1 .\" Copyright (c) 1985, 1991, 1993, 1994
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 4. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
46 .Op Fl a Ar address | hostname
50 .Op Ar configuration file
54 utility should be run at boot time by
58 It then listens for connections on certain
60 When a connection is found on one
61 of its sockets, it decides what service the socket
62 corresponds to, and invokes a program to service the request.
63 The server program is invoked with the service socket
64 as its standard input, output and error descriptors.
68 continues to listen on the socket (except in some cases which
69 will be described below).
72 allows running one daemon to invoke several others,
73 reducing load on the system.
75 The following options are available:
76 .Bl -tag -width indent
80 Turn on logging of successful connections.
82 Turn on TCP Wrapping for external services.
84 .Sx "IMPLEMENTATION NOTES"
85 section for more information on TCP Wrappers support.
87 Turn on TCP Wrapping for internal services which are built in to
90 Specify the default maximum number of
91 simultaneous invocations of each service;
92 the default is unlimited.
93 May be overridden on a per-service basis with the "max-child"
96 Specify the default maximum number of times a service can be invoked
97 from a single IP address in one minute; the default is unlimited.
98 May be overridden on a per-service basis with the
99 "max-connections-per-ip-per-minute" parameter.
101 Specify the maximum number of times a service can be invoked
102 in one minute; the default is 256.
103 A rate of 0 allows an unlimited number of invocations.
105 Specify the default maximum number of
106 simultaneous invocations of each service from a single IP address;
107 the default is unlimited.
108 May be overridden on a per-service basis with the "max-child-per-ip"
111 Specify one specific IP address to bind to.
112 Alternatively, a hostname can be specified,
113 in which case the IPv4 or IPv6 address
114 which corresponds to that hostname is used.
115 Usually a hostname is specified when
119 in which case the hostname corresponds to that of the
123 When the hostname specification is used
124 and both IPv4 and IPv6 bindings are desired,
125 one entry with the appropriate
127 type for each binding
128 is required for each service in
129 .Pa /etc/inetd.conf .
131 a TCP-based service would need two entries,
138 See the explanation of the
143 Specify an alternate file in which to store the process ID.
148 reads its configuration information from a configuration
149 file which, by default, is
150 .Pa /etc/inetd.conf .
151 There must be an entry for each field of the configuration
152 file, with entries for each field separated by a tab or
154 Comments are denoted by a
158 There must be an entry for each field.
160 fields of the configuration file are as follows:
162 .Bd -unfilled -offset indent -compact
166 {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
167 user[:group][/login-class]
169 server-program-arguments
173 .Tn "ONC RPC" Ns -based
174 service, the entry would contain these fields:
176 .Bd -unfilled -offset indent -compact
180 user[:group][/login-class]
182 server-program-arguments
185 There are two types of services that
187 can start: standard and TCPMUX.
188 A standard service has a well-known port assigned to it;
189 it may be a service that implements an official Internet standard or is a
194 TCPMUX services are nonstandard services that do not have a
195 well-known port assigned to them.
196 They are invoked from
198 when a program connects to the
200 well-known port and specifies
202 This feature is useful for adding locally-developed servers.
203 TCPMUX requests are only accepted when the multiplexor service itself
204 is enabled, above and beyond and specific TCPMUX-based servers; see the
205 discussion of internal services below.
209 entry is the name of a valid service in
212 or the specification of a
214 domain socket (see below).
217 services (discussed below), the service
220 be the official name of the service (that is, the first entry in
221 .Pa /etc/services ) .
222 When used to specify an
223 .Tn "ONC RPC" Ns -based
224 service, this field is a valid RPC service name listed in
227 The part on the right of the
229 is the RPC version number.
231 can simply be a single numeric argument or a range of versions.
232 A range is bounded by the low version to the high version -
234 For TCPMUX services, the value of the
236 field consists of the string
238 followed by a slash and the
239 locally-chosen service name.
240 The service names listed in
245 Try to choose unique names for your TCPMUX services by prefixing them with
246 your organization's name and suffixing them with a version number.
257 depending on whether the socket is a stream, datagram, raw,
258 reliably delivered message, or sequenced packet socket.
259 TCPMUX services must use
264 must be a valid protocol or
270 both of which imply IPv4 for backward compatibility.
285 specify that the entry accepts both IPv4 and IPv6 connections
289 If it is desired that the service is reachable via T/TCP, one should
292 which implies IPv4 for backward compatibility.
295 specifies IPv4 only, while
300 specifies that the entry accepts both IPv6 and IPv6 connections
305 are specified with the
310 One can use specify IPv4 and/or IPv6 with the 4, 6 or 46 suffix, for example
314 TCPMUX services must use
323 entry specifies whether the server that is invoked by
326 the socket associated with the service access point, and thus whether
328 should wait for the server to exit before listening for new service
330 Datagram servers must use
332 as they are always invoked with the original datagram socket bound
333 to the specified service address.
