special case, described below). 129The fields of the configuration file are as follows: 130.Pp 131.Bd -unfilled -offset indent -compact 132[addr:]service-name 133socket-type 134protocol[,sndbuf=size][,rcvbuf=size] 135wait/nowait[:max] 136user[:group] 137server-program 138server program arguments 139.Ed 140.Pp 141To specify an 142.Em Sun-RPC 143based service, the entry would contain these fields. 144.Pp 145.Bd -unfilled -offset indent -compact 146service-name/version 147socket-type 148rpc/protocol[,sndbuf=size][,rcvbuf=size] 149wait/nowait[:max] 150user[:group] 151server-program 152server program arguments 153.Ed 154.Pp 155For Internet services, the first field of the line may also have a host 156address specifier prefixed to it, separated from the service name by a colon. 157If this is done, the string before the colon in the first field 158indicates what local address 159.Nm 160should use when listening for that service, or the single character 161.Dq \&* 162to indicate 163.Dv INADDR_ANY , 164meaning 165.Sq all local addresses . 166To avoid repeating an address that occurs frequently, a line with a 167host address specifier and colon, but no further fields, causes the 168host address specifier to be remembered and used for all further lines 169with no explicit host specifier (until another such line or the end of 170the file). 171A line 172.Dl *: 173is implicitly provided at the top of the file; thus, traditional 174configuration files (which have no host address specifiers) will be 175interpreted in the traditional manner, with all services listened for 176on all local addresses. 177.Pp 178The 179.Em service-name 180entry is the name of a valid service in 181the file 182.Pa /etc/services . 183For 184.Dq internal 185services (discussed below), the service 186name 187.Em must 188be the official name of the service (that is, the first entry in 189.Pa /etc/services ) . 190When used to specify a 191.Em Sun-RPC 192based service, this field is a valid RPC service name in 193the file 194.Pa /etc/rpc . 195The part on the right of the 196.Dq / 197is the RPC version number. 198This can simply be a single numeric argument or a range of versions. 199A range is bounded by the low version to the high version \- 200.Dq rusers/1-3 . 201.Pp 202The 203.Em socket-type 204should be one of 205.Dq stream , 206.Dq dgram , 207.Dq raw , 208.Dq rdm , 209or 210.Dq seqpacket , 211depending on whether the socket is a stream, datagram, raw, 212reliably delivered message, or sequenced packet socket. 213.Pp 214The 215.Em protocol 216must be a valid protocol as given in 217.Pa /etc/protocols . 218Examples might be 219.Dq tcp 220and 221.Dq udp . 222Rpc based services are specified with the 223.Dq rpc/tcp 224or 225.Dq rpc/udp 226service type. 227.Dq tcp 228and 229.Dq udp 230will be recognized as 231.Dq TCP or UDP over default IP version . 232It is currently IPv4, but in the future it will be IPv6. 233If you need to specify IPv4 or IPv6 explicitly, use something like 234.Dq tcp4 235or 236.Dq udp6 . 237If you would like to enable special support for 238.Xr faithd 8 , 239prepend a keyword 240.Dq faith 241into 242.Em protocol , 243like 244.Dq faith/tcp6 . 245.Pp 246In addition to the protocol, the configuration file may specify the 247send and receive socket buffer sizes for the listening socket. 248This is especially useful for 249.Tn TCP 250as the window scale factor, which is based on the receive socket 251buffer size, is advertised when the connection handshake occurs, 252thus the socket buffer size for the server must be set on the listen socket. 253By increasing the socket buffer sizes, better 254.Tn TCP 255performance may be realized in some situations. 256The socket buffer sizes are specified by appending their values to 257the protocol specification as follows: 258.Bd -literal -offset indent 259tcp,rcvbuf=16384 260tcp,sndbuf=64k 261tcp,rcvbuf=64k,sndbuf=1m 262.Ed 263.Pp 264A literal value may be specified, or modified using 265.Sq k 266to indicate kilobytes or 267.Sq m 268to indicate megabytes. 269Socket buffer sizes may be specified for all 270services and protocols except for tcpmux services. 271.Pp 272The 273.Em wait/nowait 274entry is used to tell 275.Nm 276if it should wait for the server program to return, 277or continue processing connections on the socket. 278If a datagram server connects 279to its peer, freeing the socket so 280.Nm 281can receive further messages on the socket, it is said to be 282a 283.Dq multi-threaded 284server, and should use the 285.Dq nowait 286entry. 287For datagram servers which process all incoming datagrams 288on a socket and eventually time out, the server is said to be 289.Dq single-threaded 290and should use a 291.Dq wait 292entry. 