The inetd Daemon and the inetd.conf Configuration File


Although there are a fair number of daemons in the base system that have .conf files in the /etc directory, the most important (and sensitive) one you will have to deal with is inetd, the "super-server." The job of inetd is to listen for connections on a specified set of network ports and fire off the appropriate server process when a request comes in.

For instance, inetd is in charge of Telnet connections; if your system allows Telnet, you can open a connection to it and receive a login prompt without any telnetd process running on the server beforehand. Every time the system receives a connection request on port 23, it creates a new telnetd process to handle the connection. Executable programs that run out of inetd (and other similar daemons) are located in /usr/libexec. These programs are not generally part of your command path and are not supposed to be run from the command line; instead, they are spawned from within another process and passed certain resources (such as environment variables and network connections).

Note

The use of inetd eliminates the need for a "master" telnetd process running as root, which is a situation that could be particularly dangerous if a security vulnerability were to be uncovered in telnetd. Many daemons, including sshd, httpd (Apache), and Sendmail, do run in this standalone mode rather than being called out of inetd. The master process (running as root) listens for the new connections and spawns new processes, owned by an unprivileged user, to handle each transaction. This allows for greater flexibility and speed in the program, at the expense of a centralized security risk. inetd also runs as root, so it is just as dangerous if inetd is compromised. The more daemons that run as root, the more possibilities there are for security holes to be found.


During installation (in Chapter 2), you were given the option to enable inetd, and if so, to edit the /etc/inetd.conf file to your taste. If you did this, you remember that all the services listed in the configuration file were commented out and disabled by default. You had to specifically enable any services you wished to be run out of inetd. Indeed, modern versions of FreeBSD subtly encourage you not to use inetd if possible; after all, some of the most notoriously insecure network services (such as Telnet and FTP) are traditionally run from inetd, and if you can get along without them, so much the better. However, if you're running a public server, chances are that you'll need (or at least want) to enable services such as FTP, POP, and IMAP to accommodate the needs of your users.

Note

There are generally better, more secure alternatives to the clear-text services traditionally run from inetd; most of them tend to be standalone daemons, including third-party FTP and mail servers, often with available encryption. For more information on tuning your system for optimal security, see Chapter 30, "Network Security."


If you want to use inetd, make sure the following line is in your /etc/rc.conf file:

inetd_enable="YES"


Table 14.2 shows some of the most popular services that are traditionally run through inetd. None of these are enabled by default, but you might find it necessary to enable some of them, according to your system's needs.

Table 14.2. System Services Traditionally Run from inetd

Service         Description                                        Port(s)/Resources Used
ftp             File Transfer Protocol                             Port 21/TCP
telnet          Remote terminal                                    Port 23/TCP
comsat          "biff" server (notifies users of incoming mail)    Port 512/UDP
ntalk           Command-line chat server                           Port 518/TCP, UDP
ftp (IPv6)      File Transfer Protocol                             IPv6
telnet (IPv6)   Remote terminal                                    IPv6
pop3            Post Office Protocol                               Port 110/TCP
imap4           Interim Mail Access Protocol (server-side mail)    Port 143/TCP
smtp            Qmail (alternative to Sendmail SMTP server)        Port 25/TCP
netbios-ssn     Samba file sharing with Windows                    Port 139/TCP
netbios-ns      Samba file sharing with Windows                    Port 137/TCP
finger          Lookup user information                            Port 79/TCP


To enable any one of these services, simply remove the comment (#) from the beginning of the line and then restart the inetd server, as follows:

# ps -waux | grep inetd
root    110  0.0  0.6  1032  752  ??  Ss    11:57PM   0:00.01 inetd
# kill -HUP 110


inetd is one of the areas of FreeBSD without a lot of built-in automation or safety nets to prevent bad configurations. If you must enable services in /etc/inetd.conf, be aware that you're venturing into a nonstandard type of setup, and you should know what you're getting into. For instance, the cvs services come with a dire warning about a security hole that can be opened up with a misconfigured parameter. The Samba services (netbios-ssn and netbios-ns) expect to find the smbd and nmbd binaries in /usr/local/sbin, but they won't be there unless you have installed Samba from the ports or packages. (Running Samba from inetd instead of in standalone mode is a nonstandard, alternative configuration.)

Similarly, other services (such as pop3) try to run server programs installed into /usr/local/libexec. But remember, this directory is inside /usr/local, meaning that unless you explicitly installed a program into that location, it won't be there. Installing the popper port/package puts the necessary executable program into that directory, so you can enable the service in inetd. However, if you choose instead to install the qpopper port/package (another POP3 server), the executable is qpopper instead of popper, and you have to modify the line accordingly:

pop3   stream   tcp     nowait   root    /usr/local/libexec/qpopper      qpopper


Numerous other pitfalls await the unwary. Be sure not to modify the inetd services any more extensively than you really have to. The man inetd page provides a more extensive discussion of the syntax and technique of handling inetd.
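As an added example that is not from the book, the following sh script performs the check the last few paragraphs describe by hand: it lists every entry left uncommented in an inetd.conf, the user each server runs as, and whether the named server binary actually exists on the host (the /usr/local/sbin and /usr/local/libexec problem above). The configuration it reads is a constructed sample written to a temporary file, and the function names audit_inetd_conf and count_root_services are the example's own.

```shell
#!/bin/sh
# Added example (not the book's): audit an inetd.conf for enabled services,
# the user each runs as, and whether the server binary exists on this host.
# SAMPLE_CONF is a constructed sample; point the functions at /etc/inetd.conf
# on a real system.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#ftp        stream  tcp  nowait  root    /usr/libexec/ftpd            ftpd -l
#telnet     stream  tcp  nowait  root    /usr/libexec/telnetd         telnetd
pop3        stream  tcp  nowait  root    /usr/local/libexec/qpopper   qpopper
finger      stream  tcp  nowait  nobody  /usr/libexec/fingerd         fingerd -s
daytime     stream  tcp  nowait  root    internal
#netbios-ssn stream tcp  nowait  root    /usr/local/sbin/smbd         smbd
EOF

# One output line per enabled (uncommented, non-blank) entry:
#   service user server status
# status is MISSING when the server path is not an executable on this host;
# "internal" services are handled by inetd itself and need no binary.
audit_inetd_conf() {
    # inetd.conf fields: service socktype proto wait user server args...
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r svc socktype proto wait user server args; do
        if [ "$server" = "internal" ] || [ -x "$server" ]; then
            status=ok
        else
            status=MISSING
        fi
        printf '%s %s %s %s\n' "$svc" "$user" "$server" "$status"
    done
}

# Number of enabled entries whose server process is started as root.
count_root_services() {
    audit_inetd_conf "$1" | awk '$2 == "root"' | wc -l | tr -d ' '
}

audit_inetd_conf "$SAMPLE_CONF"
echo "enabled entries running as root: $(count_root_services "$SAMPLE_CONF")"
```

Run against the real /etc/inetd.conf, a MISSING line is exactly the popper/qpopper mismatch described above, caught before inetd is sent a HUP.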




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann