[apple/network_cmds.git] / inetd.tproj / inetd.8

.\" Copyright (c) 1985, 1991, 1993, 1994
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)inetd.8	8.4 (Berkeley) 6/1/94
.\"
.Dd June 1, 1994
.Dt INETD 8
.Os BSD 4.4
.Sh NAME
.Nm inetd
.Nd internet
.Dq super-server
.Sh SYNOPSIS
.Nm inetd
.Op Fl d
.Op Fl R Ar rate
.Op Ar configuration file
.Sh DESCRIPTION
The
.Nm inetd
program
should be run at boot time by
.Pa /etc/rc
(see
.Xr rc 8 ) .
It then listens for connections on certain
internet sockets.  When a connection is found on one
of its sockets, it decides what service the socket
corresponds to, and invokes a program to service the request.
The server program is invoked with the service socket
as its standard input, output and error descriptors.
After the program is
finished,
.Nm inetd
continues to listen on the socket (except in some cases which
will be described below).  Essentially,
.Nm inetd
allows running one daemon to invoke several others,
reducing load on the system.
.Pp
The options available for
.Nm inetd:
.Bl -tag -width Ds
.It Fl d
Turns on debugging.
.It Fl R Ar rate
Specifies the maximum number of times a service can be invoked
in one minute; the default is 1000.
.El
.Pp
Upon execution,
.Nm inetd
reads its configuration information from a configuration
file which, by default, is
.Pa /etc/inetd.conf .
There must be an entry for each field of the configuration
file, with entries for each field separated by a tab or
a space.  Comments are denoted by a ``#'' at the beginning
of a line.  There must be an entry for each field.  The
fields of the configuration file are as follows:
.Pp
.Bd -unfilled -offset indent -compact
service name
socket type
protocol
wait/nowait
user
server program
server program arguments
.Ed
.Pp
There are two types of services that 
.Nm inetd
can start: standard and TCPMUX.
A standard service has a well-known port assigned to it;
it may be a service that implements an official Internet standard or is a
BSD-specific service.
As described in 
.Tn RFC 1078 ,
TCPMUX services are nonstandard services that do not have a 
well-known port assigned to them.
They are invoked from
.Nm inetd 
when a program connects to the
.Dq tcpmux
well-known port and specifies
the service name.  
This feature is useful for adding locally-developed servers.
.Pp
The
.Em service-name
entry is the name of a valid service in
the file
.Pa /etc/services .
For
.Dq internal
services (discussed below), the service
name
.Em must
be the official name of the service (that is, the first entry in
.Pa /etc/services ) .
For TCPMUX services, the value of the
.Em service-name
field consists of the string
.Dq tcpmux
followed by a slash and the
locally-chosen service name. 
The service names listed in 
.Pa /etc/services
and the name 
.Dq help
are reserved.
Try to choose unique names for your TCPMUX services by prefixing them with
your organization's name and suffixing them with a version number.
.Pp
The
.Em socket-type
should be one of
.Dq stream ,
.Dq dgram ,
.Dq raw ,
.Dq rdm ,
or
.Dq seqpacket ,
depending on whether the socket is a stream, datagram, raw,
reliably delivered message, or sequenced packet socket.
TCPMUX services must use 
.Dq stream .
.Pp
The
.Em protocol
must be a valid protocol as given in
.Pa /etc/protocols .
Examples might be
.Dq tcp
or
.Dq udp .
TCPMUX services must use 
.Dq tcp .
.Pp
The
.Em wait/nowait
entry specifies whether the server that is invoked by inetd will take over
the socket associated with the service access point, and thus whether
.Nm inetd
should wait for the server to exit before listening for new service
requests.
Datagram servers must use
.Dq wait ,
as they are always invoked with the original datagram socket bound
to the specified service address.
These servers must read at least one datagram from the socket
before exiting.
If a datagram server connects
to its peer, freeing the socket so
.Nm inetd
can received further messages on the socket, it is said to be
a
.Dq multi-threaded
server;
it should read one datagram from the socket and create a new socket
connected to the peer.
It should fork, and the parent should then exit
to allow
.Nm inetd
to check for new service requests to spawn new servers.
