
inetd(1M)

HP-UX 11i Version 3: February 2007

NAME

inetd — Internet services daemon

SYNOPSIS

/usr/sbin/inetd [-a] [-p proc_limit] [-r count [interval] ] [-l|-s]

/usr/sbin/inetd [-c]

/usr/sbin/inetd [-k]

DESCRIPTION

The inetd daemon is the Internet superserver, which invokes Internet server processes as needed. It must be running before other hosts can connect to the local host through ftp, rcp, remsh, rlogin, and telnet. The inetd daemon also supports services based on the Remote Procedure Call (RPC) protocol (NFS), such as rwalld and rusersd. If RPC servers are started by inetd, the portmap server (see portmap(1M)) must be started before inetd.

The inetd daemon is designed to invoke all the Internet servers as needed, thus reducing load on the system. It is normally started at system boot time. Only one inetd can run at any given time.

The inetd daemon starts servers for both stream and datagram type services. For stream services, inetd listens for connection requests on Internet stream sockets. When a connection is requested for one of its sockets, inetd decides which service the socket will support, forks a process, invokes an appropriate server for the connection, and passes the connected socket to the server as stdin and stdout. Then inetd returns to listening for connection requests.

For datagram services, inetd waits for activity on Internet datagram sockets. When an incoming datagram is detected, inetd forks a process, invokes an appropriate server, and passes the socket to the server as stdin and stdout. Then inetd waits, ignoring activity on that datagram socket, until the server exits.

The inetd daemon is normally started by the /sbin/init.d/inetd script, which is invoked during the boot-time initialization. Otherwise, inetd can be started only by the superuser.

The Internet daemon and the servers it starts inherit the LANG and TZ environment variables and the umask of the process that started inetd. If inetd is started by the superuser, it inherits the superuser's umask, and passes that umask to the servers it starts.

Note: Services currently supported by inetd will work in an IPv6 environment with a few changes to the configuration file /etc/inetd.conf. (See inetd.conf(4).)

When invoked, inetd reads /etc/inetd.conf and configures itself to support whatever services are included in that file (see inetd.conf(4)). The inetd daemon also performs a security check if the file /var/adm/inetd.sec exists (see inetd.sec(4)).

If the Internet daemon refuses a connection for security reasons, the connection is shut down. Most RPC-based services, if their first connection is refused, attempt to connect four more times at 5-second intervals before timing out. In such cases, inetd refuses the connection from the same service invocation five times. This is visible in the system log if inetd connection logging and syslogd logging for the daemon facility are both enabled (see syslogd(1M)).

The inetd daemon provides several "trivial" services internally by use of routines within itself. The services are echo, discard, chargen (character generator), daytime (human readable time), and time (machine readable time in the form of the number of seconds since midnight, January 1, 1900). The inetd daemon provides both TCP- and UDP-based servers for each of these services. See inetd.conf(4) for instructions on configuring internal servers.

Options

inetd recognizes the following options. These options can be used only by a superuser.

-a

Enable user level auditing. Services started by inetd will be audited based on the user's audit specification (see audusr(1M), userdbset(1M), and the user field in inetd.conf(4)). If a service is audit unaware (see audit(4)), it will not be audited if the user's audit specification is disabled.

Example: If auditing for root is disabled, audit unaware services such as remshd, invoked by inetd for the specified username, will not be audited even though auditing for the username is enabled.

-c

Reconfigure the Internet daemon; in other words, force the current inetd to reread /etc/inetd.conf. This option sends the signal SIGHUP to the Internet daemon that is currently running. Any configuration errors that occur during the reconfiguration are logged to the syslogd daemon facility.

-k

Kill the current inetd. This option sends the signal SIGTERM to the Internet daemon that is currently running, causing it to exit gracefully. This option is the preferred method of killing inetd.

-l

By default, inetd starts with connection logging disabled. If no inetd is running, the -l option causes inetd to start with connection logging enabled. Otherwise, the -l option causes inetd to send the signal SIGQUIT to the inetd that is already running, which causes it to toggle the state of connection logging.

-p proc_limit

By default, inetd spawns any number of child processes to serve incoming connections. When inetd is started with the -p option, inetd does not spawn a child process if the number of child processes already running in the system has reached the proc_limit value. inetd spawns a new child process only when the number of running child processes is less than the proc_limit value. If an invalid value or zero is specified for the -p option, inetd spawns any number of child processes to serve incoming connections.

-r count [interval]

inetd identifies a UDP service as broken or in an infinite loop when it receives count number of connections in interval seconds of time. When inetd finds any such broken service, it discards the packet requesting the socket connection, and refuses access to that service. inetd tries enabling that service after 10 minutes and accepts connections for that service. This is applicable to all UDP services other than tftp, bootp and rpc. Using the -r option, you can specify the values for count and interval, which need to be decimal numbers. If you invoke inetd without this option or specify invalid values for this option, the default values 40 and 60 are taken for count and interval, respectively.

-s

This option is similar to the -l option, but it suppresses the hostname when logging to the syslog file. If inetd is not running, the -s option causes inetd to start with suppressed hostname logging enabled. If inetd is running, the -s option causes inetd to send the SIGFPE signal to the inetd that is already running. This causes inetd to toggle the state of suppressed hostname logging.

When inetd is running with either -l or -s logging enabled, the Internet daemon logs attempted connections to services. It also logs connection attempts that fail the security check. This information can be useful when trying to determine if someone is repeatedly trying to access your system from a particular remote system (in other words, trying to break into your system). Successful connection attempts are logged to the syslogd daemon facility at the info log level. Connection attempts failing the security check are logged at the notice log level. inetd also logs whether the connection logging has been enabled or disabled at the info log level.
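One way to act on these log entries, as an added example that is not part of the HP manual page: the script counts Access denied messages (format listed under DIAGNOSTICS) per remote address and treats the burst produced by a refused client retrying at 5-second intervals as a single attempt. The syslog line prefix, the 25-second window, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The syslog prefix, the 25-second window and the sample lines are
# assumptions/constructed; only the "Access denied to" message text is from the page.

# Constructed sample: five denials 5 s apart (one refused client retrying),
# one successful connection, and three separate denials from another address.
sample_log() {
cat <<'EOF'
Feb 12 10:01:05 hpux1 inetd[1234]: rusersd/udp: Access denied to hostA (192.0.2.10)
Feb 12 10:01:10 hpux1 inetd[1234]: rusersd/udp: Access denied to hostA (192.0.2.10)
Feb 12 10:01:15 hpux1 inetd[1234]: rusersd/udp: Access denied to hostA (192.0.2.10)
Feb 12 10:01:20 hpux1 inetd[1234]: rusersd/udp: Access denied to hostA (192.0.2.10)
Feb 12 10:01:25 hpux1 inetd[1234]: rusersd/udp: Access denied to hostA (192.0.2.10)
Feb 12 10:02:00 hpux1 inetd[1234]: telnet/tcp: Connection from hostC (192.0.2.30)
Feb 12 10:05:00 hpux1 inetd[1234]: telnet/tcp: Access denied to hostB (198.51.100.7)
Feb 12 10:09:30 hpux1 inetd[1234]: ftp/tcp: Access denied to hostB (198.51.100.7)
Feb 12 10:14:02 hpux1 inetd[1234]: telnet/tcp: Access denied to hostB (198.51.100.7)
EOF
}

# denied_attempts: reads syslog lines on stdin, prints "address service attempts".
# Denials from one address for one service within `window` seconds of the previous
# denial are counted as retries of the same attempt, not as new attempts.
denied_attempts() {
    awk -v window=25 '
    / inetd\[[0-9]+\]: .*: Access denied to / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        day = $1 " " $2
        svc = $6; sub(/:$/, "", svc)
        addr = $NF; gsub(/[()]/, "", addr)
        key = addr " " svc
        if (!(key in last) || day != lday[key] || now - last[key] > window)
            attempts[key]++
        last[key] = now; lday[key] = day
    }
    END { for (k in attempts) print k, attempts[k] }' | sort
}

# flag_sources MIN: prints "address total" for addresses with at least MIN attempts.
flag_sources() {
    denied_attempts | awk -v min="$1" '
        { total[$1] += $3 }
        END { for (a in total) if (total[a] >= min) print a, total[a] }' | sort
}

sample_log | flag_sources 3
```

Without the retry window, the single refused client at 192.0.2.10 would be counted five times and flagged alongside the address that was denied on three separate occasions.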

DIAGNOSTICS

The following diagnostics are returned by the Internet daemon before it disconnects from the terminal.

An inetd is already running

An attempt was made to start an Internet daemon when one was already running. It is incorrect to call the Internet daemon a second time without the -c, -k, -l or -s option.

There is no inetd running

An attempt was made to reconfigure an Internet daemon when none was running.

Inetd not found

This message occurs if inetd is called with -c and another Internet daemon is running but cannot be reconfigured. This occurs if the original Internet daemon died without removing its semaphore.

Next step: Use the inetd -k command to remove the semaphore left by the previous Internet daemon; then restart the daemon.

The following diagnostics are logged to the syslogd daemon facility. Unless otherwise indicated, messages are logged at the error log level.

/etc/inetd.conf: Unusable configuration file

The Internet daemon is unable to access the configuration file /etc/inetd.conf. The error message preceding this one specifies the reason for the failure.

/etc/inetd.conf: line number: error

There is an error on the specified line in /etc/inetd.conf. The line in the configuration file is skipped. This error does not stop the Internet daemon from reading the rest of the file and configuring itself accordingly.

Next step: Fix the line with the error and reconfigure the Internet daemon by executing the inetd -c command.

system_call: message

system_call failed. See the corresponding manual entry for a description of system_call. The reason for the failure is explained in message.

Cannot configure inetd

None of the services/servers listed in the configuration file could be set up properly, due to configuration file errors.

Too many services (max n)

The number of active services listed in the configuration file exceeds the "hard" limit that can be supported by the system (see setrlimit(2)).

Next step: Reduce the number of services listed in the configuration file, then reconfigure the Internet daemon by running the command inetd -c.

file: \ found before end of line line

file can be either inetd.conf or inetd.sec. If a backslash is not immediately followed by an end of line, it is ignored and the information up to the end of line is accepted. In this case, the next line of the file is not appended to the end of the current line. Unless all the information required is present on a single line, configuration file error messages are also output. This message is logged at the warning log level.

service/protocol: Unknown service

The call to the library routine getservbyname (see getservent(3N)) failed. The service is not listed in /etc/services.

Next step: Include that service in /etc/services or eliminate the entry for the service in /etc/inetd.conf.

service/protocol: Server failing (looping), service terminated.

When inetd tries to start 40 servers within 60 seconds for a datagram service, other than bootp, rpc, or tftp, it assumes that the server is failing to handle the connection. To avoid entering a potentially infinite loop, inetd issues this message, discards the packet requesting the socket connection, and refuses further connections for this service. After 10 minutes, inetd tries to reinstate the service, and once again accepts connections for the service. inetd provides the -r command-line option to modify the default values 40 and 60.

service/protocol: socket: message

service/protocol: listen: message

service/protocol: getsockname: message

Any one of the three errors above makes the service unusable. For another host to communicate with the server host through this service, the Internet daemon needs to be reconfigured after any of these error messages.

service/protocol: bind: message

If this error occurs, the service is temporarily unusable. After 10 minutes, inetd tries again to make the service usable by binding to the Internet socket for the service.

service/protocol: Access denied to remote_host (address)

The remote host failed to pass the security test for the indicated service. This information can be useful when trying to determine if someone is repeatedly trying to access your system from a particular remote system (in other words, trying to break into your system). This message is logged at the warning log level.

service/protocol: Connection from remote_host (address)

When connection logging is enabled, this message indicates a successful connection attempt to the specified service. This message is logged at the notice log level.

service/protocol: Added service, server executable

Keeps track of the services added when reconfiguring the Internet daemon. This message is logged at the info log level.

service/protocol: New list

Lists the new user IDs, servers or executables used for the service when reconfiguring the Internet daemon. This message is logged at the info log level.

service/protocol: Deleted service

Keeps track of the services deleted when reconfiguring the Internet daemon. This message is logged at the info log level.

Reverse lookup for (address) has failed

Indicates a hostname resolution failure.

Security File (inetd.sec) Errors

The following errors, prefixed by /var/adm/inetd.sec:, are related to the security file inetd.sec:

Field contains other characters in addition to * for service

For example, field 2 of the Internet address 10.5*.8.7 is incorrect.

Missing low value in range for service

For example, field 2 of the Internet address 10.-5.8.7 is incorrect.

Missing high value in range for service

For example, field 2 of the Internet address 10.5-.8.7 is incorrect.

High value in range is lower than low value for service

For example, field 2 of the Internet address 10.5-3.8.7 is incorrect.

allow/deny field does not have a valid entry for service

The entry in the allow/deny field is not one of the keywords allow or deny. No security for this service is implemented by inetd since the line in the security file is ignored. This message is logged at the warning log level.
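The four address-field errors above can be caught before inetd reads the file. The following is an added example, not HP code; the function name check_sec_addr, the "field N:" prefix and the one valid sample pattern are assumptions, and only the four listed checks are implemented.

```shell
#!/bin/sh
# Added example: pre-check inetd.sec address patterns for the four field errors
# listed above. Function name and "field N:" prefix are this example's own.

# check_sec_addr ADDRESS: prints the first diagnostic the pattern would trigger
# (message text as in the man page, without the "for service" suffix) or "ok".
check_sec_addr() {
    addr=$1 n=0
    old_ifs=$IFS; IFS=.
    set -f              # keep "*" fields from being expanded as filename globs
    set -- $addr        # split the address into its dot-separated fields
    set +f; IFS=$old_ifs
    for field in "$@"; do
        n=$((n + 1))
        case $field in
            \*) continue ;;                       # whole-field wildcard is valid
            *\**) echo "field $n: Field contains other characters in addition to *"
                  return 1 ;;
            -*) echo "field $n: Missing low value in range"; return 1 ;;
            *-) echo "field $n: Missing high value in range"; return 1 ;;
            *-*)
                low=${field%%-*} high=${field#*-}
                case $low$high in *[!0-9]*)       # not an inetd message
                    echo "field $n: range bounds are not numeric"; return 1 ;;
                esac
                if [ "$high" -lt "$low" ]; then
                    echo "field $n: High value in range is lower than low value"
                    return 1
                fi ;;
        esac
    done
    echo ok
}

# The four incorrect addresses from the man page plus one constructed valid pattern.
for a in '10.5*.8.7' '10.-5.8.7' '10.5-.8.7' '10.5-3.8.7' '10.3-5.*.7'; do
    printf '%s: %s\n' "$a" "$(check_sec_addr "$a")"
done
```

Because inetd ignores a security-file line it cannot parse, running a check like this before inetd -c avoids silently leaving a service without the intended restriction.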

RPC Related Errors for NFS Users

These errors are specific to RPC-based servers:

/etc/inetd.conf: line number: Missing program number

/etc/inetd.conf: line number: Missing version number

Error on the specified line of /etc/inetd.conf. The program or version number for an RPC service is missing. This error does not stop the Internet daemon from reading the rest of the file and configuring itself accordingly. However, the service corresponding to the error message will not be configured correctly.

Next step: Fix the line with the error, then reconfigure the Internet daemon by executing the inetd -c command.

/etc/inetd.conf: line number: Invalid program number

Error on the specified line of /etc/inetd.conf. The program number for an RPC service is not a number. This error does not stop the Internet daemon from reading the rest of the file and configuring itself accordingly. However, the service corresponding to the error message will not be correctly configured.

Next step: Fix the line with the error, then reconfigure the Internet daemon by executing the inetd -c command.

AUTHOR

inetd was developed by HP and the University of California, Berkeley.

NFS was developed by Sun Microsystems, Inc.

FILES

/etc/inetd.conf

List of Internet server processes.

/var/adm/inetd.sec

Optional security file.

© 1983-2007 Hewlett-Packard Development Company, L.P.