Next: The tcpd access control Up: Various Network Applications Previous: Various Network Applications
Frequently, services are performed by so-called daemons. A daemon is a program that opens a certain port, and waits for incoming connections. If one occurs, it creates a child process which accepts the connection, while the parent continues to listen for further requests. This concept has the drawback that for every service offered, a daemon has to run that listens on the port for a connection to occur, which generally means a waste of system resources like swap space.
Thus, almost all installations run a ``super-server'' that creates sockets for a number of services, and listens on all of them simultaneously using the select(2) system call. When a remote host requests one of the services, the super-server notices this and spawns the server specified for this port.
The super-server commonly used is inetd, the Internet Daemon. It is started at system boot time, and takes the list of services it is to manage from a startup file named /etc/inetd.conf. In addition to those servers invoked, there are a number of trivial services which are performed by inetd itself called internal services. They include chargen which simply generates a string of characters, and daytime which returns the system's idea of the time of day.
An entry in this file consists of a single line made up of the following fields:
service type protocol wait user server cmdline
The meaning of each field is as follows:
- service
- gives the service name. The service name has to be translated to a port number by looking it up in the /etc/services file. This file will be described in section 10.3 below.
- type
- specifies a socket type, either stream (for connection- oriented protocols) or dgram (for datagram protocols). TCP- based services should therefore always use stream, while UDP- based services should always use dgram.
- protocol
- names the transport protocol used by the service. This must be a valid protocol name found in the protocols file, also explained below.
- wait
- This option applies only to dgram sockets. It may be either wait or nowait. If wait is specified, inetd will only execute one server for the specified port at any time. Otherwise, it will immediately continue to listen on the port after execut- ing the server. This is useful for ``single-threaded'' servers that read all incoming datagrams until no more arrive, and then exit. Most RPC servers are of this type and should therefore specify wait. The opposite type, ``multi-threaded'' servers, allow an unlimited number of instances to run concurrently; this is only rarely used. These servers should specify nowait. stream sockets should always use nowait.
- user
- This is the login id of the user the process is executed under. This will frequently be the root user, but some ser- vices may use different accounts. It is a very good idea to apply the principle of least privilege here, which states that you shouldn't run a command under a privileged account if the program doesn't require this for proper functioning. For example, the NNTP news server will run as news, while services that may pose a security risk (such as tftp or finger) are often run as nobody.
- server
- gives the full path name of the server program to be executed. Internal services are marked by the keyword internal.
- cmdline
- This is the command line to be passed to the server. This includes argument 0, that is the command name. Usually, this will be the program name of the server, unless the program behaves differently when invoked by a different name. This field is empty for internal services.
Figure: A sample /etc/inetd.conf file
#
# inetd services
ftp stream tcp nowait root /usr/sbin/ftpd in.ftpd -l
telnet stream tcp nowait root /usr/sbin/telnetd in.telnetd -b/etc/issue
#finger stream tcp nowait bin /usr/sbin/fingerd in.fingerd
#tftp dgram udp wait nobody /usr/sbin/tftpd in.tftpd
#tftp dgram udp wait nobody /usr/sbin/tftpd in.tftpd /boot/diskless
login stream tcp nowait root /usr/sbin/rlogind in.rlogind
shell stream tcp nowait root /usr/sbin/rshd in.rshd
exec stream tcp nowait root /usr/sbin/rexecd in.rexecd
#
# inetd internal services
#
daytime stream tcp nowait root internal
daytime dgram udp nowait root internal
time stream tcp nowait root internal
time dgram udp nowait root internal
echo stream tcp nowait root internal
echo dgram udp nowait root internal
discard stream tcp nowait root internal
discard dgram udp nowait root internal
chargen stream tcp nowait root internal
chargen dgram udp nowait root internal
The finger service is commented out, so that it is not available. This is often done for security reasons, because may be used by attackers to obtain names of users on your system.
The tftp is shown commented out as well. tftp implements the Primitive File Transfer Protocol that allows to transfer any world-readable files from your system without password checking etc. This is especially harmful with the /etc/passwd file, even more so when you don't use shadow password.
TFTP is commonly used by diskless clients and X-terminals to download their code from a boot server. If you need to run tftpd for this reason, make sure to limit its scope to those directories clients will retrieve files from by adding those directory names to tftpd's command line. This is shown in the second tftp line in the example.
Next: The tcpd access control Up: Various Network Applications Previous: Various Network Applications
Andrew Anderson
Thu Mar 7 23:22:06 EST 1996