HP-UX Reference (11i v1 00/12) - 4 File Formats (vol 8)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

141

142

143

144

145

146

147

148

149

150

__________________________________________________________________________________________________________________________________________________________________________________________________

STANDARD Printed by: Nora Chuang [nchuang] STANDARD

/build/1111/BRICK/man4/!!!intro.4

________________________________________________________________

___ ___

inetd.sec(4) inetd.sec(4)

NAME

inetd.sec - optional security ﬁle for inetd

DESCRIPTION

When inetd accepts a connection from a remote system, it checks the address of the host requesting the

service against the list of hosts to be allowed or denied access to the speciﬁc service (see inetd(1M)). The

ﬁle inetd.sec allows the system administrator to control which hosts (or networks in general) are

allowed to use the system remotely. This ﬁle constitutes an extra layer of security in addition to the nor-

mal checks done by the services. It precedes the security of the servers; that is, a server is not started by

the Internet daemon unless the host requesting the service is a valid host according to inetd.sec.

If ﬁle /var/adm/inetd.sec does not exist, security is limited to that implemented by the servers.

inetd.sec and the directory /var/adm should be writable only by their owners. Changes to

inetd.sec apply to any subsequent connections.

Lines in inetd.sec beginning with # are comments. Comments are not allowed at the end of a line of

data.

The lines in the ﬁle contain a service name, permission ﬁeld, and the Internet addresses or ofﬁcial names of

the hosts and networks allowed to use that service in the local host. The ﬁelds in each line are as follows:

<service name><allowdeny

><host/net addresses, host/net names>

service name is the name (not alias) of a valid service in ﬁle

/etc/services

. The service name for

RPC-based services (NFS) is the name (not alias) of a valid service in ﬁle

/etc/rpc. A service name in

/etc/rpc corresponds to a unique RPC program number.

allowdeny determines whether the list of remote hosts in the next ﬁeld is allowed or denied access to

the speciﬁed service. Multiple allowdeny lines for each service are not unsupported. If there are mul-

tiple allowdeny lines for a particular service, all but the last line are ignored.

Addresses and names are separated by white space. Any mix of addresses and names is allowed. To con-

tinue a line, terminate it with \.

Host names and network names are the ofﬁcial names of the hosts or networks as returned by

gethost-

byaddr()

or getnetbynumber()

, respectively. Wildcard characters (*) and range characters (-) are

allowed. The

* and the - can be present in any of the ﬁelds of the address. An address ﬁeld is a string of

characters separated by a dot (.).

EXAMPLES

Use a wildcard character to permit a whole network to communicate with the local host without having to

list all the hosts in that network. For example, to allow all hosts with network addresses starting with a

10, as well as the single host with address 192.54.24.5 to use rlogin:

On a system running NFS, deny host 192.54.24.5 access to sprayd, an RPC-based server:

sprayd deny 192.54.24.5

A range is a ﬁeld containing a - character. To deny hosts in network 10 (arpa) with subnets 3 through 5

access to remsh:

shell deny 10.3-5.*

The following entry denies rlogin access to host cory.berkeley.edu

, any hosts on the network

named

testlan, and the host with internet address 192.54.24.5 :

If a remote service is not listed in the security ﬁle, or if it is listed but it is not followed by allow or deny,

all remote hosts can attempt to use it. Security is then provided by the service itself. The following lines, if

present in

inetd.sec, allow or deny access to the service indicated:

Allow all hosts to use ftp:

ftp

Deny all access to the shell service; i.e., remsh:

shell deny

HP-UX Release 11i: December 2000 − 1 − Section 4−−135

___