293.Xr comsat 8 294.Pq Xr biff 1 295and 296.Xr talkd 8 297are both examples of the latter type of 298datagram server. 299.Xr tftpd 8 300is an exception; it is a datagram server that establishes pseudo-connections. 301It must be listed as 302.Dq wait 303in order to avoid a race; 304the server reads the first packet, creates a new socket, 305and then forks and exits to allow 306.Nm 307to check for new service requests to spawn new servers. 308The optional 309.Dq max 310suffix (separated from 311.Dq wait 312or 313.Dq nowait 314by a dot or a colon) specifies the maximum number of server instances that may 315be spawned from 316.Nm 317within an interval of 60 seconds. 318When omitted, 319.Dq max 320defaults to 40. 321.Pp 322Stream servers are usually marked as 323.Dq nowait 324but if a single server process is to handle multiple connections, it may be 325marked as 326.Dq wait . 327The master socket will then be passed as fd 0 to the server, which will then 328need to accept the incoming connection. 329The server should eventually time 330out and exit when no more connections are active. 331.Nm 332will continue to 333listen on the master socket for connections, so the server should not close 334it when it exits. 335.Xr identd 8 336is usually the only stream server marked as wait. 337.Pp 338The 339.Em user 340entry should contain the user name of the user as whom the server should run. 341This allows for servers to be given less permission than root. 342Optionally, a group can be specified by appending a colon to the user name, 343followed by the group name (it is possible to use a dot (``.'') in lieu of a 344colon, however this feature is provided only for backward compatibility). 345This allows for servers to run with a different (primary) group id than 346specified in the password file. 347If a group is specified and 348.Em user 349is not root, the supplementary groups associated with that user will still be 350set. 351.Pp 352The 353.Em server-program 354entry should contain the pathname of the program which is to be 355executed by 356.Nm 357when a request is found on its socket. 358If 359.Nm 360provides this service internally, this entry should 361be 362.Dq internal . 363.Pp 364The 365.Em server program arguments 366should be just as arguments 367normally are, starting with argv[0], which is the name of 368the program. 369If the service is provided internally, the 370word 371.Dq internal 372should take the place of this entry. 373.Ss Internal Services 374.Nm 375provides several 376.Qq trivial 377services internally by use of routines within itself. 378These services are 379.Qq echo , 380.Qq discard , 381.Qq chargen 382(character generator), 383.Qq daytime 384(human readable time), and 385.Qq time 386(machine readable time, 387in the form of the number of seconds since midnight, January 1, 1900 GMT). 388For details of these services, consult the appropriate 389.Tn RFC . 390.Pp 391TCP services without official port numbers can be handled with the 392RFC1078-based tcpmux internal service. 393TCPmux listens on port 1 for requests. 394When a connection is made from a foreign host, the service name 395requested is passed to TCPmux, which performs a lookup in the 396service name table provided by 397.Pa /etc/inetd.conf 398and returns the proper entry for the service. 399TCPmux returns a negative reply if the service doesn't exist, 400otherwise the invoked server is expected to return the positive 401reply if the service type in 402.Pa /etc/inetd.conf 403file has the prefix 404.Qq tcpmux/ . 405If the service type has the 406prefix 407.Qq tcpmux/+ , 408TCPmux will return the positive reply for the 409process; this is for compatibility with older server code, and also 410allows you to invoke programs that use stdin/stdout without putting any 411special server code in them. 412Services that use TCPmux are 413.Qq nowait 414because they do not have a well-known port nubmer and hence cannot listen 415for new requests. 416.Pp 417.Nm 418rereads its configuration file when it receives a hangup signal, 419.Dv SIGHUP . 420Services may be added, deleted or modified when the configuration file 421is reread. 422.Nm 423creates a file 424.Em /var/run/inetd.pid 425that contains its process identifier. 426.Ss libwrap 427Support for 428.Tn TCP 429wrappers is included with 430.Nm 431to provide internal tcpd-like access control functionality. 432An external tcpd program is not needed. 433You do not need to change the 434.Pa /etc/inetd.conf 435server-program entry to enable this capability. 436.Nm 437uses 438.Pa /etc/hosts.allow 439and 440.Pa /etc/hosts.deny 441for access control facility configurations, as described in 442.Xr hosts_access 5 . 