1 .\" Copyright (c) 1985, 1991, 1993, 1994
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. All advertising materials mentioning features or use of this software
13 .\" must display the following acknowledgement:
14 .\" This product includes software developed by the University of
15 .\" California, Berkeley and its contributors.
16 .\" 4. Neither the name of the University nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
20 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
50 .Op Fl a Ar address|hostname
53 .Op Ar configuration file
58 should be run at boot time by
62 It then listens for connections on certain
63 internet sockets. When a connection is found on one
64 of its sockets, it decides what service the socket
65 corresponds to, and invokes a program to service the request.
66 The server program is invoked with the service socket
67 as its standard input, output and error descriptors.
71 continues to listen on the socket (except in some cases which
72 will be described below). Essentially,
74 allows running one daemon to invoke several others,
75 reducing load on the system.
77 The following options are available:
78 .Bl -tag -width indent
82 Turn on logging of successful connections.
84 Turn on TCP Wrapping for external services.
86 .Sx "IMPLEMENTATION NOTES"
87 section for more information on TCP Wrappers support.
89 Turn on TCP Wrapping for internal services which are built in to
92 Specify the default maximum number of services that can be invoked.
93 May be overridden on a per-service basis with the "max-child"
96 Specify the default maximum number of times a service can be invoked
97 from a single IP address in one minute; the default is unlimited.
98 May be overridden on a per-service basis with the
99 "max-connections-per-ip-per-minute" parameter.
101 Specify the maximum number of times a service can be invoked
102 in one minute; the default is 256.
104 Specify a specific IP address to bind to.
105 Alternatively, a hostname can be specified,
106 in which case the IPv4 or IPv6 address
107 which corresponds to that hostname is used.
108 Usually a hostname is specified when
112 in which case the hostname corresponds to the
116 When hostname specification is used
117 and both IPv4 and IPv6 bindings are desired,
118 one entry with the appropriate
120 type for each binding
121 is required for each service in
122 .Pa /etc/inetd.conf .
124 a TCP-based service would need two entries,
131 See the explanation of the
136 Specify an alternate file in which to store the process ID.
141 reads its configuration information from a configuration
142 file which, by default, is
143 .Pa /etc/inetd.conf .
144 There must be an entry for each field of the configuration
145 file, with entries for each field separated by a tab or
146 a space. Comments are denoted by a
149 of a line. There must be an entry for each field. The
150 fields of the configuration file are as follows:
152 .Bd -unfilled -offset indent -compact
156 {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
157 user[:group][/login-class]
159 server program arguments
163 .No Tn "ONC RPC" Ns -based
164 service, the entry would contain these fields:
166 .Bd -unfilled -offset indent -compact
170 user[:group][/login-class]
172 server program arguments
175 There are two types of services that
177 can start: standard and TCPMUX.
178 A standard service has a well-known port assigned to it;
179 it may be a service that implements an official Internet standard or is a
180 BSD-specific service.
183 TCPMUX services are nonstandard services that do not have a
184 well-known port assigned to them.
185 They are invoked from
187 when a program connects to the
189 well-known port and specifies
191 This feature is useful for adding locally-developed servers.
192 TCPMUX requests are only accepted when the multiplexor service itself
193 is enabled, above and beyond and specific TCPMUX-based servers; see the
194 discussion of internal services below.
198 entry is the name of a valid service in
203 services (discussed below), the service
206 be the official name of the service (that is, the first entry in
207 .Pa /etc/services ) .
208 When used to specify an
209 .No Tn "ONC RPC" Ns -based
210 service, this field is a valid RPC service name in
213 The part on the right of the
215 is the RPC version number.
217 can simply be a single numeric argument or a range of versions.
218 A range is bounded by the low version to the high version -
220 For TCPMUX services, the value of the
222 field consists of the string
224 followed by a slash and the
225 locally-chosen service name.
226 The service names listed in
231 Try to choose unique names for your TCPMUX services by prefixing them with
232 your organization's name and suffixing them with a version number.
243 depending on whether the socket is a stream, datagram, raw,
244 reliably delivered message, or sequenced packet socket.
245 TCPMUX services must use
250 must be a valid protocol as given in
256 both of which imply IPv4 for backward compatibility.
271 specify that the entry accepts both IPv6 and IPv6 connections
275 If it is desired that the service is reachable via T/TCP, one should
278 which implies IPv4 for backward compatibility.
