INETD.SEC(4)  —  Series 300 and 800 Only

NAME

inetd.sec − optional security file for inetd

DESCRIPTION

When inetd(1M) accepts a connection from a remote system, it checks the address of the requesting host against the list of hosts allowed or denied to use the requested service.  The file inetd.sec lets the system administrator limit how many remote services can be running on the local system at once and which hosts (or whole networks) may start services remotely.  This file is an extra layer of security in addition to the checks done by the services themselves, and it is applied first: the internet daemon will not start a server unless the host requesting the service is a valid host according to inetd.sec. 

If inetd.sec is not found in the /usr/adm directory, the only security is that implemented by the servers.  Both inetd.sec and the directory /usr/adm should be writable only by their owners, since anyone who can write either can alter or remove the access list.  Changes to inetd.sec apply to any subsequent connections. 

Comments in inetd.sec have a ‘#’ at the beginning of the line.  They are not allowed at the end of a line of data. 

The first line of data in the file may state the number of remote services that can be started simultaneously.  Defining MAXNUM is optional; if this line is not present, MAXNUM is 1000.  The format of that line is:

MAXNUM     number

where MAXNUM is a keyword and number is the maximum number of simultaneous remote services allowed.  MAXNUM can be separated from number by any number of blanks and/or tabs. 

Each other line in the file contains a service name, a permission field, and the internet addresses or official names of the hosts and/or networks that are allowed or denied the use of that service on the local host.  The fields of this line are as follows:

<service name> <allow/deny> <host/net addresses, host/net names>

Service name is the name (not alias) of a valid service in the file /etc/services.  The service name for RPC-based services (NFS) is the name (not alias) of a valid service in the file /etc/rpc.  A service name in /etc/rpc corresponds to a unique RPC program number. 

Allow/deny determines whether the list of remote hosts in the next field is allowed or denied the use of the service.  If there is more than one allow/deny line for a particular service, only the first is used; all later lines for that service are ignored, so a later deny line cannot narrow an earlier allow line. 

The addresses and names are separated by white space.  Any mix of addresses and names is allowed.  A line can be continued if it ends with ‘\’. 

The addresses are the official internet addresses of the hosts or networks as used in files such as /etc/hosts.  A wildcard character ‘*’ and a range character ‘-’ are allowed, and either may appear in any field of the address.  An address is a string of fields separated by ‘.’. 

EXAMPLES

A wildcard character permits a whole network, for example, to communicate with the local host without having to list all the hosts in that network. 

For example:

login           allow   10.*  192.54.24.5

allows all the hosts with network addresses starting with a 10, as well as the single host with address 192.54.24.5, to use rlogin.

On a system running NFS,

sprayd          deny    192.54.24.5

denies the host 192.54.24.5 access to sprayd, an RPC-based server.

A range is a field containing a ‘-’ character.  For example:

shell           deny    10.3-5.*

denies the use of remsh to hosts in network 10 (the arpa network) whose second address field is in the range 3 through 5, that is, subnets 3 through 5.

The names are the official names of the hosts as listed in /etc/hosts and the official names of the networks as listed in /etc/networks. 

For example, if “testlan” and “testhost” are entries in /etc/networks and /etc/hosts respectively, and “192.54.24.5” is a correct host address, then the following entry for rlogin is acceptable:

login           deny    192.54.24.5 testlan testhost

Access to the local host through rlogin from the above network and hosts will be denied. 

If a remote service is not listed in the security file, or is listed but not followed by allow or deny, then all remote hosts can attempt to use it.  The only security is then that provided by the server. 

For example, the following line in inetd.sec allows all hosts to use ftp:

ftp

To allow any host access to a service, for example remsh, use the following line in inetd.sec:

shell   allow

To deny every host access to a service, replace allow with deny in the previous example; a deny line with no host list denies all hosts. 
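The rules described above (whole-line comments, ‘\’ continuation, the optional MAXNUM line, first-line-wins for a service listed twice, wildcard and range address fields, host and network names, the bare allow/deny lines, and a service listed with no permission field) are small enough to model end to end.  The Python below is an added example for this page, not HP's inetd code: it parses a constructed inetd.sec and answers, for one connection at a time, the question inetd asks before starting a server.  The HOSTS and NETWORKS tables stand in for /etc/hosts and /etc/networks and are assumptions, as is treating a trailing ‘*’ as covering every remaining address field and treating a name as a network name when it appears in the networks table and otherwise as a host name.

```python
import re

# Constructed stand-ins for the official names in /etc/hosts and /etc/networks
# (assumptions for this demo; real inetd does its own lookups).
HOSTS = {"192.54.24.5": "testhost", "10.3.1.7": "devbox"}  # address -> official host name
NETWORKS = {"testlan": "192.54.24", "devnet": "10.3"}      # official network name -> number

DEFAULT_MAXNUM = 1000
_ADDRESS = re.compile(r"[0-9.*-]+")   # entries made only of these are address patterns


def parse_inetd_sec(text):
    """Return (maxnum, rules); rules maps service -> (verdict, entries), where
    verdict is 'allow', 'deny' or None for a service listed without one."""
    joined = text.replace("\\\n", " ")     # a line ending in '\' continues on the next
    maxnum, rules, first_data_line = DEFAULT_MAXNUM, {}, True
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments are whole lines, never trailing
            continue
        fields = line.split()
        if first_data_line:
            first_data_line = False
            if fields[0] == "MAXNUM":          # optional, and only as the first data line
                maxnum = int(fields[1])
                continue
        service = fields[0]
        if service in rules:                   # only the first line per service counts
            continue
        if len(fields) == 1:
            rules[service] = (None, [])        # listed without allow/deny: open to all
            continue
        if fields[1] not in ("allow", "deny"):
            raise ValueError("bad permission field on line: %r" % line)
        rules[service] = (fields[1], fields[2:])
    return maxnum, rules


def _field_matches(pat, value):
    """One dotted field: '*' matches anything, 'a-b' is an inclusive range."""
    if pat == "*":
        return True
    if "-" in pat:
        lo, hi = pat.split("-", 1)
        return int(lo) <= int(value) <= int(hi)
    return pat == value


def address_matches(pattern, addr):
    """Field-by-field match of a pattern such as '10.3-5.*' against addr.
    Assumption: a trailing '*' covers every remaining field ('10.*' is 10.x.y.z)."""
    pfields, afields = pattern.split("."), addr.split(".")
    if pfields[-1] == "*":
        pfields = pfields[:-1] + ["*"] * (len(afields) - len(pfields) + 1)
    if len(pfields) != len(afields):
        return False
    return all(_field_matches(p, a) for p, a in zip(pfields, afields))


def entry_matches(entry, addr, hosts=HOSTS, networks=NETWORKS):
    """An entry is an address pattern, an official network name, or an official host name."""
    if _ADDRESS.fullmatch(entry):
        return address_matches(entry, addr)
    if entry in networks:
        return address_matches(networks[entry] + ".*", addr)
    return hosts.get(addr) == entry           # reverse lookup must yield the official name


def check_access(rules, service, addr, maxnum=DEFAULT_MAXNUM, active=0,
                 hosts=HOSTS, networks=NETWORKS):
    """True if inetd would start `service` for a connection from `addr`;
    `active` is how many remote services are already running (the MAXNUM check)."""
    if active >= maxnum:
        return False
    verdict, entries = rules.get(service, (None, []))
    if verdict is None:                       # unlisted, or listed with no allow/deny
        return True
    if not entries:                           # bare 'allow' or 'deny' covers every host
        return verdict == "allow"
    matched = any(entry_matches(e, addr, hosts, networks) for e in entries)
    return matched if verdict == "allow" else not matched


SAMPLE = r"""# constructed inetd.sec for this example, not taken from any real system
MAXNUM 50
login   allow   10.*  192.54.24.5
shell   deny    10.3-5.*
# the second shell line below is silently ignored: the first line per service wins
shell   allow   10.*
sprayd  deny    192.54.24.5
ftp
exec    deny
telnet  deny    192.54.24.5 testlan \
                testhost
"""

MAXNUM, RULES = parse_inetd_sec(SAMPLE)

if __name__ == "__main__":
    for service, addr in [("login", "10.200.1.1"), ("login", "192.54.24.6"),
                          ("shell", "10.4.0.1"), ("shell", "10.6.0.1"),
                          ("telnet", "192.54.24.9"), ("finger", "1.2.3.4")]:
        print(service, addr, "allow" if check_access(RULES, service, addr, MAXNUM) else "deny")
```

Running the file prints the decision for a handful of constructed connections.  The point worth checking by hand is the shell service: the second shell line in the sample never takes effect, so a host such as 10.6.0.1 is admitted only because the first (deny) line does not match it, which is the trap the DESCRIPTION warns about when a service has more than one allow/deny line.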

DEPENDENCIES

Implemented on the Series 300 and 800 only. 

AUTHOR

HP
NFS was developed by Sun Microsystems, Inc.

SEE ALSO

inetd(1M), hosts(4), inetd.conf(4), networks(4), protocols(4), rpc(4), services(4). 
 
 

Hewlett-Packard Company  —  May 11, 2021
