NAME
rlinetd.conf - rlinetd configuration file
DESCRIPTION
rlinetd.conf holds configuration information for rlinetd. There are a
small number of similar top level constructs, differing chiefly in
which options can be meaningfully used with them.
All strings are quoted with the " character. In some situations (e.g..
the log, exec, and chroot directives), there are a number of variables
that can be substituted into the string.
Unless stated otherwise, all numbers must be positive.
service "name" {
...
}
This construct describes a service. The name parameter is for
naming convenience alone, it simply serves to distinguish
logging messages and provides a default for options which can
logically accept a name as an argument.
enabled
This construct allows easily enabling or disabling
service. The argument can be either yes or no. The
default value is yes. Setting this to no disables
service.
Example:
enabled no;
port
This lists the ports that the service should be made
available on. The ports can be listed in either string or
numeric format. If unspecified, this defaults to the name
of the service unless the service is an RPC service, in
which case the port value will be dynamically assigned by
the system.
Example:
port "telnet", "rcmd", 56, 99;
interface
This specifies which interfaces the listed ports should
be bound on. It takes a list of IP addresses as an
argument, corresponding to the configured addresses of
the interfaces required. If unspecified, this defaults to
INADDR_ANY and will bind to all available interfaces.
Example:
interface 192.168.1.1, 192.168.1.2;
exec
This specifies the invocation of the service. A number of
substitutions can be made within the string; please see
String Modifiers below.
Example:
exec "/usr/sbin/in.telnetd -d";
server
This specifies the binary to be executed, if different to
exec.
Example:
server "/usr/sbin/tcpd";
protocol
This specifies the socket protocol to use when listening
on ports for the service. The argument can be either tcp
or udp. The default setting for this variable is tcp.
Example:
protocol tcp;
user
This specifies the userid under which this service should
run. It will accept an argument in either symbolic or
numeric form. Unless group (see below) is given, the
groupid is also set to the user’s primary group.
Example:
user "nobody";
group
This specifies the groupid under which this service
should run. It will accept an argument in either symbolic
or numeric form.
Example:
group "system";
backlog
This is the backlog argument which will be passed to the
listen(2) system call.
Example:
backlog 30;
instances
This specifies the maximum number of service instances
that can be running at any one time. The default setting
for this variable is 40.
Example:
instances 50;
wait
This directive emulates the inetd(8) wait behaviour. The
argument can be either yes or no. The default value is
no. Setting this to yes also resets the value of
instances option to 1.
Example:
wait yes;
nice
This specifies the process priority to run this service
at. The argument is passed directly to the setpriority(2)
system call. The value may be negative.
Example:
nice -5;
rpc
This specifies that the service should be registered with
the system’s portmap(8) mapper as an RPC service. It
accepts a list of arguments as follows.
rpc {
name "string"; version 3,6,9-15,22;
}
The name parameter is optional, and defaults to the
service name.
chroot
This specifies the root directory for the service. The
string argument can accept modifiers as detailed in
String Modifiers below.
Example:
chroot "/tftpboot/%O";
log
This directive takes two arguments. The first must be
either the symbolic name of a previously specified log
directive (see below), or the unquoted word syslog. If
the latter, the message will be logged via the syslog(3)
call. The second argument is the message that will be
logged, subject to the modifiers detailed in String
Modifiers below.
Example:
log syslog "Service from %O complete";
tcpd
This directive causes access controls as specified by
tcp_wrappers to be applied. This has the same effect as
invoking a service with a server argument of
/usr/sbin/tcpd .or wherever your tcpd(8) program is
kept), but saves the additional step of starting the
program. It will accept up to two additional arguments.
The first is a service name to apply against its rules,
and the second is a block of instructions to execute if
matched. If no name is specified, it defaults to the name
of the service. If the instruction block is not
specified, it defaults to ’exit;’.
Examples:
tcpd "in.telnetd";
tcpd { exec "/usr/local/bin/winnuke %O"; }
tcpd "pointless" { echo "Hi guys, come on in."; }
tcpd "defiant" { echo "500 Access denied from %O."; exit; }
exit
This directive is only useful in an instruction block
argument to the tcpd directive. Note well - not using it
(and not specifying some other terminating directive,
such as exec) will result in the service being run
forever.