334 These servers must read at least one datagram from the socket
336 If a datagram server connects
337 to its peer, freeing the socket so
339 can receive further messages on the socket, it is said to be
343 it should read one datagram from the socket and create a new socket
344 connected to the peer.
345 It should fork, and the parent should then exit
348 to check for new service requests to spawn new servers.
349 Datagram servers which process all incoming datagrams
350 on a socket and eventually time out are said to be
351 .Dq single-threaded .
356 utilities are examples of the latter type of
360 utility is an example of a multi-threaded datagram server.
362 Servers using stream sockets generally are multi-threaded and
366 Connection requests for these services are accepted by
368 and the server is given only the newly-accepted socket connected
369 to a client of the service.
370 Most stream-based services operate in this manner.
371 Stream-based servers that use
373 are started with the listening service socket, and must accept
374 at least one connection request before exiting.
375 Such a server would normally accept and process incoming connection
376 requests until a timeout.
377 TCPMUX services must use
380 The maximum number of outstanding child processes (or
384 service may be explicitly specified by appending a
386 followed by the number to the
390 (or if a value of zero is specified) there is no maximum.
392 once the maximum is reached, further connection attempts will be
393 queued up until an existing child process exits.
397 mode, although a value other than one (the
398 default) might not make sense in some cases.
399 You can also specify the maximum number of connections per minute
400 for a given IP address by appending
403 followed by the number to the maximum number of
404 outstanding child processes.
405 Once the maximum is reached, further
406 connections from this IP address will be dropped until the end of the
408 In addition, you can specify the maximum number of simultaneous
409 invocations of each service from a single IP address by appending a
411 followed by the number to the maximum number of outstanding child
413 Once the maximum is reached, further connections from this
414 IP address will be dropped.
418 entry should contain the user name of the user as whom the server
420 This allows for servers to be given less permission
426 allows a group name other
427 than the default group for this user to be specified.
432 allows specification of a login class other
439 entry should contain the pathname of the program which is to be
442 when a request is found on its socket.
445 provides this service internally, this entry should
450 .Em server-program-arguments
451 entry lists the arguments to be passed to the
453 starting with argv[0], which usually is the name of
455 If the service is provided internally, the
457 of the service (and any arguments to it) or the word
459 should take the place of this entry.
461 Currently, the only internal service to take arguments is
463 Without options, the service will always return
464 .Dq ERROR\ : HIDDEN-USER .
465 The available arguments to this service that alter its behavior are:
466 .Bl -tag -width indent
476 option discussed below),
477 return this username instead of an error
479 for either socket credentials or the username.
483 return this username for every request.
484 This is primarily useful when running this service on a NAT machine.
487 the user's name to the ident requester,
489 username made up of random alphanumeric characters,
494 flag overrides not only the user names,
495 but also any fallback name,
501 .Ar sec Ns Op . Ns Ar usec
503 Specify a timeout for the service.
504 The default timeout is 10.0 seconds.
508 service, as per RFC 1413.
509 All the remaining flags apply only in this case.
511 Return numeric user IDs instead of usernames.
515 exists in the home directory of the identified user, report the username
516 found in that file instead of the real username.
517 If the username found in
519 is that of an existing user,
520 then the real username is reported.
523 flag is also given then the username in
525 is checked against existing user IDs instead.
529 but without the restriction that the username in
531 must not match an existing user.
535 exists in the home directory of the identified user, return
536 .Dq ERROR\ : HIDDEN-USER .
539 file which might exist.
543 instead of the name of the system as reported by
549 utility also provides several other
551 services internally by use of
552 routines within itself.
557 (character generator),
559 (human readable time), and
561 (machine readable time, in the form of the number of seconds since
562 midnight, January 1, 1900).
563 All of these services are available in
564 both TCP and UDP versions; the UDP versions will refuse service if the
565 request specifies a reply port corresponding to any internal service.
566 (This is done as a defense against looping attacks; the remote IP address
568 For details of these services, consult the
573 The TCPMUX-demultiplexing service is also implemented as an internal service.
574 For any TCPMUX-based service to function, the following line must be included
577 .Bd -literal -offset indent
578 tcpmux stream tcp nowait root internal
585 will log an entry to syslog each time a connection is accepted, noting the
586 service selected and the IP-number of the remote requester if available.
587 Unless otherwise specified in the configuration file,
588 and in the absence of the
600 utility rereads its configuration file when it receives a hangup signal,
602 Services may be added, deleted or modified when the configuration file
604 Except when started in debugging mode,
605 or configured otherwise with the
609 records its process ID in the file
610 .Pa /var/run/inetd.pid
611 to assist in reconfiguration.
612 .Sh IMPLEMENTATION NOTES
618 will wrap all services specified as
627 option is given, such
629 services will be wrapped.
630 If both options are given, wrapping for both
631 internal and external services will be enabled.