281 specifies IPv4 only, while
286 specify that the entry accepts both IPv6 and IPv6 connections
291 (for which only IPv4 is supported at this time)
292 are specified with the
297 TCPMUX services must use
306 entry specifies whether the server that is invoked by
309 the socket associated with the service access point, and thus whether
311 should wait for the server to exit before listening for new service
313 Datagram servers must use
315 as they are always invoked with the original datagram socket bound
316 to the specified service address.
317 These servers must read at least one datagram from the socket
319 If a datagram server connects
320 to its peer, freeing the socket so
322 can receive further messages on the socket, it is said to be
326 it should read one datagram from the socket and create a new socket
327 connected to the peer.
328 It should fork, and the parent should then exit
331 to check for new service requests to spawn new servers.
332 Datagram servers which process all incoming datagrams
333 on a socket and eventually time out are said to be
334 .Dq single-threaded .
339 are both examples of the latter type of
342 is an example of a multi-threaded datagram server.
344 Servers using stream sockets generally are multi-threaded and
348 Connection requests for these services are accepted by
350 and the server is given only the newly-accepted socket connected
351 to a client of the service.
352 Most stream-based services operate in this manner.
353 Stream-based servers that use
355 are started with the listening service socket, and must accept
356 at least one connection request before exiting.
357 Such a server would normally accept and process incoming connection
358 requests until a timeout.
359 TCPMUX services must use
362 The maximum number of outstanding child processes (or
366 service may be explicitly specified by appending a
368 followed by the number to the
372 (or if a value of zero is specified) there is no maximum.
374 once the maximum is reached, further connection attempts will be
375 queued up until an existing child process exits.
379 mode, although a value other than one (the
380 default) might not make sense in some cases.
381 You can also specify the maximum number of connections per minute
382 for a given IP address by appending
385 followed by the number to the maximum number of
386 outstanding child processes.
387 Once the maximum is reached, further
388 connections from this IP address will be dropped until the end of the
393 entry should contain the user name of the user as whom the server
394 should run. This allows for servers to be given less permission
400 allows to specify group name different
401 than default group for this user.
406 allows to specify login class different
413 entry should contain the pathname of the program which is to be
416 when a request is found on its socket. If
418 provides this service internally, this entry should
423 .Em server program arguments
424 should be just as arguments
425 normally are, starting with argv[0], which is the name of
426 the program. If the service is provided internally, the
428 of the service (and any arguments to it) or the word
430 should take the place of this entry.
432 Currently, the only internal service to take arguments is
434 Without options, the service will always return
435 .Dq ERROR\ : HIDDEN-USER .
436 The available arguments to this service that alter its behavior are:
437 .Bl -tag -width indent
439 If the real ident service is enabled, return this user for every
441 If the real ident service is disabled, then this flag, instead of
442 returning an error if getting the socket credentials or
443 looking up the user name fails, return a default
445 user name to the requesting ident client.
446 This is primarily useful when running this service on a NAT machine.
447 .It Fl t Ar sec[.usec]
448 Specify a timeout for the service.
449 The default timeout is 10.0 seconds.
453 service, as per RFC 1413.
454 All the remaining flags apply only in this case.
458 exists in the home directory of the identified user, report the username
459 found in that file instead of the real username.
461 Instead of returning the user's name to the ident requester, report a
462 username made up of random alphanumeric characters, e.g.
466 flag overrides not only the user names, but also any
474 exists in the home directory of the identified user, return
475 .Dq ERROR\ : HIDDEN-USER .
480 instead of the name of the system as reported by
487 also provides several other
489 services internally by use of
490 routines within itself. These services are
494 (character generator),
496 (human readable time), and
498 (machine readable time, in the form of the number of seconds since
499 midnight, January 1, 1900). All of these services are available in
500 both TCP and UDP versions; the UDP versions will refuse service if the
501 request specifies a reply port corresponding to any internal service.
502 (This is done as a defense against looping attacks; the remote IP address
504 For details of these services, consult the
509 The TCPMUX-demultiplexing service is also implemented as an internal service.
510 For any TCPMUX-based service to function, the following line must be included
513 .Bd -literal -offset indent
514 tcpmux stream tcp nowait root internal
521 will log an entry to syslog each time a connection is accepted, noting the
522 service selected and the IP-number of the remote requestor if available.
