Mac OS X provides some GUI controls for managing the service processes. Additionally, you can control the processes manually, which makes it convenient to adjust settings from a remote terminal. In general, we recommend being completely conversant with the manual configuration and control of network services, even if you choose to use the various System Preferences panes to make quick changes on a day-to-day basis. Manual configuration is sometimes less convenient, but so long as your machine is accessible, you will be able to control and configure it this way. Server problems do not limit themselves to occurring when you're sitting at your machine.
Apple ships OS X with many services disabled. In many of the Unix operating systems, you have to be careful to disable some common services that are turned on by default, but that you may not actually need. With OS X, however, many of these common services are wisely disabled. Instead of requiring an expert to secure the machine in its default state, OS X starts off fairly well configured for a novice administrator. Instead, it requires a bit of expertise to turn on useful but potentially dangerous services such as the remote login service.
Under the Services tab of the Sharing pane of the System Preferences panel you find controls to enable or disable the FTP, SSH, World Wide Web, AppleShare, Windows File Sharing, Remote Apple Events, and the Printer Sharing servers. Choose only those services that you really need. Remember, the more services you turn on, the more vulnerable to attack your machine becomes. Figure 11.1 shows the Services tab of the Sharing pane.
The inetd service, the Internet services daemon, configured by the /etc/inetd.conf file, is actually a service that starts and controls other services. It's not practical to start an unlimited number of some types of network services and leave them running right from startup. Depending on the use of your machine, some services might be needed in great numbers (for example, the ftpd FTP server processes, if you serve particularly interesting data and have many people connecting simultaneously). Others might hardly be used at all, such as the sprayd network diagnostic daemon. On your system, the pattern might be the opposite, but regardless of the use, patterns are likely to vary over time. For many of these types of services, the system relieves you of the task of providing the proper number of servers through some manual configuration process by using the inetd daemon to configure and run them on an as-needed basis.
As was mentioned earlier, xinetd can be used as a replacement for inetd. As a matter of fact, starting with Mac OS X 10.2, xinetd is the default Internet services daemon. However, because inetd is a ubiquitous Unix service and its configuration file is easier to read when familiarizing yourself with the basic network services involved, we look at inetd first.
The inetd.conf file, then, is the file that tells inetd which services it should start in response to network requests, and how (at the command-line level) to start them. The inetd.conf file is a set of lines, each line containing a specification for one service. The service specification lines consist of a set of fields separated by tabs or spaces. The fields that must occur on each line are shown in the following list, with a brief description of the data that belongs in them.
Service name (used to look up service port in /etc/services map)
Socket type (stream, dgram, raw, rdm, or seqpacket)
Protocol (tcp or udp, tcp6 or udp6, rpc/tcp, or rpc/udp)
Wait/nowait (for dgram sockets only: whether or not the socket should wait for additional connections before a new server is started; all others get nowait)
User (the user as which the service is run)
Server program (actual path to the binary on disk)
Server program arguments (how the command line would look, if typed, including server name)
The default inetd.conf file as it comes from Apple is shown in Listing 11.1. The # symbol in front of each item indicates that the line is commented out and will not be run. Apple very wisely leaves all these network services off by default. Many of them can be security holes, and it's best if you enable them only as you need and understand them.
1 #
2 # Internet server configuration database
3 #
4 # @(#)inetd.conf 5.4 (Berkeley) 6/30/90
5 #
6 # Items with double hashes in front (##) are not yet implemented in the OS.
7 #
8 #finger stream tcp nowait nobody /usr/libexec/tcpd fingerd -s
9 #ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
10 #login stream tcp nowait root /usr/libexec/tcpd rlogind
11 #nntp stream tcp nowait usenet /usr/libexec/tcpd nntpd
12 #ntalk dgram udp wait root /usr/libexec/tcpd ntalkd
13 #shell stream tcp nowait root /usr/libexec/tcpd rshd
14 #telnet stream tcp nowait root /usr/libexec/tcpd telnetd
15 #uucpd stream tcp nowait root /usr/libexec/tcpd uucpd
16 #comsat dgram udp wait root /usr/libexec/tcpd comsat
17 #tftp dgram udp wait nobody /usr/libexec/tcpd tftpd /private/tftpboot
18 #bootp dgram udp wait root /usr/libexec/tcpd bootpd
19 ##pop3 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/popper
20 ##imap4 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/imapd
21 #
22 # "Small servers" -- used to be standard on, but we're more conservative
23 # about things due to Internet security concerns. Only turn on what you
24 # need.
25 #
26 #chargen stream tcp nowait root internal
27 #chargen dgram udp wait root internal
28 #daytime stream tcp nowait root internal
29 #daytime dgram udp wait root internal
30 #discard stream tcp nowait root internal
31 #discard dgram udp wait root internal
32 #echo stream tcp nowait root internal
33 #echo dgram udp wait root internal
34 #time stream tcp nowait root internal
35 #time dgram udp wait root internal
36 #
37 # Kerberos (version 5) authenticated services
38 #
39 ##eklogin stream tcp nowait root /usr/libexec/tcpd klogind -k -c -e
40 ##klogin stream tcp nowait root /usr/libexec/tcpd klogind -k -c
41 ##kshd stream tcp nowait root /usr/libexec/tcpd kshd -k -c -A
42 #krb5_prop stream tcp nowait root /usr/libexec/tcpd kpropd
43 #
44 # RPC based services (you MUST have portmapper running to use these)
45 #
46 ##rstatd/1-3 dgram rpc/udp wait root /usr/libexec/tcpd rpc.rstatd
47 ##rusersd/1-2 dgram rpc/udp wait root /usr/libexec/tcpd rpc.rusersd
48 ##walld/1 dgram rpc/udp wait root /usr/libexec/tcpd rpc.rwalld
49 ##pcnfsd/1-2 dgram rpc/udp wait root /usr/libexec/tcpd rpc.pcnfsd
50 ##rquotad/1 dgram rpc/udp wait root /usr/libexec/tcpd rpc.rquotad
51 ##sprayd/1 dgram rpc/udp wait root /usr/libexec/tcpd rpc.sprayd
52 #
53 # The following are not known to be useful, and should not be enabled unless
54 # you have a specific need for it and are aware of the possible implications
55 #
56 #exec stream tcp nowait root /usr/libexec/tcpd rexecd
57 #auth stream tcp wait root /usr/libexec/tcpd identd -w -t120
Briefly, the intent of the services on each line is as follows:
Line 8. The fingerd daemon enables external users to finger a user ID and find out whether the ID exists; if it does, how recently and on what terminals the ID has been logged in.
Line 9. The ftpd daemon provides an FTP (file transfer protocol) server.
Line 10. The login service provides service for the rlogin remote login terminal program. Don't turn this on.
Line 11. The nntp service is a Usenet newsgroups server. If your machine is configured to receive news from other servers, you can point your newsreader to your local machine to read news.
Line 12. The ntalk (new protocol talk) daemon provides for real-time chat services. If you're familiar with ICQ, iChat, or IRC, this service is somewhat similar.
Line 13. Provides remote shell service, another way to remotely access machines. This service is required to use certain remote services, such as remote tape archive storage. Because Apple hasn't provided all the software necessary to make full use of these services, we suggest that this be left off as well; it's almost as large a security risk as rlogin and telnet.
Line 14. Provides the telnet daemon to allow remote telnet terminal connections. Don't turn this on. Mac OS X already provides SSH, which can be used more securely for terminal connections.
Line 15. The uucpd service implements the Unix-to-Unix copy protocol. This is an antiquated method for networking Unix machines that can't always be connected to the network. Essentially, it enables network traffic between two sites to be queued until both sites are available on the network, and then exchanges the data. This service is of very limited utility today, and presents a significant security risk because it hasn't really been maintained since the days of 1200-baud modems.
Line 16. The comsat daemon provides notification of incoming mail to mail-reader clients.
Line 17. tftp is trivial file transfer protocol, and is one of the methods of providing file service to completely diskless network clients. You won't need to enable this service unless you're providing network boot services for diskless Unix clients.
Line 18. bootp is a way of transmitting network configuration information to clients. Chances are you'll use DHCP for this, if you have a need to do so, although it's possible that OS X Server could use bootp for netboot clients.
Line 19. pop3 is a POPMail (Post Office Protocol Mail) server. In the file, Apple indicates that this service is not yet available. This server would potentially be used if you were running a mail server and installed a third-party POPMail server.
Line 20. imap4 is an IMAP mail server. Again, this service is not available as of the 10.2 release. This server would potentially be used if you were running a mail server and installed a third-party IMAP mail server.
Lines 26-33. Provide a number of network and network-software diagnostic servers. Unless you are performing network diagnosis and specifically need these, leave them off. They do not cause any known security problems, but if you're not using them, they occupy resources needlessly.
Lines 34 and 35. Provide the time service. (Some servers require both stream and datagram connectivity, and these must be defined on separate lines.) If you want your machine to be a time server, these can be turned on.
Lines 39-42. Start a number of Kerberos (security authentication)-related servers, but most are unavailable from Apple as of the 10.2 release. The krb5_prop service (starting kpropd) is the server that propagates a master Kerberos server's database to slave servers.
Line 46. The rstatd daemon allows systems to connect through the network and get machine status information.
Line 47. The rusersd daemon allows systems to connect through the network and to find information about this system's users. This is generally considered to be a Bad Idea.
Line 48. The walld daemon enables users to write to the screens of all users on the system. This facility is nice if you're root and need to tell your users that the machine is going to go down for maintenance. It's annoying if one of your users starts using it to incessantly ask anyone connected to the machine for help with trivial Unix problems.
Line 49. The pcnfsd daemon provides service for a PC network file system product named pcnfs . Almost everybody uses samba instead nowadays.
Line 50. The rquotad daemon provides disk quota information to remote machines, so that they can enforce quotas that your machine specifies on disks that it is serving to them.
Line 51. sprayd is another network diagnostic server. Simply put, it responds, as rapidly as it can, to packets placed on the network by some other machine's spray process, which places packets on the network as fast as it can. This one would be nice if Apple provided it in a later release because it can be very useful for finding problem hardware in your network.
Line 56. The rexecd daemon allows for the remote execution of parts of programs. Apple claims that it isn't known to be useful, but a programmer can make very good use of this service to perform distributed processing tasks by sending parts of programs to many different machines. Of course, it is also a security risk.
Line 57. Another service that Apple considers to be of no practical use. The identd daemon provides a method for a remote machine to verify the identity of a user causing a connection, inasmuch as any identity can be verified over the network. The service was created because it is very easy for a user accessing, for example, a remote FTP site, to pretend to be a different user on your system, and potentially cause trouble for the person he is pretending to be.
The network services defined in /etc/inetd.conf or in /etc/xinetd.d/ run on the ports specified in the /etc/services file. The /etc/services file defines the port numbers in three sections: Well Known Port Numbers, Registered Port Numbers, and Dynamic and/or Private Ports. Currently the Internet Assigned Numbers Authority (IANA), http://www.iana.org/, coordinates port assignments. The assignments used to be maintained in an RFC, but as the Internet grew, the RFC was replaced by IANA. If you decide to run a service from inetd or xinetd on a nonstandard port, update your /etc/services file to include the port number and service name. You might check IANA for the latest port assignment information. However, if you decide to run a service on a port that officially belongs to another service, you won't experience any problems unless you are also trying to run the service that is supposed to run on that port. If you should end up having to run a service on a nonstandard port, the only one who will be confused is the attacker probing your machine.
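As an added example (not code from the chapter or from Apple), here is a small Python audit script that reads an inetd.conf-style file together with an /etc/services-style file, reports which service lines are actually enabled (not commented out), joins each to its port by service name and protocol, and flags the ones the chapter says to leave off. Both inputs are constructed samples embedded inline; point the functions at the real files to audit a machine.

```python
# Constructed excerpt in the format of Listing 11.1, with a few entries
# uncommented as if an administrator had enabled them (sample data).
SAMPLE_INETD_CONF = """\
# Internet server configuration database
ftp     stream  tcp     nowait  root    /usr/libexec/tcpd  ftpd -l
#login  stream  tcp     nowait  root    /usr/libexec/tcpd  rlogind
telnet  stream  tcp     nowait  root    /usr/libexec/tcpd  telnetd
ntalk   dgram   udp     wait    root    /usr/libexec/tcpd  ntalkd
daytime stream  tcp     nowait  root    internal
##pop3  stream  tcp     nowait  root    /usr/libexec/tcpd  /usr/local/libexec/popper
"""
# Constructed /etc/services excerpt, same "name port/proto" layout as the real file.
SAMPLE_SERVICES = "ftp 21/tcp\ntelnet 23/tcp\nntalk 518/udp\ndaytime 13/tcp\ndaytime 13/udp\n"
# Services the chapter says to leave off: rlogin (login), rsh (shell), telnet.
RISKY = {"login", "shell", "telnet"}

def parse_services(text):
    """Map (service name, protocol) -> port number from /etc/services text."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            ports[(name, proto)] = int(port)
    return ports

def enabled_services(conf, ports):
    """One record per active (uncommented) inetd.conf line, joined to its port."""
    active = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out: inetd ignores it
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip rather than guess at it
        name, _socktype, proto, _wait, user, server = fields[:6]
        base = proto.split("/")[-1].rstrip("6")  # rpc/udp -> udp, tcp6 -> tcp
        active.append({
            "service": name, "port": ports.get((name, base)), "protocol": proto,
            "user": user, "wrapped": server.endswith("/tcpd"),  # via TCP wrappers
            "risky": name in RISKY, "command": " ".join(fields[5:]),
        })
    return active

def audit(conf=SAMPLE_INETD_CONF, services=SAMPLE_SERVICES):
    """Names of enabled services the chapter advises against, sorted for review."""
    recs = enabled_services(conf, parse_services(services))
    return sorted(r["service"] for r in recs if r["risky"])
```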
Some services start from /System/Library/StartupItems at boot time. Unlike the types of services that are controlled by inetd, these services are most efficient if they are running all the time. These services are root-owned daemon processes that run continuously, listening for connections and forking off new client-handling processes under restricted privileges. inetd and xinetd are two such services. Some of these services have additional controls in the /etc/hostconfig file that the startup scripts check. For example, the SSH server, the AppleShare server, and the mail server are controlled in such a fashion.
If you enabled those services but later decide to disable them, set the appropriate /etc/hostconfig variable to -NO- and kill their current processes. The next time you reboot, the services won't start. To manually start one of those services, set the appropriate variable in /etc/hostconfig to -YES- and manually execute the startup script. How this is done depends on the startup script. For some, using SystemStarter (SystemStarter start <path-to-service-directory>) may be appropriate. For others, passing the start action to the script (<startup script> start) might work instead. For others still, simply executing the startup script without passing the start action is sufficient. For example, for the SSH server, you would make the SSHSERVER line in /etc/hostconfig read SSHSERVER=-YES-. Then you would execute /System/Library/StartupItems/SSH/SSH. To disable a service that doesn't have a control in /etc/hostconfig, simply rename the startup script and kill its process.
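As an added example (not the chapter's or Apple's code), the following Python helpers set an /etc/hostconfig variable to -YES- or -NO- without disturbing the rest of the file, and check whether a startup script's hostconfig test would let the service start on the next boot. The hostconfig excerpt and the startup-script fragment are constructed samples; the fragment follows the "${VAR:=-NO-}" = "-YES-" test pattern the chapter describes, which is an assumption about the script's exact shell syntax.

```python
import re

# Constructed /etc/hostconfig excerpt (sample data, not a real machine's file).
SAMPLE_HOSTCONFIG = """\
# /etc/hostconfig
AFPSERVER=-NO-
SSHSERVER=-YES-
WEBSERVER=-NO-
"""

# Constructed fragment of a StartupItems script: it checks its /etc/hostconfig
# variable before starting the daemon (assumed syntax, for illustration only).
SAMPLE_STARTUP_SCRIPT = """\
. /etc/rc.common
if [ "${SSHSERVER:=-NO-}" = "-YES-" ]; then
    ConsoleMessage "Starting SSH server"
    /usr/sbin/sshd
fi
"""

def parse_hostconfig(text):
    """Map VARIABLE -> value (-YES-, -NO-, ...) from hostconfig text, ignoring comments."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z0-9_]+)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def set_hostconfig(text, name, enabled):
    """Return hostconfig text with NAME set to -YES- or -NO-, keeping every
    other line intact; the variable is appended if it is not present yet."""
    value = "-YES-" if enabled else "-NO-"
    pattern = re.compile(r"^%s=.*$" % re.escape(name), re.M)
    if pattern.search(text):
        return pattern.sub("%s=%s" % (name, value), text)
    return text + ("" if text.endswith("\n") else "\n") + "%s=%s\n" % (name, value)

def gating_variable(script_text):
    """Which hostconfig variable a startup script tests before starting, or None."""
    m = re.search(r'\$\{([A-Z0-9_]+):=-NO-\}"?\s*=\s*"-YES-"', script_text)
    return m.group(1) if m else None

def will_start(hostconfig_text, script_text):
    """True when the script's gating variable reads -YES- in hostconfig."""
    var = gating_variable(script_text)
    return var is not None and parse_hostconfig(hostconfig_text).get(var) == "-YES-"
```

Setting the variable only affects the next boot; as the chapter says, the running daemon still has to be killed by hand.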
Some third-party packages put startup scripts in /Library/StartupItems . To disable a service whose startup script is located in this directory, rename the startup script or the directory it is in and kill its process.