632 Either wrapping option
633 will cause failed connections to be logged to the
638 flag to the wrapping options will include successful connections in the
645 only wraps requests for a
647 service while no servers are available to service requests.
649 connection to such a service has been allowed,
652 over subsequent connections to the service until no more servers
653 are left listening for connection requests.
655 When wrapping is enabled, the
657 daemon is not required, as that functionality is builtin.
658 For more information on TCP Wrappers, see the relevant documentation
659 .Pq Xr hosts_access 5 .
660 When reading that document, keep in mind that
662 services have no associated daemon name.
663 Therefore, the service name
666 should be used as the daemon name for
671 describes the TCPMUX protocol:
672 ``A TCP client connects to a foreign host on TCP port 1.
674 service name followed by a carriage-return line-feed <CRLF>.
676 service name is never case sensitive.
677 The server replies with a
678 single character indicating positive (+) or negative (\-)
679 acknowledgment, immediately followed by an optional message of
680 explanation, terminated with a <CRLF>.
681 If the reply was positive,
682 the selected protocol begins; otherwise the connection is closed.''
683 The program is passed the TCP connection as file descriptors 0 and 1.
685 If the TCPMUX service name begins with a
688 returns the positive reply for the program.
689 This allows you to invoke programs that use stdin/stdout
690 without putting any special server code in them.
692 The special service name
696 to list the TCPMUX services which are enabled in
699 The implementation includes a tiny hack
700 to support IPsec policy settings for each socket.
701 A special form of comment line, starting with
703 is interpreted as a policy specifier.
706 will be used as an IPsec policy string,
708 .Xr ipsec_set_policy 3 .
710 policy specifier is applied to all the following lines in
712 until the next policy specifier.
713 An empty policy specifier resets the IPsec policy.
715 If an invalid IPsec policy specifier appears in
718 will provide an error message via the
720 interface and abort execution.
721 .Ss Ux Domain Sockets
722 In addition to running services on IP sockets,
727 To do this you specify a
741 The specification of the socket must be
742 an absolute path name,
743 optionally prefixed by an owner and mode
745 .Em :user:group:mode: .
748 .Dl ":news:daemon:220:/var/run/sock"
750 creates a socket owned
755 with permissions allowing only that user and group to connect.
756 The default owner is the user that
759 The default mode only allows the socket's owner to connect.
766 must change the ownership and permissions on the socket.
767 This can only be done securely if
768 the directory in which the socket is created
769 is writable only by root.
774 to create sockets in world writable directories
779 or a similar directory instead.
781 Internal services may be run on
783 domain sockets, in the usual way.
785 the name of the internal service
787 the last component of the socket's pathname.
788 For example, specifying a socket named
792 service when a connection is received on that socket.
794 .Bl -tag -width /var/run/inetd.pid -compact
795 .It Pa /etc/inetd.conf
797 .It Pa /etc/netconfig
798 network configuration data base
800 translation of service names to RPC program numbers
802 translation of service names to port numbers
803 .It Pa /var/run/inetd.pid
804 the pid of the currently running
808 Here are several example service entries for the various types of services:
810 ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
811 ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
812 telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
813 shell stream tcp46 nowait root /usr/libexec/rshd rshd
814 tcpmux/+date stream tcp nowait guest /bin/date date
815 tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook
816 rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
817 /var/run/echo stream unix nowait root internal
819 chargen stream tcp nowait root internal
826 logs error messages using
828 Important error messages and their explanations are:
832 .Ar service Ns / Ns Ar protocol
833 .No "server failing (looping), service terminated."
835 The number of requests for the specified service in the past minute
837 The limit exists to prevent a broken program
838 or a malicious user from swamping the system.
839 This message may occur for several reasons:
840 .Bl -enum -offset indent
842 There are many hosts requesting the service within a short time period.
844 A broken client program is requesting the service too frequently.
846 A malicious user is running a program to invoke the service in
847 a denial-of-service attack.
849 The invoked service program has an error that causes clients
856 as described above, to change the rate limit.
857 Once the limit is reached, the service will be
858 reenabled automatically in 10 minutes.
861 .Ar service Ns / Ns Ar protocol :
867 .Ar service Ns / Ns Ar protocol :
880 (re)reads the configuration file.
881 The second message occurs when the
894 The user or group ID for the entry's
898 .It "setsockopt(SO_PRIVSTATE): Operation not supported"
901 utility attempted to renounce the privileged state associated with a
902 socket but was unable to.
909 No entry was found for either
922 No entry was found for either
931 .Xr ipsec_set_policy 3 ,
933 .Xr hosts_options 5 ,
949 .%A Michael C. St. Johns
950 .%T Identification Protocol
958 TCPMUX is based on code and documentation by Mark Lottor.
961 based services is modeled after that
965 The IPsec hack was contributed by the KAME project in 1999.
968 TCP Wrappers support first appeared in