Datagram servers which process all incoming datagrams
on a socket and eventually time out are said to be
.Dq single-threaded .
.Xr Comsat 8 ,
.Pq Xr biff 1
and
.Xr talkd 8
are both examples of the latter type of
datagram server.
.Xr Tftpd 8
is an example of a multi-threaded datagram server.
.Pp
Servers using stream sockets generally are multi-threaded and
use the
.Dq nowait
entry.
Connection requests for these services are accepted by
.Nm inetd ,
and the server is given only the newly-accepted socket connected
to a client of the service.
Most stream-based services operate in this manner.
Stream-based servers that use
.Dq wait
are started with the listening service socket, and must accept
at least one connection request before exiting.
Such a server would normally accept and process incoming connection
requests until a timeout.
TCPMUX services must use 
.Dq nowait .
.Pp
The
.Em user
entry should contain the user name of the user as whom the server
should run.  This allows for servers to be given less permission
than root.
.Pp
The
.Em server-program
entry should contain the pathname of the program which is to be
executed by
.Nm inetd
when a request is found on its socket.  If
.Nm inetd
provides this service internally, this entry should
be
.Dq internal .
.Pp
The
.Em server program arguments
should be just as arguments
normally are, starting with argv[0], which is the name of
the program.  If the service is provided internally, the
word
.Dq internal
should take the place of this entry.
.Pp
The
.Nm inetd
program
provides several
.Dq trivial
services internally by use of
routines within itself.  These services are
.Dq echo ,
.Dq discard ,
.Dq chargen
(character generator),
.Dq daytime
(human readable time), and
.Dq time
(machine readable time,
in the form of the number of seconds since midnight, January
1, 1900).  All of these services are tcp based.  For
details of these services, consult the appropriate
.Tn RFC
from the Network Information Center.
.Pp
The
.Nm inetd
program
rereads its configuration file when it receives a hangup signal,
.Dv SIGHUP .
Services may be added, deleted or modified when the configuration file
is reread.
Except when started in debugging mode,
.Nm
records its process ID in the file
.Pa /var/run/inetd.pid
to assist in reconfiguration.
.Sh TCPMUX
.Pp
.Tn RFC 1078 
describes the TCPMUX protocol:
``A TCP client connects to a foreign host on TCP port 1.  It sends the
service name followed by a carriage-return line-feed <CRLF>.  The
service name is never case sensitive.  The server replies with a
single character indicating positive (+) or negative (\-)
acknowledgment, immediately followed by an optional message of
explanation, terminated with a <CRLF>.  If the reply was positive,
the selected protocol begins; otherwise the connection is closed.''
The program is passed the TCP connection as file descriptors 0 and 1.
.Pp
If the TCPMUX service name begins with a ``+'',
.Nm inetd
returns the positive reply for the program.
This allows you to invoke programs that use stdin/stdout
without putting any special server code in them.
.Pp
The special service name
.Dq help
causes
.Nm inetd
to list TCPMUX services in
.Pa inetd.conf .
.ne 1i
.Sh "EXAMPLES"
.Pp
Here are several example service entries for the various types of services:
.Bd -literal
ftp           stream  tcp   nowait root  /usr/libexec/ftpd       ftpd -l
ntalk         dgram   udp   wait   root  /usr/libexec/ntalkd     ntalkd
tcpmux/+date  stream  tcp   nowait guest /bin/date               date
tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook
.Ed
.Sh "ERROR MESSAGES"
The
.Nm inetd
server
logs error messages using
.Xr syslog 3 .
Important error messages and their explanations are:
.Bd -literal
\fIservice\fP/\fIprotocol\fP server failing (looping), service terminated.
.Ed
The number of requests for the specified service in the past minute
exceeded the limit. The limit exists to prevent a broken program
or a malicious user from swamping the system.
This message may occur for several reasons:
1) there are lots of hosts requesting the service within a short time period,
2) a 'broken' client program is requesting the service too frequently,
3) a malicious user is running a program to invoke the service in
a 'denial of service' attack, or
4) the invoked service program has an error that causes clients
to retry quickly.
Use the
.Op Fl R 
option,
as described above, to change the rate limit.
Once the limit is reached, the service will be
reenabled automatically in 10 minutes.
