لطفا منتظر باشید ...
10.1. The inetd Super Server
Programs that provide application
services via the network are called network
daemons. A daemon is a program that opens a
port, most commonly a well-known service port, and waits for incoming
connections on it. If one occurs, the daemon creates a child process
that accepts the connection, while the parent continues to listen for
further requests. This mechanism works well but has a few
disadvantages; at least one instance of every possible service that
you wish to provide must be active in memory at all times. In
addition, the software routines that do the listening and port
handling must be replicated in every network daemon.To overcome these
inefficiencies, most Unix installations run a special network daemon,
what you might consider a "super
server." This daemon creates sockets on behalf of a
number of services and listens on all of them simultaneously. When an
incoming connection is received on any of these sockets, the super
server accepts the connection and spawns the server specified for
this port, passing the socket across to the child to manage. The
server then returns to listening.The most common
super server is called inetd, the Internet
Daemon. It is started at system boot time and takes the list of
services it is to manage from a startup file named
/etc/inetd.conf. In addition to those servers,
there are a number of trivial services performed by
inetd itself called
internal services. They
include chargen, which simply generates a string
of characters, and daytime, which returns the
system's idea of the time of
day.
An entry in this file consists of a single line made up of the
following fields:
service type protocol wait user server cmdlineEach of the fields is described in the following list:service
Gives the service name. The service name has to be translated to a
port number by looking it up in the
/etc/services file. This file will be described
later in this chapter in Section 10.4 later in this
chapter.
type
Specifies a socket type, either
stream (for connection-oriented protocols) or
dgram (for datagram protocols). TCP-based services
should therefore always use stream, while
UDP-based services should always use dgram.
protocol
Names the transport protocol used by the service. This must be a
valid protocol name found in the protocols file,
explained later.
wait
This option applies
only to dgram sockets. It can be either
wait or nowait. If
wait is specified, inetd
executes only one server for the specified port at any time.
Otherwise, it immediately continues to listen on the port after
executing the server.This is useful for
"single-threaded" servers that read
all incoming datagrams until no more arrive, and then exit. Most RPC
servers are of this type and should therefore specify
wait. The opposite type,
"multithreaded" servers, allows an
unlimited number of instances to run concurrently. These servers
should specify nowait.stream sockets should always use
nowait.
user
This is the login ID of the user who will own the process when it is
executing. This will frequently be the root
user, but some services may use different accounts. It is
a very good idea to apply the principle of least privilege here,
which states that you shouldn't run a command under
a privileged account if the program doesn't require
this for proper functioning. For example, the NNTP news server runs
as news, while services that may pose a security
risk (such as tftp or finger) are often run as
nobody.
server
Gives the full pathname of the
server program to be executed. Internal services are marked by the
keyword internal.
cmdline
This is the command line to be passed to the server. It starts with
the name of the server to be executed and can include any arguments
that need to be passed to it. If you are using the TCP wrapper, you
specify the full pathname to the server here. If not, then you just
specify the server name as you'd like it to appear
in a process list. We'll talk about the TCP wrapper
shortly.This field is empty for internal services.
A
sample inetd.conf file is shown in Example 10-1. The finger service is commented out so that
it is not available. This is often done for security reasons because
it can be used by attackers to obtain names and other details of
users on your system.
Example 10-1. A sample /etc/inetd.conf file
#
# inetd services
ftp stream tcp nowait root /usr/sbin/ftpd in.ftpd -l
telnet stream tcp nowait root /usr/sbin/telnetd in.telnetd -b/etc/issue
#finger stream tcp nowait bin /usr/sbin/fingerd in.fingerd
#tftp dgram udp wait nobody /usr/sbin/tftpd in.tftpd
#tftp dgram udp wait nobody /usr/sbin/tftpd in.tftpd /boot/diskless
#login stream tcp nowait root /usr/sbin/rlogind in.rlogind
#shell stream tcp nowait root /usr/sbin/rshd in.rshd
#exec stream tcp nowait root /usr/sbin/rexecd in.rexecd
#
# inetd internal services
#
daytime stream tcp nowait root internal
daytime dgram udp nowait root internal
time stream tcp nowait root internal
time dgram udp nowait root internal
echo stream tcp nowait root internal
echo dgram udp nowait root internal
discard stream tcp nowait root internal
discard dgram udp nowait root internal
chargen stream tcp nowait root internal
chargen dgram udp nowait root internal
The tftp daemon
is shown commented out as well. tftp implements
the Trivial File
Transfer Protocol (TFTP),
which allows someone to transfer any world-readable files from your
system without password checking. This is especially harmful with the
/etc/passwd file, and even more so when you
don't use shadow passwords.tftp is commonly used by diskless clients
and X terminals to download their code from a boot server. If you
need to run the tftpd daemon for this reason,
make sure to limit its scope to those directories from which clients
will retrieve files; you will need to add those directory names to
tftpd's command line. This is
shown in the second tftp line in the
example.
