in.ftpd—Insecure file transfer
imapd—Mail manipulation
rsync—File distribution
Slide 200: Examples of on-demand services
The xinetd service
The xinetd program listens on a set of ports, each corresponding to a different service. When a connection is made to the port corresponding to a particular service (e.g. rsync), xinetd starts up the daemon for that service (e.g. rsync --daemon) and passes the connection through to this child process. The port for a named service is looked up in /etc/services unless the service's file gives a port explicitly.
The xinetd program therefore needs to be told what ports to listen to and what programs it should launch to handle the requests. It is given this information in the configuration file /etc/xinetd.conf. This file simply sets some defaults and includes the contents of the /etc/xinetd.d directory. This directory then has one file per service that xinetd will be supporting.
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
}

includedir /etc/xinetd.d
Slide 201: The file /etc/xinetd.conf
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
Slide 202: The file /etc/xinetd.d/rsync
instances                                   Number of daemons
log_type, log_on_success, log_on_failure    Logging
cps                                         Connections per second, and seconds to pause once that rate is exceeded
disable                                     Is this service turned off?
socket_type, flags                          Network options
wait                                        Should xinetd wait for this service to end before starting another?
user, group                                 Who the service should run as
server                                      The program that runs the service
server_args                                 Options passed to the program
The /etc/xinetd.d/ files
The /etc/xinetd.d/ files have a fairly simple format: blank lines are ignored and the "#" character introduces a comment. A service is identified by name followed by its changes or additions to the default settings in curly brackets.
We'll consider the /etc/xinetd.d/rsync file (slide 202) as a simple example to get us going. First we consider the defaults defined in /etc/xinetd.conf.
instances = 60
At most 60 instances of the rsync daemon should be run at once.
log_type = SYSLOG authpriv
Logging should be via the system logger with the "privileged authentication information" facility.
log_on_success = HOST PID
If the connection attempt is successful, log the originating hostname and the process id of the launched daemon.
log_on_failure = HOST
If the connection attempt is unsuccessful, log the originating host.
This is then modified by the /etc/xinetd.d/rsync file's contents:
socket_type = stream
This says that the connection should be a TCP connection because it will be streaming data across the network. Setting socket_type to dgram will get a UDP (unreliable datagram) service.
wait = no
Some child processes can act as master servers in their own right: xinetd hands them the listening socket and must not launch another copy until the one it launched has exited. This is called waiting for the child, and it is the usual arrangement for datagram (UDP) services. rsync --daemon is not one of these; launched from xinetd it handles the single connection it was given, so we do not wait for it.
user = root
The service should be run as user root. There is a corresponding group option to set the child process' group. Running a network-facing daemon as root means that any flaw in it is exploitable with full privileges, so reserve it for services that genuinely need root (rsync --daemon needs it to chroot into its modules and change to the per-module uid afterwards) and use an unprivileged user otherwise.
server = /usr/bin/rsync
This is where the program that actually runs the service lives.
server_args = --daemon
These are the options passed to the program, so the command that will be run is rsync --daemon.
log_on_failure += USERID
In addition to the default log_on_failure options, also log the userid quoted for any failed connection. Note the use of += to add to the options; simply using = would have overridden the previous ones. You can use -= to remove individual options too. The userid is obtained by asking the connecting host's ident (RFC 1413) service, so it is whatever that host chooses to answer and is of no value as evidence against a hostile client; it also adds a network lookup to every logged connection.
disable = yes
Whether the service should be disabled, i.e. not actually offered.
Making changes to /etc/xinetd.conf
The xinetd daemon reads its configuration file, /etc/xinetd.conf, and the configuration directory, /etc/xinetd.d/, when it is launched and when it receives the HUP signal. Signals can be sent using the killall command, which sends a signal to all running processes of a particular name, as shown in slide 204. The slide also shows the "manual" version (find the process id with ps, then use kill) for comparison and the use of the "reload" option of the xinetd startup script. Many daemons' startup scripts have extra options to reload configuration files or to restart fresh versions of their daemons. Be aware that killall here signals processes by name; on some other Unix systems a command of the same name kills every process, so check before using it elsewhere.
# killall -HUP xinetd

# ps -ef | grep xinetd | grep -v grep
root       438     1  0 Nov10 ?        00:00:00 xinetd
# kill -HUP 438

# /etc/init.d/xinetd reload
Slide 204: Three ways to send a HUP signal to the running xinetd
# grep disable /etc/xinetd.d/rsync
        disable         = yes
# chkconfig rsync on
# grep disable /etc/xinetd.d/rsync
        disable         = no
# chkconfig rsync off
# grep disable /etc/xinetd.d/rsync
        disable         = yes
Slide 205: Disabling an xinetd service
Disabling an xinetd service
Typically the change you want to make is to switch the disable setting from yes to no or vice versa. This can be done with chkconfig or an editor; if you edit the file by hand, send xinetd a HUP afterwards (slide 204) so that it re-reads the file, and check the result with grep as on slide 205. There is no mention of runlevels in this call of the program: if xinetd is running at a particular runlevel then so are all the services in /etc/xinetd.d with disable = no.
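The two things worth checking by script rather than by eye are the effective value of each setting once the defaults and the service file's =, += and -= lines have been combined (the log_on_failure discussion above), and which services in /etc/xinetd.d are actually offered and as which user (the disable discussion above). The following is an added example, not code from the course notes: it writes a constructed xinetd.conf and two constructed service files (rsync modelled on slide 202, plus an invented echo service that uses -=) into a temporary directory, merges them with the same rules xinetd applies, and lists the enabled services. The file names and the helper functions setup_sample, effective_settings and enabled_services are this example's own; on a real host you would point effective_settings and enabled_services at /etc/xinetd.conf and /etc/xinetd.d instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original notes): merge xinetd defaults with a
# service file and audit which services are enabled.  The sample files below
# are constructed for the example; the real ones live under /etc.

# Write a constructed defaults file plus two service files into a temp dir
# and print the directory name.
setup_sample() {
    sample=$(mktemp -d)
    mkdir "$sample/xinetd.d"
    cat > "$sample/xinetd.conf" <<'EOF'
# Constructed sample, modelled on the slide's /etc/xinetd.conf
defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
}
includedir /etc/xinetd.d
EOF
    cat > "$sample/xinetd.d/rsync" <<'EOF'
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
EOF
    cat > "$sample/xinetd.d/echo" <<'EOF'
service echo
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = nobody
        type            = INTERNAL
        log_on_success  -= PID
}
EOF
    echo "$sample"
}

# effective_settings CONF SERVICEFILE
# Apply the defaults block from CONF, then the service file's own lines,
# honouring "=" (replace), "+=" (append) and "-=" (remove the listed words).
# Prints one "name=value" line per setting, sorted by name.
effective_settings() {
    awk '
        FNR == 1                        { in_block = 0 }   # new file
        /^[ \t]*#/ || /^[ \t]*$/        { next }           # comment / blank
        /^[ \t]*(defaults|service)/     { next }           # block header
        /^[ \t]*[{]/                    { in_block = 1; next }
        /^[ \t]*[}]/                    { in_block = 0; next }
        in_block && match($0, /[+-]?=/) {
            op  = substr($0, RSTART, RLENGTH)
            key = substr($0, 1, RSTART - 1); gsub(/[ \t]/, "", key)
            val = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (op == "=") {
                cfg[key] = val
            } else if (op == "+=") {
                cfg[key] = (cfg[key] == "") ? val : cfg[key] " " val
            } else {                                       # "-="
                n = split(cfg[key], cur, " "); m = split(val, rm, " "); out = ""
                for (i = 1; i <= n; i++) {
                    keep = 1
                    for (j = 1; j <= m; j++) if (cur[i] == rm[j]) keep = 0
                    if (keep) out = (out == "") ? cur[i] : out " " cur[i]
                }
                cfg[key] = out
            }
        }
        END { for (k in cfg) print k "=" cfg[k] }
    ' "$1" "$2" | sort
}

# enabled_services DIR
# For every file in DIR/xinetd.d, report the services that are actually
# offered (effective disable = no) and the user each runs as, so anything
# still running as root stands out.  Output: "service user" per line.
enabled_services() {
    for f in "$1"/xinetd.d/*; do
        settings=$(effective_settings "$1/xinetd.conf" "$f")
        if printf '%s\n' "$settings" | grep -q '^disable=no$'; then
            user=$(printf '%s\n' "$settings" | sed -n 's/^user=//p')
            echo "$(basename "$f") ${user:-unset}"
        fi
    done
}

# Run against the constructed sample (pass / instead for a real host).
sample_dir=$(setup_sample)
effective_settings "$sample_dir/xinetd.conf" "$sample_dir/xinetd.d/rsync"
enabled_services "$sample_dir"
rm -rf "$sample_dir"
```

Against the sample, the rsync service shows log_on_failure=HOST USERID (the += appended to the default) while the echo service shows log_on_success=HOST (the -= removed PID), and only echo is listed as enabled since rsync still has disable = yes. The parser deliberately ignores the includedir line, so it works on a copy of the files just as well as on the live directory.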