.sp
.Bd -literal
\fIservice\fP/\fIprotocol\fP: No such user '\fIuser\fP', service ignored
\fIservice\fP/\fIprotocol\fP: getpwnam: \fIuser\fP: No such user
.Ed
No entry for 
.Em user
exists in the 
.Pa passwd
file. The first message
occurs when
.Nm inetd
(re)reads the configuration file. The second message occurs when the
service is invoked.
.sp
.Bd -literal
\fIservice\fP: can't set uid \fInumber\fP
\fIservice\fP: can't set gid \fInumber\fP
.Ed
The user or group ID for the entry's 
.Em user
is invalid.
.Sh SEE ALSO
.Xr comsat 8 ,
.Xr fingerd 8 ,
.Xr ftpd 8 ,
.Xr rexecd 8 ,
.Xr rlogind 8 ,
.Xr rshd 8 ,
.Xr telnetd 8 ,
.Xr tftpd 8
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 .
TCPMUX is based on code and documentation by Mark Lottor.
Commit	Line	Data
b7080c8e A	1	.\" Copyright (c) 1985, 1991, 1993, 1994
	2	.\" The Regents of the University of California. All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
	12	.\" 3. All advertising materials mentioning features or use of this software
	13	.\" must display the following acknowledgement:
	14	.\" This product includes software developed by the University of
	15	.\" California, Berkeley and its contributors.
	16	.\" 4. Neither the name of the University nor the names of its contributors
	17	.\" may be used to endorse or promote products derived from this software
	18	.\" without specific prior written permission.
	19	.\"
	20	.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	21	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	24	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	.\" SUCH DAMAGE.
	31	.\"
	32	.\" @(#)inetd.8 8.4 (Berkeley) 6/1/94
	33	.\"
	34	.Dd June 1, 1994
	35	.Dt INETD 8
	36	.Os BSD 4.4
	37	.Sh NAME
	38	.Nm inetd
	39	.Nd internet
	40	.Dq super-server
	41	.Sh SYNOPSIS
	42	.Nm inetd
	43	.Op Fl d
	44	.Op Fl R Ar rate
	45	.Op Ar configuration file
	46	.Sh DESCRIPTION
	47	The
	48	.Nm inetd
	49	program
	50	should be run at boot time by
	51	.Pa /etc/rc
	52	(see
	53	.Xr rc 8 ) .
	54	It then listens for connections on certain
	55	internet sockets. When a connection is found on one
	56	of its sockets, it decides what service the socket
	57	corresponds to, and invokes a program to service the request.
	58	The server program is invoked with the service socket
	59	as its standard input, output and error descriptors.
	60	After the program is
	61	finished,
	62	.Nm inetd
	63	continues to listen on the socket (except in some cases which
	64	will be described below). Essentially,
65	.Nm inetd
66	allows running one daemon to invoke several others,
67	reducing load on the system.
68	.Pp
69	The options available for
70	.Nm inetd:
71	.Bl -tag -width Ds
72	.It Fl d
73	Turns on debugging.
74	.It Fl R Ar rate
75	Specifies the maximum number of times a service can be invoked
76	in one minute; the default is 1000.
77	.El
78	.Pp
79	Upon execution,
80	.Nm inetd
81	reads its configuration information from a configuration
82	file which, by default, is
83	.Pa /etc/inetd.conf .
84	There must be an entry for each field of the configuration
85	file, with entries for each field separated by a tab or
86	a space. Comments are denoted by a ``#'' at the beginning
87	of a line. There must be an entry for each field. The
88	fields of the configuration file are as follows:
89	.Pp
90	.Bd -unfilled -offset indent -compact
91	service name
92	socket type
93	protocol
94	wait/nowait
95	user
96	server program
97	server program arguments
98	.Ed
99	.Pp
100	There are two types of services that
101	.Nm inetd
102	can start: standard and TCPMUX.
103	A standard service has a well-known port assigned to it;
104	it may be a service that implements an official Internet standard or is a
105	BSD-specific service.
106	As described in
107	.Tn RFC 1078 ,
108	TCPMUX services are nonstandard services that do not have a
109	well-known port assigned to them.