Example:
exit;
capability
This directive specifies the capabilities that this
service should have when running. The argument is a
string that is passed directly to cap_from_text(3). I
know, that’s a pretty lousy description, but this feature
is of limited utility until and unless you read the
README.capabilities file anyway.
Example:
capability "cap_setuid=ep";
rlimit
This directive takes two arguments. The first is a symbol
specifying the type of limit required. These are listed
below. The second argument takes one of two forms. It can
either be a single numeric value, in which case both of
the soft and hard limits of the resource in question will
be set to this value. Alternatively, it can be a list in
the form:
rlimit type {
soft x; hard y;
}
In which case the hard and soft limits will be set
appropriately. In either case, the word unlimited can be
specified instead of a numeric value, thus removing any
restriction. The values are passed directly to the
setrlimit(2) syscall, and should be specified in that
context.
Types:
cpu, fsize, data, stack, core, rss, nproc, nofile,
memlock
Example:
rlimit cpu 15;
initgroups
The argument can be either yes or no. This directive
causes initgroups(3) to be called at service startup,
which sets the supplementary groups of the service
according to the /etc/group file.
Example:
initgroups yes;
family
This directive specifies the protocol family that rlinetd
should bind sockets on for this service. Currently, this
can be either ipv4 or ipv6. If unspecified, this
defaults to something appropriate for the system.
Example:
family ipv6;
banner
This directive lets you dump a file as output to a
connection.
Example:
banner "/etc/nologin";
echo
This directive allows you to output a dynamically
generated line to the connection.
Example:
echo "500 Service denied from your IP (%O)";
filter
This directive allows you to specify a Linux Socket
Filter program to be associated with the listening
socket. These can be generated with a tool such as
lsfcc(1)
Example:
filter "/usr/local/lib/rlinetd/filters/privport";
chargen
This directive loops eternally, outputting data to any
connection. If no argument is given, it echoes a subset
of the printable characters. However, a filename can be
supplied as an argument, in which case the contents of
that file are output in a loop.
Example:
chargen "/usr/local/lib/spam";
log "name" {
...
}
This construct describes a logging target. The name parameter is
used as an argument to the log directive in service
configurations.
path
This specifies the filename for this logfile.
Example:
path "/var/log/service.log";
mode
This specifies the file permissions for the logfile. The
argument is required to be numeric, and defaults to 0640
if not specified.
Example:
mode 0600;
user
This specifies the uid of the logfile, and can be
specified as either a numeric uid, or username.
Example:
user "adm";
group
This specifies the gid of the logfile, and can be
specified as either a numeric gid, or groupname.
Example:
group "adm";
defaults {
...
}
This construct takes the same parameters as a service
declaration, but instead of specifying a service sets defaults
for all services specified subsequently.
directory "path" "match" "ignore";
This construct specifies a directory which contains additional
configuration files to be parsed. Parsing of these additional
files does not commence until the current file is complete. The
match and ignore arguments are optional, and if specified, are
used to filter the files in the directory. Filenames must match
the match regexp, if given, and must not match the ignore
regexp, if given. Filenames beginning with a period (’.’) are
skipped in all cases. Directories are not recursed into.
String Modifiers
There are a number of variables which can be substituted into arguments
to some directives. Although they can all be used in the same places,
the information accessed by some is unavailable in certain cases.
%O The source IP address of the connection.
%P The source port of the connection.
%C The total CPU time used.
%U The user CPU time used.
%S The system CPU time.
%r Maximum resident set size.
%m Shared memory size.
%d Unshared data size.
%s Unshared stack size.
%f Page reclaims.
%F Page faults.
%p Swaps.
%i Block input operations.
%o Block output operations.
%n Messages sent.
%c Messages received.
%k Signals received.
%w Voluntary context switches.
%w Involuntary context switches.
%e Exit code.
%t Running time.
%M The current time expressed as seconds since epoch 1980, dumped
as a network order 32 bit word. This has absolutely no use other
than in implementing the inetd-like time functionality.
%I The current time and date, in pretty-printed ctime(3) format.
SEE ALSO
rlinetd(8), hosts_access(5)
AUTHOR
This manual page was written by Mikolaj J. Habryn <dichro-doc@rcpt.to>.
Modified by Robert Luberda <robert@debian.org>.