inetd(1M) DG/UX R4.11MU05 inetd(1M)
NAME
inetd - Internet services server
SYNOPSIS
/usr/bin/inetd [ -d ] [ configuration-file ]
DESCRIPTION
The inetd process (daemon) listens for connections on the appropriate
designated ports of the services specified in inetd.conf. When a
connection is found, inetd invokes the server program specified by
that configuration file for the service requested. Once a server is
finished, inetd continues to listen on the socket (except in some
cases that are described below).
Use the -d option to write various diagnostic messages to syslog at
level LOG_NOTICE. See syslog(3C) for more information.
The inetd server itself provides a number of simple TCP-based
services. These include echo, discard, chargen (character
generator), daytime (human readable time), and time (machine readable
time, in the form of the number of seconds since midnight, January 1,
1900). For details about these services, obtain Requests for Comment
(RFC) 862, 863, 864, 867, and 868. (The Guide to AViiON and DG/UX®
System Documentation gives the address to use for obtaining RFCs.)
New services can be activated and existing services deleted or
modified by editing the configuration file and then sending the inetd
server a hangup signal, SIGHUP.
When you start inetd, the Internet server, it reads its configuration
information from configuration-file. The default configuration file
is /etc/inetd.conf. See inetd.conf(4M) for information on the format
of this file. There are two inetd.conf prototype files:
inetd.conftcpip.proto and inetd.confnfs.proto. During setup, the
inetd.conf file is established by concatenating the two prototype
files.
The following items pertain to trusted DG/UX systems only.
· If inetd is not already running, you can start inetd only by
rebooting your system. If inetd is running, you can restart inetd
by sending it a hangup signal, SIGHUP.
· Several services that are normally provided on a standard DG/UX
system are disabled. See the manual Managing Security on the
DG/UX® System and the inetd.conf(4) man page for more
information.
· Inetd behaves differently depending upon whether the service it
is launching is trusted or non-trusted. A service is typically
marked as trusted for one of two reasons: either the executable
communicates with the session monitor on its own behalf, or it is
known to introduce no security risk to the system. See
inetd.conf(4M) for how inetd determines if a service is trusted
or non-trusted.
For non-trusted services, inetd communicates with the session
monitor on behalf of the service to determine if the user has
authorization. See inetd.conf(4M) for how inetd determines the
user; the service is always taken directly from /etc/inetd.conf.
In order for the session monitor to grant inetd's request, the
user account must have service authorization. Furthermore, it
must not require any authentication since inetd can not, for
example, ask for a password on behalf of the service. If the
request is granted, the credentials of the child process are set
appropriately prior to exec'ing the service's executable. The
actual credentials are never more powerful than those configured
for the user and service, but may also be constrained by the
credentials from Trusted IP; this is dependent upon which service
inetd is launching.
For trusted services, inetd does not communicate with the session
monitor on the service's behalf. On a system running with MAC
and network security (that is, Trusted IP), the process's MAC
label and range are set to those provided by Trusted IP prior to
exec'ing the service's executable. On a system running with CAC
and network security, the process's CAP state is set so that the
DG_CAP_MULTILEVEL_DEVICE capability is turned off if it were not
in the credentials provided by Trusted IP; otherwise, the trusted
process's CAP state is identical to inetd's CAP state. If the
DG_CAP_MULTILEVEL_DEVICE is set, any device that is associated
with the network session will have a MAC range equal to the
process's MAC range; otherwise, the device's MAC range will be a
trivial range equal to the process's MAC label. The upshot of
this is that unless the DG_CAP_MULTILEVEL_DEVICE capability is
set, authorization can only occur at the process MAC label (which
was the MAC label provided by Trusted IP).
FILES
/etc/inetd.conf
/etc/syslog.conf
SEE ALSO
syslog(3C), inetd.conf(4M), syslog.conf(5).
Managing Security on the DG/UX® System
Licensed material--property of copyright holder(s)