110	They are invoked from
111	.Nm inetd
112	when a program connects to the
113	.Dq tcpmux
114	well-known port and specifies
115	the service name.
116	This feature is useful for adding locally-developed servers.
117	.Pp
118	The
119	.Em service-name
120	entry is the name of a valid service in
121	the file
122	.Pa /etc/services .
123	For
124	.Dq internal
125	services (discussed below), the service
126	name
127	.Em must
128	be the official name of the service (that is, the first entry in
129	.Pa /etc/services ) .
130	For TCPMUX services, the value of the
131	.Em service-name
132	field consists of the string
133	.Dq tcpmux
134	followed by a slash and the
135	locally-chosen service name.
136	The service names listed in
137	.Pa /etc/services
138	and the name
139	.Dq help
140	are reserved.
141	Try to choose unique names for your TCPMUX services by prefixing them with
142	your organization's name and suffixing them with a version number.
143	.Pp
144	The
145	.Em socket-type
146	should be one of
147	.Dq stream ,
148	.Dq dgram ,
149	.Dq raw ,
150	.Dq rdm ,
151	or
152	.Dq seqpacket ,
153	depending on whether the socket is a stream, datagram, raw,
154	reliably delivered message, or sequenced packet socket.
155	TCPMUX services must use
156	.Dq stream .
157	.Pp
158	The
159	.Em protocol
160	must be a valid protocol as given in
161	.Pa /etc/protocols .
162	Examples might be
163	.Dq tcp
164	or
165	.Dq udp .
166	TCPMUX services must use
167	.Dq tcp .
168	.Pp
169	The
170	.Em wait/nowait
171	entry specifies whether the server that is invoked by inetd will take over
172	the socket associated with the service access point, and thus whether
173	.Nm inetd
174	should wait for the server to exit before listening for new service
175	requests.
176	Datagram servers must use
177	.Dq wait ,
178	as they are always invoked with the original datagram socket bound
179	to the specified service address.
180	These servers must read at least one datagram from the socket
181	before exiting.
182	If a datagram server connects
183	to its peer, freeing the socket so
184	.Nm inetd
185	can received further messages on the socket, it is said to be
186	a
187	.Dq multi-threaded
188	server;
189	it should read one datagram from the socket and create a new socket
190	connected to the peer.
191	It should fork, and the parent should then exit
192	to allow
193	.Nm inetd
194	to check for new service requests to spawn new servers.
195	Datagram servers which process all incoming datagrams
196	on a socket and eventually time out are said to be
197	.Dq single-threaded .
198	.Xr Comsat 8 ,
199	.Pq Xr biff 1
200	and
201	.Xr talkd 8
202	are both examples of the latter type of
203	datagram server.
204	.Xr Tftpd 8
205	is an example of a multi-threaded datagram server.
206	.Pp
207	Servers using stream sockets generally are multi-threaded and
208	use the
209	.Dq nowait
210	entry.
211	Connection requests for these services are accepted by
212	.Nm inetd ,
213	and the server is given only the newly-accepted socket connected
214	to a client of the service.
215	Most stream-based services operate in this manner.
216	Stream-based servers that use
217	.Dq wait
218	are started with the listening service socket, and must accept
219	at least one connection request before exiting.
220	Such a server would normally accept and process incoming connection
221	requests until a timeout.
222	TCPMUX services must use
223	.Dq nowait .
224	.Pp
225	The
226	.Em user
227	entry should contain the user name of the user as whom the server
228	should run. This allows for servers to be given less permission
229	than root.
230	.Pp
231	The
232	.Em server-program
233	entry should contain the pathname of the program which is to be
234	executed by
235	.Nm inetd
236	when a request is found on its socket. If
237	.Nm inetd
238	provides this service internally, this entry should
239	be
240	.Dq internal .
241	.Pp
242	The
243	.Em server program arguments
244	should be just as arguments
245	normally are, starting with argv[0], which is the name of
246	the program. If the service is provided internally, the
247	word
248	.Dq internal
249	should take the place of this entry.
