/etc/inetd.conf

Updated: April 19, 2023

Super-server configuration file (UNIX)

Name:

/etc/inetd.conf

Description:

The /etc/inetd.conf file is the default configuration file for the inetd (super-server) daemon.

Note:
  • As shipped, this file contains commented-out lines that describe all currently supported QNX Neutrino TCP/IP daemons and some nonstandard pidin services. If you want to use these daemons or services, edit /etc/inetd.conf and uncomment the appropriate lines. You can also add or remove daemon definitions if necessary.
  • If you start sshd via inetd, it changes the default configuration that PAM requires and PAM initialization fails. QNX recommends that you avoid this problem by not using inetd to launch sshd.

    Alternatively, in the inetd configuration file, replace references to in.sshd with sshd.

The file must have an entry in each of its fields, with each field separated by a tab or a space. Comments are denoted by a pound sign (#) at the beginning of a line.

The fields in the configuration file are:

[addr:]service-name | service-name/version
socket-type
protocol[,sndbuf=size][,rcvbuf=size]
wait|nowait[:max]
user[:group]
server-program
server program arguments

Here's a description of the arguments:

addr
The local host address that inetd uses when listening for a service. (Not applicable to RPC-based services.) A single asterisk character (*) indicates that it is to listen on all local addresses (INADDR_ANY).

When a line contains an address specifier and colon only (no service-name field is specified), the address specifier is assumed for all further lines until another line with an explicit address specifier appears, or until the end of the file is reached.

service-name
Name of a valid service in the /etc/services file, or a valid RPC service name from /etc/rpc.

For “internal” services (see server program arguments), the service name must be the official name of the service (i.e., the first entry in /etc/services).

version
The RPC version number. It can simply be a single numeric argument or a range of versions. A range is bounded by the low version to the high version (e.g., rusers/1-3).
socket-type
One of stream, dgram, or raw, depending on whether the socket is a stream, datagram, or raw socket.
protocol
A valid protocol; for example, tcp or udp from /etc/protocols.

If you need to specify an IP version explicitly, use protocols such as tcp4 (for IPv4) or udp6 (for IPv6). Protocols, such as tcp or udp, default to the current IP version (currently IPv4).

For RPC-based services, you must prefix the protocol with rpc/ (e.g., rpc/udp).

rcvbuf=size or sndbuf=size
Size of the send or receive buffer for the listening socket. This may be useful for the TCP protocol because the window scale factor, which is based on the receive socket buffer size, is advertised when the connection handshake occurs. Therefore, the socket buffer size for the server must be set on the listening socket. In some situations, you may get better TCP performance by increasing the socket buffer sizes. The socket buffer sizes are specified by appending their values to the protocol specification as follows:
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m

A literal value may be specified or modified using k (for kilobytes) or m (for megabytes). Socket buffer sizes may be specified for all services and protocols except for the TCP port service multiplexer (TCPMUX) services.

wait|nowait
Tells inetd whether to wait for the server program to return or to continue processing connections on the socket. Sockets other than datagram sockets should have a nowait entry in this space. If a datagram server connects to its peer, freeing the socket so inetd can receive further messages on the socket, it's said to be a multi-threaded server and should use the nowait entry.

If a datagram server processes all incoming datagrams on a socket and eventually times out, that server is said to be single-threaded and should use a wait entry. The tftpd daemon is an exception; it's a datagram server that establishes pseudo-connections. It must be listed as wait in order to avoid a race; the server reads the first packet, creates a new socket, and then forks and exits to let inetd check for new service requests to spawn new servers.

Stream servers are usually marked as nowait, but if a single server process is to handle multiple connections, it may be marked as wait. The master socket is passed as fd 0 to the server, which then needs to accept the incoming connection. The server should eventually time out and exit when no more connections are active. The inetd daemon will continue to listen on the master socket for connections. The identd server is usually the only stream server marked as wait.

max
Maximum number of server instances that may be spawned from inetd within an interval of 60 seconds. If omitted, max defaults to 40 server instances.
user
Name of the user that the server runs as. This allows servers to be given less permission than root.
group
Allows servers to run with a different (primary) group ID than the one specified in the password file. If a group is specified and user isn't root, the supplementary groups associated with that user will still be set.

A group name is specified by appending a colon or dot (allowed for backwards compatibility) to the user name followed by the group name.

server-program
Pathname of the program that inetd executes when a request is found on inetd's socket. If the desired service is provided internally by inetd (e.g., see echo in the inetd utility page), this field would contain the word internal.
server program arguments
Any arguments to be passed to the server program. The name of the program is passed as argv[0]. If the server program field is internal, you can leave this field blank.

Setting the IPsec policy

You can specify the IPsec policy setting for each socket in a special comment line. A line that starts with the special comment #@ identifies the policy specifier, and the content of the comment line is treated as the IPsec policy string.

Valid policy settings for /etc/inetd.conf include:

direction bypass
direction entrust
direction ipsec request ...
Note: See “Setting the policy” in the IPsec protocols page for detailed descriptions of the arguments.

Multiple IPsec policy strings may be specified using semicolons as separators. If conflicting strings are found in a single line, the last string takes effect.

When a policy specifier is set with #@, all further lines in the /etc/inetd.conf configuration file are also affected. You can reset the IPsec policy by inserting a comment line without a policy string (i.e., a comment line containing #@ only).

If an invalid IPsec policy string appears in /etc/inetd.conf, inetd logs error messages using syslog() and terminates.

IPv6 TCP/UDP behavior

If you want to run a server for both IPv4 and IPv6 traffic, you'll need to run two separate processes for the same server program. You do this by adding two separate lines in inetd.conf, one for tcp4 and one for tcp6.

Under various combinations of IPv4/v6 daemon settings, inetd behaves as follows:

If you have: | IPv4 traffic: | IPv6 traffic:
Only one server on tcp4 | Routed to the server | Isn't accepted
Two servers: one on tcp4 and one on tcp6 | Routed to the server on tcp4 | Routed to the server on tcp6
Only one server on tcp6 | For certain configurations, may be routed to the tcp6 server (see the IP6 protocol page for details) | Routed to the server on tcp6

Examples:

The following is an example from a working inetd.conf file:

ftp  stream tcp nowait root  /usr/sbin/ftpd  in.ftpd -el

where:

ftp
Is the service name (see /etc/services).
stream
Is the socket type.
tcp
Is the protocol.
nowait
Is the wait/nowait entry.
root
Is the user.
/usr/sbin/ftpd
Is the server program.
in.ftpd
Is argv[0] (server program arguments).
-el
Is argv[1] (server program arguments).
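
The field layout, the address-only lines and the #@ policy comments described on this page can be reviewed mechanically. The Python sketch below is an added example, not part of the QNX documentation or of inetd: parse_inetd_conf and audit are hypothetical names, the sample file is constructed, and it assumes that entries with no preceding address line listen on all local addresses.

```python
import re
# Constructed sample input (not a shipped QNX file); the policy string is illustrative.
SAMPLE = """\
#ftp   stream tcp  nowait    root   /usr/sbin/ftpd    in.ftpd -el
127.0.0.1:
#@ in bypass
telnet stream tcp4 nowait:10 root   /usr/sbin/telnetd in.telnetd
#@
*:
tftp   dgram  udp  wait      nobody:nobody /usr/sbin/tftpd in.tftpd
ssh    stream tcp,rcvbuf=64k nowait root /usr/sbin/sshd in.sshd -i
"""

def parse_inetd_conf(text):
    """Return a dict per active service line, carrying the sticky addr and #@ state."""
    addr, policy, entries = "*", None, []  # assumption: no addr line means all addresses
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#@"):  # IPsec policy comment; a bare "#@" resets it
            policy = line[2:].strip() or None
            continue
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) == 1 and f[0].endswith(":"):  # address-only line: new default addr
            addr = f[0][:-1]
            continue
        if len(f) < 6:
            raise ValueError(f"line {n}: expected at least 6 fields, got {len(f)}")
        host, _, service = f[0].rpartition(":")
        proto, *bufs = f[2].split(",")
        mode, _, mx = f[3].partition(":")  # max defaults to 40 when omitted
        user, *group = re.split(r"[:.]", f[4], maxsplit=1)
        entries.append({
            "addr": host or addr, "service": service, "socket": f[1], "proto": proto,
            "bufs": dict(b.split("=", 1) for b in bufs), "wait": mode,
            "max": int(mx) if mx else 40, "user": user,
            "group": group[0] if group else None, "ipsec": policy,
            "program": f[5], "argv": f[6:],
        })
    return entries

def audit(entries):
    # Flag what a reviewer checks first; returns (service, note) pairs.
    checks = [
        (lambda e: e["user"] == "root" and e["program"] != "internal", "runs as root"),
        (lambda e: e["addr"] == "*", "listens on all local addresses"),
        (lambda e: e["program"].endswith("/sshd"), "sshd started via inetd"),
    ]
    return [(e["service"], note) for e in entries for test, note in checks if test(e)]
```

Running audit(parse_inetd_conf(SAMPLE)) lists each enabled service with the reasons it deserves a closer look; the sshd check reflects the Note above about PAM initialization failing when sshd is started from inetd.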