443.Ss IPsec 444The implementation includes a tiny hack to support IPsec policy settings for 445each socket. 446A special form of the comment line, starting with 447.Dq Li "#@" , 448is used as a policy specifier. 449The content of the above comment line will be treated as a IPsec policy string, 450as described in 451.Xr ipsec_set_policy 3 . 452Multiple IPsec policy strings may be specified by using a semicolon 453as a separator. 454If conflicting policy strings are found in a single line, 455the last string will take effect. 456A 457.Li "#@" 458line affects all of the following lines in 459.Pa /etc/inetd.conf , 460so you may want to reset the IPsec policy by using a comment line containing 461only 462.Li "#@" 463.Pq with no policy string . 464.Pp 465If an invalid IPsec policy string appears in 466.Pa /etc/inetd.conf , 467.Nm 468logs an error message using 469.Xr syslog 3 470and terminates itself. 471.Ss IPv6 TCP/UDP behavior 472If you wish to run a server for IPv4 and IPv6 traffic, 473you'll need to run two separate process for the same server program, 474specified as two separate lines on 475.Pa /etc/inetd.conf , 476for 477.Dq tcp4 478and 479.Dq tcp6 . 480.Dq tcp 481means TCP on top of currently-default IP version, 482which is, at this moment, IPv4. 483.Pp 484Under various combination of IPv4/v6 daemon settings, 485.Nm 486will behave as follows: 487.Bl -bullet -compact 488.It 489If you have only one server on 490.Dq tcp4 , 491IPv4 traffic will be routed to the server. 492IPv6 traffic will not be accepted. 493.It 494If you have two servers on 495.Dq tcp4 496and 497.Dq tcp6 , 498IPv4 traffic will be routed to the server on 499.Dq tcp4 , 500and IPv6 traffic will go to server on 501.Dq tcp6 . 502.It 503If you have only one server on 504.Dq tcp6 , 505only IPv6 traffic will be routed to the server. 506The kernel may route to the server IPv4 traffic as well, 507under certain configuration. 508See 509.Xr ip6 4 510for details. 511.El 512.Sh FILES 513.Bl -tag -width /etc/hosts.allow -compact 514.It Pa /etc/inetd.conf 515configuration file for all 516.Nm 517provided services 518.It Pa /etc/services 519service name to protocol and port number mappings. 520.It Pa /etc/protocols 521protocol name to protocol number mappings 522.It Pa /etc/rpc 523.Tn Sun-RPC 524service name to service number mappings. 525.It Pa /etc/hosts.allow 526explicit remote host access list. 527.It Pa /etc/hosts.deny 528explicit remote host denial of service list. 529.El 530.Sh SEE ALSO 531.Xr hosts_access 5 , 532.Xr hosts_options 5 , 533.Xr protocols 5 , 534.Xr rpc 5 , 535.Xr services 5 , 536.Xr comsat 8 , 537.Xr fingerd 8 , 538.Xr ftpd 8 , 539.Xr rexecd 8 , 540.Xr rlogind 8 , 541.Xr rshd 8 , 542.Xr telnetd 8 , 543.Xr tftpd 8 544.Rs 545.%A J. Postel 546.%R RFC 547.%N 862 548.%D May 1983 549.%T "Echo Protocol" 550.Re 551.Rs 552.%A J. Postel 553.%R RFC 554.%N 863 555.%D May 1983 556.%T "Discard Protocol" 557.Re 558.Rs 559.%A J. Postel 560.%R RFC 561.%N 864 562.%D May 1983 563.%T "Character Generator Protocol" 564.Re 565.Rs 566.%A J. Postel 567.%R RFC 568.%N 867 569.%D May 1983 570.%T "Daytime Protocol" 571.Re 572.Rs 573.%A J. Postel 574.%A K. Harrenstien 575.%R RFC 576.%N 868 577.%D May 1983 578.%T "Time Protocol" 579.Re 580.Rs 581.%A M. Lottor 582.%R RFC 583.%N 1078 584.%D November 1988 585.%T "TCP port service Multiplexer (TCPMUX)" 586.Re 587.Sh HISTORY 588The 589.Nm 590command appeared in 591.Bx 4.3 . 592Support for 593.Em Sun-RPC 594based services is modeled after that 595provided by SunOS 4.1. 596Support for specifying the socket buffer sizes was added in 597.Nx 1.4 . 598In November 1996, libwrap support was added to provide 599internal tcpd-like access control functionality; 600libwrap is based on Wietse Venema's tcp_wrappers. 601IPv6 support and IPsec hack was made by KAME project, in 1999. 602.Sh BUGS 603Host address specifiers, while they make conceptual sense for RPC 604services, do not work entirely correctly. 605This is largely because the portmapper interface does not provide 606a way to register different ports for the same service on different 607local addresses. 608Provided you never have more than one entry for a given RPC service, 609everything should work correctly (Note that default host address 610specifiers do apply to RPC lines with no explicit specifier.) 611.Pp 612.Dq tcpmux 613on IPv6 is not tested enough. 614.Sh SECURITY CONSIDERATIONS 615Enabling the 616.Dq echo , 617.Dq discard , 618and 619.Dq chargen 620built-in trivial services is not recommended because remote 621users may abuse these to cause a denial of network service to 622or from the local host. 623