250	.Pp
251	The
252	.Nm inetd
253	program
254	provides several
255	.Dq trivial
256	services internally by use of
257	routines within itself. These services are
258	.Dq echo ,
259	.Dq discard ,
260	.Dq chargen
261	(character generator),
262	.Dq daytime
263	(human readable time), and
264	.Dq time
265	(machine readable time,
266	in the form of the number of seconds since midnight, January
267	1, 1900). All of these services are tcp based. For
268	details of these services, consult the appropriate
269	.Tn RFC
270	from the Network Information Center.
271	.Pp
272	The
273	.Nm inetd
274	program
275	rereads its configuration file when it receives a hangup signal,
276	.Dv SIGHUP .
277	Services may be added, deleted or modified when the configuration file
278	is reread.
279	Except when started in debugging mode,
280	.Nm
281	records its process ID in the file
282	.Pa /var/run/inetd.pid
283	to assist in reconfiguration.
284	.Sh TCPMUX
285	.Pp
286	.Tn RFC 1078
287	describes the TCPMUX protocol:
288	``A TCP client connects to a foreign host on TCP port 1. It sends the
289	service name followed by a carriage-return line-feed <CRLF>. The
290	service name is never case sensitive. The server replies with a
291	single character indicating positive (+) or negative (\-)
292	acknowledgment, immediately followed by an optional message of
293	explanation, terminated with a <CRLF>. If the reply was positive,
294	the selected protocol begins; otherwise the connection is closed.''
295	The program is passed the TCP connection as file descriptors 0 and 1.
296	.Pp
297	If the TCPMUX service name begins with a ``+'',
298	.Nm inetd
299	returns the positive reply for the program.
300	This allows you to invoke programs that use stdin/stdout
301	without putting any special server code in them.
302	.Pp
303	The special service name
304	.Dq help
305	causes
306	.Nm inetd
307	to list TCPMUX services in
308	.Pa inetd.conf .
309	.ne 1i
310	.Sh "EXAMPLES"
311	.Pp
312	Here are several example service entries for the various types of services:
313	.Bd -literal
314	ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
315	ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
316	tcpmux/+date stream tcp nowait guest /bin/date date
317	tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook
318	.Ed
319	.Sh "ERROR MESSAGES"
320	The
321	.Nm inetd
322	server
323	logs error messages using
324	.Xr syslog 3 .
325	Important error messages and their explanations are:
326	.Bd -literal
327	\fIservice\fP/\fIprotocol\fP server failing (looping), service terminated.
328	.Ed
329	The number of requests for the specified service in the past minute
330	exceeded the limit. The limit exists to prevent a broken program
331	or a malicious user from swamping the system.
332	This message may occur for several reasons:
333	1) there are lots of hosts requesting the service within a short time period,
334	2) a 'broken' client program is requesting the service too frequently,
335	3) a malicious user is running a program to invoke the service in
336	a 'denial of service' attack, or
337	4) the invoked service program has an error that causes clients
338	to retry quickly.
339	Use the
340	.Op Fl R
341	option,
342	as described above, to change the rate limit.
343	Once the limit is reached, the service will be
344	reenabled automatically in 10 minutes.
345	.sp
346	.Bd -literal
347	\fIservice\fP/\fIprotocol\fP: No such user '\fIuser\fP', service ignored
348	\fIservice\fP/\fIprotocol\fP: getpwnam: \fIuser\fP: No such user
349	.Ed
350	No entry for
351	.Em user
352	exists in the
353	.Pa passwd
354	file. The first message
355	occurs when
356	.Nm inetd
357	(re)reads the configuration file. The second message occurs when the
358	service is invoked.
359	.sp
360	.Bd -literal
361	\fIservice\fP: can't set uid \fInumber\fP
362	\fIservice\fP: can't set gid \fInumber\fP
363	.Ed
364	The user or group ID for the entry's
365	.Em user
366	is invalid.
367	.Sh SEE ALSO
368	.Xr comsat 8 ,
369	.Xr fingerd 8 ,
370	.Xr ftpd 8 ,
371	.Xr rexecd 8 ,
372	.Xr rlogind 8 ,
373	.Xr rshd 8 ,
374	.Xr telnetd 8 ,
375	.Xr tftpd 8
376	.Sh HISTORY
377	The
378	.Nm
379	command appeared in
380	.Bx 4.3 .
381	TCPMUX is based on code and documentation by Mark Lottor.