The inetd Super-Server

Frequently, services are performed by so-called daemons. A daemon is a program that opens a certain port, and waits for incoming connections. If one occurs, it creates a child process which accepts the connection, while the parent continues to listen for further requests. This concept has the drawback that for every service offered, a daemon has to run that listens on the port for a connection to occur, which generally means a waste of system resources like swap space.

Thus, almost all installations run a ``super-server'' that creates sockets for a number of services, and listens on all of them simultaneously using the select(2) system call. When a remote host requests one of the services, the super-server notices this and spawns the server specified for this port.

The super-server commonly used is inetd, the Internet Daemon. It is started at system boot time, and takes the list of services it is to manage from a startup file named /etc/inetd.conf. In addition to those servers invoked, there are a number of trivial services which are performed by inetd itself called internal services. They include chargen which simply generates a string of characters, and daytime which returns the system's idea of the time of day.

An entry in this file consists of a single line made up of the following fields:

           service type protocol wait user server cmdline

The meaning of each field is as follows:

service

gives the service name. The service name has to be translated to a port number by looking it up in the /etc/services file. This file will be described in section 10.3 below.

type

specifies a socket type, either stream (for connection- oriented protocols) or dgram (for datagram protocols). TCP- based services should therefore always use stream, while UDP- based services should always use dgram.

protocol

names the transport protocol used by the service. This must be a valid protocol name found in the protocols file, also explained below.

wait

This option applies only to dgram sockets. It may be either wait or nowait. If wait is specified, inetd will only execute one server for the specified port at any time. Otherwise, it will immediately continue to listen on the port after execut- ing the server. This is useful for ``single-threaded'' servers that read all incoming datagrams until no more arrive, and then exit. Most RPC servers are of this type and should therefore specify wait. The opposite type, ``multi-threaded'' servers, allow an unlimited number of instances to run concurrently; this is only rarely used. These servers should specify nowait. stream sockets should always use nowait.

user

This is the login id of the user the process is executed under. This will frequently be the root user, but some ser- vices may use different accounts. It is a very good idea to apply the principle of least privilege here, which states that you shouldn't run a command under a privileged account if the program doesn't require this for proper functioning. For example, the NNTP news server will run as news, while services that may pose a security risk (such as tftp or finger) are often run as nobody.

server

gives the full path name of the server program to be executed. Internal services are marked by the keyword internal.

cmdline

This is the command line to be passed to the server. This includes argument 0, that is the command name. Usually, this will be the program name of the server, unless the program behaves differently when invoked by a different name. This field is empty for internal services.

Figure: A sample /etc/inetd.conf file

                #
                # inetd services
                ftp       stream tcp nowait root   /usr/sbin/ftpd    in.ftpd -l
                telnet    stream tcp nowait root   /usr/sbin/telnetd in.telnetd -b/etc/issue
                #finger    stream tcp nowait bin    /usr/sbin/fingerd in.fingerd
                #tftp      dgram  udp wait   nobody /usr/sbin/tftpd   in.tftpd
                #tftp      dgram  udp wait   nobody /usr/sbin/tftpd   in.tftpd /boot/diskless
                login     stream tcp nowait root   /usr/sbin/rlogind in.rlogind
                shell     stream tcp nowait root   /usr/sbin/rshd    in.rshd
                exec      stream tcp nowait root   /usr/sbin/rexecd  in.rexecd
                #
                #       inetd internal services
                #
                daytime   stream tcp nowait root internal
                daytime   dgram  udp nowait root internal
                time      stream tcp nowait root internal
                time      dgram  udp nowait root internal
                echo      stream tcp nowait root internal
                echo      dgram  udp nowait root internal
                discard   stream tcp nowait root internal
                discard   dgram  udp nowait root internal
                chargen   stream tcp nowait root internal
                chargen   dgram  udp nowait root internal

The finger service is commented out, so that it is not available. This is often done for security reasons, because may be used by attackers to obtain names of users on your system.

The tftp is shown commented out as well. tftp implements the Primitive File Transfer Protocol that allows to transfer any world-readable files from your system without password checking etc. This is especially harmful with the /etc/passwd file, even more so when you don't use shadow password.

TFTP is commonly used by diskless clients and X-terminals to download their code from a boot server. If you need to run tftpd for this reason, make sure to limit its scope to those directories clients will retrieve files from by adding those directory names to tftpd's command line. This is shown in the second tftp line in the example.