inetd.sec(4)
Requires Optional LAN/X.25 Software
NAME
inetd.sec − optional security file for inetd
DESCRIPTION
When inetd(1M) accepts a connection from a remote system, it checks the address of the host requesting the service against the list of hosts allowed or denied to use the specific service. The file inetd.sec allows the system administrator to determine how many remote users can simultaneously start remote services in the local system and which hosts (or networks in general) are allowed to use the system remotely. This file constitutes an extra layer of security in addition to the normal checks done by the services. It precedes the security of the servers; that is, a server will not be started by the internet daemon unless the host requesting the service is a valid host according to inetd.sec.
If there is no file /usr/adm/inetd.sec, the security is only that implemented by the servers. Inetd.sec and the directory /usr/adm should be writable only by their owners. Changes to inetd.sec apply to any subsequent connections.
Lines in inetd.sec beginning with ‘#’ are comments. Comments are not allowed at the end of a line of data.
The first line of data in the file can define MAXNUM, the number of remote services that can be started simultaneously. The format is:
MAXNUM number
where MAXNUM is a keyword and number is the maximum number of simultaneous remote services allowed. MAXNUM can be separated from number by any number of blanks and/or tabs. If MAXNUM is not defined, it defaults to 1000.
The other lines in the file contain a service name, permission field, and the internet addresses or official names of the hosts and/or networks allowed to use that service in the local host. The fields of this line are as follows:
<service name> <allow/deny> <host/net addresses, host/net names>
Service name is the name (not alias) of a valid service in the file /etc/services. The service name for RPC-based services (NFS) is the name (not alias) of a valid service in the file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program number.
Allow/deny determines if the list of remote hosts in the next field is allowed or denied to use a service. If there is more than one allow/deny line for a particular service, all but the first line will be ignored.
The addresses and names are separated by white space. Any mix of addresses and names is allowed. A line can be continued if it terminates with ‘\’.
The host names and network names are the official names of the hosts or networks as returned by gethostbyaddr or getnetbynumber, respectively. A wildcard character ‘*’ and a range character ‘-’ are allowed. The ‘*’ and the ‘-’ can be present in any of the fields of the address. An address consists of fields separated by ‘.’ characters.
EXAMPLES
A wildcard character permits a whole network, for example, to communicate with the local host without having to list all the hosts in that network.
For example:
login allow 10.* 192.54.24.5
allows all the hosts with network addresses starting with a 10, as well as the single host with address 192.54.24.5, to use rlogin.
On a system running NFS,
sprayd deny 192.54.24.5
denies the host 192.54.24.5 access to sprayd, an RPC-based server.
A range is a field containing a ‘−’ character. For example:
shell deny 10.3-5.*
does not allow hosts in network 10 (arpa) with subnets 3 through 5 to use remsh.
The following entry would deny rlogin access to the host “cory.berkeley.edu,” any hosts on the network named “testlan,” and the host with internet address “192.54.24.5”:
login deny 192.54.24.5 cory.berkeley.edu testlan
If a remote service is not listed in the security file, or if it is listed but it is not followed by allow or deny, then all remote hosts can attempt to use it. The service then provides its own level of security.
For example, the following line in inetd.sec allows all hosts to use ftp:
ftp
The following line in inetd.sec would deny all access to the shell service, i.e. remsh(1):
shell deny
If deny were replaced by allow, access by any host would be permitted.
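An offline checker for this file format, added here as an example and not part of HP's inetd: it applies the rules described above (only the first line per service counts, ‘*’ and ‘-’ in any address field, lines continued with ‘\’, an empty host list after allow or deny) to a constructed sample file built from the manual's own entries. The names argument stands in for the official host and network names that gethostbyaddr and getnetbynumber would return on a live system.

```python
# Constructed sample inetd.sec; the entries are the manual's own examples.
SAMPLE = """\
MAXNUM 50
login allow 10.* 192.54.24.5
login deny 192.54.24.5
shell deny 10.3-5.*
exec deny cory.berkeley.edu testlan
ftp
tftp deny
telnet allow 192.54.24.* \\
       192.54.25.*
"""

def parse_inetd_sec(text):
    """Return (maxnum, {service: (perm, patterns)}); only the first line per service counts."""
    maxnum, rules, pending = 1000, {}, ""
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.endswith("\\"):                   # continued line: join with the next one
            pending += raw[:-1] + " "
            continue
        fields, pending = (pending + raw).split(), ""
        if fields and fields[0] == "MAXNUM":     # the manual puts this on the first data line
            maxnum = int(fields[1])
        elif fields and fields[0] not in rules:  # later lines for the same service are ignored
            rules[fields[0]] = (fields[1].lower() if len(fields) > 1 else None, fields[2:])
    return maxnum, rules

def field_matches(pat, val):
    """One dotted field: '*' wildcard, 'lo-hi' range, or an exact number."""
    lo, _, hi = pat.partition("-")
    return pat == "*" or (hi and int(lo) <= int(val) <= int(hi)) or pat == val

def addr_matches(pat, addr):
    """'10.*' covers 10.x.x.x and '10.3-5.*' covers subnets 3-5 of net 10 (prefix match)."""
    pf, af = pat.split("."), addr.split(".")
    return len(pf) <= len(af) and all(field_matches(p, a) for p, a in zip(pf, af))

def is_allowed(rules, service, addr, names=()):
    """Would inetd start `service` for a peer at `addr` whose official names are `names`?"""
    perm, patterns = rules.get(service, (None, []))
    if perm not in ("allow", "deny"):
        return True             # unlisted, or no allow/deny: the server checks on its own
    if not patterns:
        return perm == "allow"  # 'tftp deny' blocks every host; 'x allow' would admit every host
    hit = any(addr_matches(p, addr) if set(p) <= set("0123456789.*-")
              else p.lower() in {n.lower() for n in names} for p in patterns)
    return hit if perm == "allow" else not hit
```

Running the checker over a real /usr/adm/inetd.sec with the addresses you expect to be blocked is a quick way to catch a second allow/deny line for a service that is silently ignored.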
AUTHOR
inetd.sec was developed by HP.
NFS was developed by Sun Microsystems, Inc.
SEE ALSO
inetd(1M), gethostent(3N), getnetent(3N), hosts(4), inetd.conf(4), networks(4), protocols(4), rpc(4), services(4).
Hewlett-Packard Company — HP-UX Release 8.05: June 1991