Network services can be started in one of two ways. In the first case, a service daemon is started at boot time with the help of rc scripts. These scripts are stored in the /sbin/init.d directory and are linked to startup and shutdown scripts in the /sbin/rcn.d directories, where n is a system run level. Configuration files for these scripts are present in the /etc/rc.config.d directory. Management of startup and shutdown scripts has already been discussed in Chapter 14.
The second method of starting a service is through the inetd daemon. It is also called a TCP wrapper and listens on a number of network ports, depending on which network services are enabled through it. When a connection request arrives at a particular port, inetd starts a server process according to its configuration file entry for that service.
Server daemons are started with the help of the /sbin/rc script, which is executed during the system startup process. It scans the /sbin/rcn.d directory at each system run level, where n in the directory name represents the run level. Each of these directories contains link files that point to the actual scripts in the /sbin/init.d directory. The link file names start with either the letter S or the letter K. A name starting with S shows that the service is started at this run level, while a name starting with K shows that the service is stopped when the system moves into this run level. For example, the file S370named in the directory /sbin/rc2.d is linked to /sbin/init.d/named. It shows that the script /sbin/init.d/named is run when the system enters run level 2. This script starts the domain name server daemon used to resolve host names.
When a daemon is started, it binds itself to its designated port and starts listening to incoming connection requests on that port. Any client on the network can then send a request at that port and start communication with the server process.
The inetd daemon is started at run level 2. It listens for incoming connection requests for many services. When a request arrives at a certain port, it invokes the server process corresponding to that port and then goes back to listening on that port. At startup time, the inetd daemon reads its configuration file, /etc/inetd.conf, which contains a list of the services to be served by inetd. This file contains one line for each service. A line starting with the # character is a comment line. A typical entry for the telnet service in this file is as follows.
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
Each line contains seven fields, as listed next. These fields show how the service will behave and what server process will be invoked.

| Field | Description |
|---|---|
| Service Name | The name of the service as listed in the /etc/services or /etc/rpc file. In the telnetd example above, the service name is telnet. |
| Socket Type | Either stream or dgram. This shows the type of socket used for the service. In the above-mentioned example, the socket type is stream. The stream type socket is used with the TCP protocol and the dgram type socket is used with the UDP protocol. |
| Protocol | One of the protocols listed in /etc/protocols. This shows the protocol used for the service. The protocol used for the telnet service is TCP. |
| Wait/nowait | The wait keyword applies to dgram sockets only; for stream-based sockets, nowait is used. This field configures a service as single-threaded or multithreaded. The wait keyword causes inetd to wait until the previously started server process finishes. When the previous instance finishes, inetd starts listening on the port again, so the service is activated as single threaded. With the nowait keyword, inetd starts the server process for an incoming request and immediately starts listening on the port again. If a second request arrives while the first server instance is still running, another instance of the server process is started. Usually UDP-based services use wait, whereas TCP services use nowait. |
| User | The name of the user who will own the server process. |
| Server Program | The complete path to the server program file. |
| Arguments | This last field contains the list of arguments to be passed to the server program. The first argument is the program name itself. |
A sample /etc/inetd.conf file is shown next; it lists the services invoked with the help of the inetd daemon. An entry can be continued on the next line by placing a backslash character at the end of a line. Lines starting with the # character are comments.

# @(#)inetd.conf $Revision: 188.8.131.52 $ $Date: 97/09/10 14:50:49 $
#
# See the inetd.conf(4) manual page for more information.
#
# ARPA/Berkeley services
#
ftp      stream tcp nowait root /usr/lbin/ftpd       ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd    telnetd
# Before uncommenting the "tftp" entry below, please make sure
# that you have a "tftp" user in /etc/passwd. If you don't
# have one, please consult the tftpd(1M) manual entry for
# information about setting up this service.
tftp     dgram  udp wait   root /usr/lbin/tftpd      tftpd\
         /opt/ignite\
         /var/opt/ignite
#bootps  dgram  udp wait   root /usr/lbin/bootpd     bootpd
#finger  stream tcp nowait bin  /usr/lbin/fingerd    fingerd
login    stream tcp nowait root /usr/lbin/rlogind    rlogind
shell    stream tcp nowait root /usr/lbin/remshd     remshd
exec     stream tcp nowait root /usr/lbin/rexecd     rexecd
#uucp    stream tcp nowait root /usr/sbin/uucpd      uucpd
ntalk    dgram  udp wait   root /usr/lbin/ntalkd     ntalkd
ident    stream tcp wait   bin  /usr/lbin/identd     identd
printer  stream tcp nowait root /usr/sbin/rlpdaemon  rlpdaemon -i
daytime  stream tcp nowait root internal
daytime  dgram  udp nowait root internal
time     stream tcp nowait root internal
#time    dgram  udp nowait root internal
echo     stream tcp nowait root internal
echo     dgram  udp nowait root internal
discard  stream tcp nowait root internal
discard  dgram  udp nowait root internal
chargen  stream tcp nowait root internal
chargen  dgram  udp nowait root internal
##
# rpc services, registered by inetd with portmap
# Do not uncomment these unless your system is running portmap!
##
# WARNING: The rpc.mountd should now be started from a startup script.
# Please enable the mountd startup script to start rpc.mountd.
##
#rpc stream tcp nowait root /usr/sbin/rpc.rexd                   100017 1   rpc.rexd
#rpc dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd     100001 2-4 rpc.rstatd
#rpc dgram  udp wait   root /usr/lib/netsvc/rusers/rpc.rusersd   100002 1-2 rpc.rusersd
#rpc dgram  udp wait   root /usr/lib/netsvc/rwall/rpc.rwalld     100008 1   rpc.rwalld
#rpc dgram  udp wait   root /usr/sbin/rpc.rquotad                100011 1   rpc.rquotad
#rpc dgram  udp wait   root /usr/lib/netsvc/spray/rpc.sprayd     100012 1   rpc.sprayd
##
#
# The standard remshd and rlogind do not include the Kerberized
# code. You must install the InternetSvcSec/INETSVCS-SEC fileset and
# configure Kerberos as described in the SIS(5) man page.
#
##
kshell   stream tcp nowait root /usr/lbin/remshd     remshd -K
klogin   stream tcp nowait root /usr/lbin/rlogind    rlogind -K
The /etc/services file maps service names to the corresponding port numbers and the protocols used on those ports. The services mentioned in this file are well known. When the inetd daemon reads its configuration file, /etc/inetd.conf, and decides which services to start, it consults the /etc/services file to determine the port for each of these services. A sample file is shown next. Following the port number and protocol, an alias may be specified for the service.

# @(#)services $Revision: 184.108.40.206 $ $Date: 97/09/10 14:50:42 $
# The form for each entry is:
# <official service name>  <port number/protocol name>  <aliases>
tcpmux        1/tcp                      # TCP port multiplexer (RFC 1078)
echo          7/tcp                      # Echo
echo          7/udp                      #
discard       9/tcp   sink null          # Discard
discard       9/udp   sink null          #
systat       11/tcp   users              # Active Users
daytime      13/tcp                      # Daytime
daytime      13/udp                      #
qotd         17/tcp   quote              # Quote of the Day
chargen      19/tcp   ttytst source      # Character Generator
chargen      19/udp   ttytst source      #
ftp-data     20/tcp                      # File Transfer Protocol (Data)
ftp          21/tcp                      # File Transfer Protocol (Control)
telnet       23/tcp                      # Virtual Terminal Protocol
smtp         25/tcp                      # Simple Mail Transfer Protocol
time         37/tcp   timeserver         # Time
time         37/udp   timeserver         #
rlp          39/udp   resource           # Resource Location Protocol
whois        43/tcp   nicname            # Who Is
domain       53/tcp   nameserver         # Domain Name Service
domain       53/udp   nameserver         #
bootps       67/udp                      # Bootstrap Protocol Server
bootpc       68/udp                      # Bootstrap Protocol Client
tftp         69/udp                      # Trivial File Transfer Protocol
rje          77/tcp   netrjs             # private RJE Service
finger       79/tcp                      # Finger
http         80/tcp   www                # World Wide Web HTTP
http         80/udp   www                # World Wide Web HTTP
link         87/tcp   ttylink            # private terminal link
supdup       95/tcp                      #
hostnames   101/tcp   hostname           # NIC Host Name Server
tsap        102/tcp   iso_tsap iso-tsap  # ISO TSAP (part of ISODE)
pop         109/tcp   postoffice pop2    # Post Office Protocol - Version 2
pop3        110/tcp   pop-3              # Post Office Protocol - Version 3
portmap     111/tcp   sunrpc             # SUN Remote Procedure Call
portmap     111/udp   sunrpc             #
ident       113/tcp   authentication     # RFC1413
sftp        115/tcp                      # Simple File Transfer Protocol
uucp-path   117/tcp                      # UUCP Path Service
nntp        119/tcp   readnews untp      # Network News Transfer Protocol
ntp         123/udp                      # Network Time Protocol
netbios_ns  137/tcp                      # NetBIOS Name Service
netbios_ns  137/udp                      #
netbios_dgm 138/tcp                      # NetBIOS Datagram Service
netbios_dgm 138/udp                      #
netbios_ssn 139/tcp                      # NetBIOS Session Service
netbios_ssn 139/udp                      #
bftp        152/tcp                      # Background File Transfer Protocol
snmp        161/udp   snmpd              # Simple Network Management Protocol Agent
snmp-trap   162/udp   trapd              # Simple Network Management Protocol Traps
bgp         179/tcp                      # Border Gateway Protocol
biff        512/udp   comsat             # mail notification
exec        512/tcp                      # remote execution, passwd required
login       513/tcp                      # remote login
who         513/udp   whod               # remote who and uptime
shell       514/tcp   cmd                # remote command, no passwd used
syslog      514/udp                      # remote system logging
printer     515/tcp   spooler            # remote print spooling
talk        517/udp                      # conversation
ntalk       518/udp                      # new talk, conversation
route       520/udp   router routed      # routing information protocol
efs         520/tcp                      # Extended file name server
timed       525/udp   timeserver         # remote clock synchronization
tempo       526/tcp   newdate            #
courier     530/tcp   rpc                #
conference  531/tcp   chat               #
netnews     532/tcp   readnews           #
netwall     533/udp                      # Emergency broadcasting
uucp        540/tcp   uucpd              # uucp daemon
<Some data deleted from here>
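The following example code (added here; it is not HP-UX's own tooling) parses the seven-field /etc/inetd.conf layout described above, including backslash continuation lines and six-field "internal" entries, and then looks up each active service's port in /etc/services the way inetd does at startup. The two sample files are constructed subsets of the listings shown above; a service missing from /etc/services (kshell in the sample) resolves to None so that it stands out in an audit.

```python
SAMPLE_INETD_CONF = """\
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd\\
        /opt/ignite\\
        /var/opt/ignite
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
daytime stream tcp nowait root internal
kshell  stream tcp nowait root /usr/lbin/remshd  remshd -K
"""
SAMPLE_SERVICES = """\
daytime  13/tcp   # Daytime
ftp      21/tcp   # File Transfer Protocol (Control)
telnet   23/tcp   # Virtual Terminal Protocol
tftp     69/udp   # Trivial File Transfer Protocol
"""
FIELDS = ("service", "socket", "protocol", "wait", "user", "program")
def _logical_lines(text):
    """Yield entries with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):  # entry continues on the next line
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            yield line
def parse_inetd_conf(text):
    """One dict per active entry; 'arguments' is the seventh field (empty for internal services)."""
    entries = []
    for line in _logical_lines(text):
        parts = line.split()
        entries.append(dict(zip(FIELDS, parts[:6]), arguments=parts[6:]))
    return entries
def parse_services(text):
    """{(name, protocol): port} from /etc/services; aliases map to the same port."""
    table = {}
    for line in _logical_lines(text):
        parts = line.split()
        port, proto = parts[1].split("/")
        for name in [parts[0]] + parts[2:]:
            table[(name, proto)] = int(port)
    return table
def enabled_ports(conf_text, services_text):
    """(port or None, protocol, service, user) per active entry; None = no /etc/services entry."""
    ports = parse_services(services_text)
    return [(ports.get((e["service"], e["protocol"])), e["protocol"], e["service"], e["user"])
            for e in parse_inetd_conf(conf_text)]
```

Running enabled_ports over the real files gives a quick inventory of which ports inetd will open, and under which user, before the system is exposed to the network.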
To add security to the inetd daemon, the /var/adm/inetd.sec file is used. This file provides an extra layer of security for services started with inetd . This is in addition to security implemented by a service itself. The inetd daemon can selectively allow or deny access to other hosts using the /var/adm/inetd.sec file. The following rules apply to this file.
If this file does not exist, all hosts are granted access to start an inetd service.
If this file exists but is empty, access to all inetd services is allowed.
If the file exists and contains some of the service names in the specified format, only access to listed services is allowed.
Each line in the file starts with a service name followed by the allow or deny keyword. After that comes a host specifier, which may contain a host name or an IP address. Multiple host names can be separated by spaces. Wildcards can be used in IP addresses. Consider the following line in this file as an example.
ftp allow 192.168.2.* hp0
This line grants FTP access to all hosts in network 192.168.2 and to the host named hp0. A sample /var/adm/inetd.sec file is shown next.

login allow 10.3-5 220.127.116.11 ahost anetwork
#
# The above entry allows the following hosts to attempt to access your system
# using rlogin:
#   hosts in subnets 3 through 5 in network 10,
#   the host with an Internet Address of 18.104.22.168,
#   the host by the name of "ahost",
#   all the hosts in the network "anetwork"
#
mountd deny 22.214.171.124
#
# The mountd entry denies host 126.96.36.199 access to the NFS rpc.mountd
# server.
#
# Hosts and network names must be official names, not aliases.
# See the inetd.sec(4) manual page for more information.
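As an added example (not part of the original text or of HP-UX itself), the code below applies the inetd.sec rules described above to a connecting host: it parses service/allow-or-deny/host-specifier lines, expands the wildcard and range forms shown in the sample (192.168.2.*, 10.3-5, where omitted trailing octets act as wildcards), and compares name specifiers with the host name without doing any name resolution. It assumes one line per service and, as the inetd.sec(4) default, treats a service with no entry as open to every host; the 172.16.4.9 address in the sample is made up.

```python
import re
# Constructed sample: the specifier forms are those shown on the page.
SAMPLE_INETD_SEC = """\
login  allow 10.3-5 ahost anetwork
mountd deny  172.16.4.9
ftp    allow 192.168.2.* hp0
# blank and comment lines are ignored
"""
_IP_SPEC = re.compile(r"^[0-9.*-]+$")  # anything else is a host or network name
def parse_inetd_sec(text):
    """Return {service: (action, [host specifiers])}; one line per service assumed."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("allow", "deny"):
            raise ValueError("malformed inetd.sec line: %r" % line)
        rules[fields[0]] = (fields[1], fields[2:])
    return rules
def _octet_matches(pattern, value):
    """'*' matches any octet, 'a-b' is an inclusive range, otherwise exact match."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value
def host_matches(spec, hostname, ip):
    """IP specifiers may use '*' and ranges; omitted trailing octets act as '*'
    (so 10.3-5 covers 10.3.0.0 through 10.5.255.255). Other specifiers are
    compared with the host name; no name resolution is done here."""
    if _IP_SPEC.match(spec):
        patterns = spec.split(".")
        patterns += ["*"] * (4 - len(patterns))
        return all(_octet_matches(p, int(o)) for p, o in zip(patterns, ip.split(".")))
    return spec.lower() == hostname.lower()
def access_allowed(rules, service, hostname, ip):
    """A service without an inetd.sec entry is open to every host (inetd.sec(4) default)."""
    if service not in rules:
        return True
    action, specs = rules[service]
    matched = any(host_matches(s, hostname, ip) for s in specs)
    return matched if action == "allow" else not matched
```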
Table 30-3 lists configuration and security files used for Internet services and a short description of each.
| File | Description |
|---|---|
| /etc/inetd.conf | Configuration file for the inetd daemon |
| /etc/services | Lists service names and the ports/protocols used with these services |
| /var/adm/inetd.sec | Security file that adds an extra layer of security for inetd |
| /etc/hosts.equiv | Host equivalency file used to allow or deny access for specific services |
| $HOME/.rhosts | User-defined file used to allow or deny incoming network requests |
Before actual data communication starts, the client and server establish a communication session. If the server process is started as a daemon at boot time, it listens to its well-defined port for any incoming connection. If the server process is controlled by inetd , the inetd daemon reads its /etc/inetd.conf file configuration, gets the port number for all services from the /etc/services file, and starts listening to all of these ports. As soon as a connection request is received on a port, the inetd daemon starts the corresponding service daemon.
On the client side, when you start a client, for example telnet, it does not need to know the port name for the server process on the server host, as it is already defined. It opens a socket on an available port number, usually larger than 1024, on the client side and tries to connect to the server port (port number 23 in the case of telnet). After the incoming connection is accepted, a session is established between client and server and data communication starts, depending on the protocol used. A list of open network ports and established socket connections may be displayed using the netstat -a command.