HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)

inetd.sec(4) inetd.sec(4)
NAME
inetd.sec - optional security file for inetd
DESCRIPTION
When inetd accepts a connection from a remote system, it checks the address of the
host requesting the service against the list of hosts to be allowed or denied access
to the specific service (see inetd(1M)). The file inetd.sec allows the system
administrator to control which hosts (or networks in general) are allowed to use the
system remotely. This file constitutes an extra layer of security in addition to the
normal checks done by the services. It precedes the security of the servers; that is,
a server is not started by the Internet daemon unless the host requesting the service
is a valid host according to inetd.sec.

If file /var/adm/inetd.sec does not exist, security is limited to that implemented by
the servers. inetd.sec and the directory /var/adm should be writable only by their
owners. Changes to inetd.sec apply to any subsequent connections.

Lines in inetd.sec beginning with # are comments. Comments are not allowed at the end
of a line of data.

The lines in the file contain a service name, permission field, and the Internet
addresses or official names of the hosts and networks allowed to use that service in
the local host. The fields in each line are as follows:

     <service name> <allow|deny> <host/net addresses, host/net names>

service name is the name (not alias) of a valid service in file /etc/services. The
service name for RPC-based services (NFS) is the name (not alias) of a valid service
in file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program
number.
allow|deny determines whether the list of remote hosts in the next field is allowed
or denied access to the specified service. Multiple allow|deny lines for each service
are not supported. If there are multiple allow|deny lines for a particular service,
all but the last line are ignored.
Addresses and names are separated by white space. Any mix of addresses and names is
allowed. To continue a line, terminate it with \.

Host names and network names are the official names of the hosts or networks as
returned by gethostbyaddr() or getnetbyaddr(), respectively. Wildcard characters (*)
and range characters (-) are allowed. The * and the - can be present in any of the
fields of the address. An address field is a string of characters separated by a
dot (.).
EXAMPLES
Use a wildcard character to permit a whole network to communicate with the local host
without having to list all the hosts in that network. For example, to allow all hosts
with network addresses starting with a 10, as well as the single host with address
192.54.24.5, to use rlogin:

     login allow 10.* 192.54.24.5

On a system running NFS, deny host 192.54.24.5 access to sprayd, an RPC-based server:

     sprayd deny 192.54.24.5

A range is a field containing a - character. To deny hosts in network 10 (arpa) with
subnets 3 through 5 access to remsh:

     shell deny 10.3-5.*

The following entry denies rlogin access to host cory.berkeley.edu, any hosts on the
network named testlan, and the host with internet address 192.54.24.5:

     login deny 192.54.24.5 cory.berkeley.edu testlan

If a remote service is not listed in the security file, or if it is listed but it is
not followed by allow or deny, all remote hosts can attempt to use it. Security is
then provided by the service itself. The following lines, if present in inetd.sec,
allow or deny access to the service indicated:

Allow all hosts to use ftp:

     ftp

Deny all access to the shell service; i.e., remsh:

     shell deny
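The following checker is an added illustration and is not part of the HP-UX manual
page or of inetd itself. It reads inetd.sec-style lines (comments, backslash
continuation, last line per service wins, * and - fields) and decides whether a
remote host would be let through to a service. It compares names literally instead of
calling gethostbyaddr(); treating a shorter pattern that ends in * as covering the
remaining fields, and an allow line with no hosts as permitting everyone, are
assumptions. The sample file is constructed from the examples above.

```python
# Added example, not part of the HP-UX manual page: evaluates inetd.sec-style
# lines as described above. Names are compared literally (no gethostbyaddr()).
SAMPLE = """# constructed sample inetd.sec
login allow 10.* 192.54.24.5
sprayd deny 192.54.24.5
shell deny 10.3-5.*
exec deny
ftp
login deny 192.54.24.5 cory.berkeley.edu \\
      testlan
"""
def parse_inetd_sec(text):
    """Return {service: (permission or None, [patterns])}; last line wins."""
    rules, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # trailing backslash continues the line
            pending.append(line[:-1])
            continue
        fields, pending = " ".join(pending + [line]).split(), []
        perm = fields[1] if len(fields) > 1 and fields[1] in ("allow", "deny") else None
        rules[fields[0]] = (perm, fields[2:] if perm else [])
    return rules
def field_matches(pat, val):
    if pat == "*":                         # wildcard field
        return True
    if "-" in pat and val.isdigit():       # inclusive numeric range 'lo-hi'
        lo, _, hi = pat.partition("-")
        return lo.isdigit() and hi.isdigit() and int(lo) <= int(val) <= int(hi)
    return pat == val
def pattern_matches(pattern, host):
    """Dotted address patterns match field by field; names match exactly."""
    if not host.replace(".", "").isdigit():
        return pattern == host
    pf, hf = pattern.split("."), host.split(".")
    if len(pf) > len(hf) or (len(pf) < len(hf) and pf[-1] != "*"):
        return False                       # assumption: a trailing '*' covers the rest
    return all(field_matches(p, v) for p, v in zip(pf, hf))
def permitted(rules, service, host):
    """True if inetd.sec would let this host reach the service."""
    if service not in rules or rules[service][0] is None:
        return True                        # unlisted or no allow/deny: server decides
    perm, patterns = rules[service]
    if not patterns:                       # 'shell deny' alone denies everyone
        return perm == "allow"             # ('allow' alone permitting all: assumption)
    hit = any(pattern_matches(p, host) for p in patterns)
    return hit if perm == "allow" else not hit
RULES = parse_inetd_sec(SAMPLE)
```

Note that the second login line in the sample replaces the first entirely, so 10.*
is no longer allowed by that entry; it is simply not listed, and the deny applies.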
Section 4140 Hewlett-Packard Company 1 HP-UX 11i Version 2: August 2003