523 Unless otherwise specified in the configuration file,
524 and in the absence of the
537 rereads its configuration file when it receives a hangup signal,
539 Services may be added, deleted or modified when the configuration file
541 Except when started in debugging mode,
543 records its process ID in the file
544 .Pa /var/run/inetd.pid
545 to assist in reconfiguration.
546 .Sh IMPLEMENTATION NOTES
551 will wrap all services specified as
560 option is given, such
562 services will be wrapped.
563 If both options are given, wrapping for both
564 internal and external services will be enabled.
565 Either wrapping option
566 will cause failed connections to be logged to the
571 flag to the wrapping options will include successful connections in the
578 only wraps requests for a
580 service while no servers are available to service requests.
582 connection to such a service has been allowed, inetd has no control
583 over subsequent connections to the service until no more servers
584 are left listening for connection requests.
586 When wrapping is enabled, the
588 daemon is not required, as that functionality is builtin.
589 For more information on TCP Wrappers; see the relevant documentation (
592 When reading that document, keep in mind that
594 services have no associated daemon name.
595 Therefore, the service name
598 should be used as the daemon name for
603 describes the TCPMUX protocol:
604 ``A TCP client connects to a foreign host on TCP port 1. It sends the
605 service name followed by a carriage-return line-feed <CRLF>. The
606 service name is never case sensitive. The server replies with a
607 single character indicating positive (+) or negative (\-)
608 acknowledgment, immediately followed by an optional message of
609 explanation, terminated with a <CRLF>. If the reply was positive,
610 the selected protocol begins; otherwise the connection is closed.''
611 The program is passed the TCP connection as file descriptors 0 and 1.
613 If the TCPMUX service name begins with a
616 returns the positive reply for the program.
617 This allows you to invoke programs that use stdin/stdout
618 without putting any special server code in them.
620 The special service name
624 to list TCPMUX services in
627 The implementation includes a tiny hack
628 to support IPsec policy settings for each socket.
629 A special form of comment line, starting with
631 is interpreted as a policy specifier.
634 will be used as an IPsec policy string,
636 .Xr ipsec_set_policy 3 .
638 policy specifier is applied to all the following lines in
640 until the next policy specifier.
641 An empty policy specifer resets the IPsec policy.
643 If an invalid IPsec policy specifier appears in
646 will provide an error message via the
648 interface and abort execution.
650 .Bl -tag -width /var/run/inetd.pid -compact
651 .It Pa /etc/inetd.conf
654 translation of service names to RPC program numbers
656 translation of service names to port numbers
657 .It Pa /var/run/inetd.pid
658 the pid of the currently running
663 Here are several example service entries for the various types of services:
665 ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
666 ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
667 telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
668 shell stream tcp46 nowait root /usr/libexec/rshd rshd
669 tcpmux/+date stream tcp nowait guest /bin/date date
670 tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook
671 rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
673 chargen stream tcp nowait root internal
680 logs error messages using
682 Important error messages and their explanations are:
686 .Ar service Ns / Ns Ar protocol
687 .No " server failing (looping), service terminated."
689 The number of requests for the specified service in the past minute
691 The limit exists to prevent a broken program
692 or a malicious user from swamping the system.
693 This message may occur for several reasons:
694 .Bl -enum -offset indent
696 There are many hosts requesting the service within a short time period.
698 A broken client program is requesting the service too frequently.
700 A malicious user is running a program to invoke the service in
701 a denial-of-service attack.
703 The invoked service program has an error that causes clients
710 as described above, to change the rate limit.
711 Once the limit is reached, the service will be
712 reenabled automatically in 10 minutes.
715 .Ar service Ns / Ns Ar protocol :
721 .Ar service Ns / Ns Ar protocol :
734 (re)reads the configuration file.
735 The second message occurs when the
748 The user or group ID for the entry's
752 .It "setsockopt(SO_PRIVSTATE): Operation not supported"
755 program attempted to renounce the privileged state associated with a
756 socket but was unable to.
760 .Xr hosts_options 5 ,
761 .Xr ipsec_set_policy 3 ,
776 .%A Michael C. St. Johns
777 .%T Identification Protocol
785 TCPMUX is based on code and documentation by Mark Lottor.
788 based services is modeled after that
792 The IPsec hack was contributed by the KAME project in 1999.
795 TCP Wrappers support first appeared in