
inetd.conf


Len Borowski Jr.

Oct 13, 1994, 5:10:06 PM
Hi all,

I am in the process of making a system more secure and one of
the things I have looked into is what UID the daemons in inetd.conf
should run as. Right now most of my daemons are running as root, which I
know isn't a good idea. My question is, can I simply change all my
daemons to run as non-root (in this case I was going to have them run
as nobody)? I have included my inetd.conf. And one last bit of info:
we're running SunOS 4.1.3.
_len


# @(#)inetd.conf 1.24 92/04/14 SMI
#
# Configuration file for inetd(8). See inetd.conf(5).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
#
# Internet services syntax:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/etc/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/etc/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/etc/in.rshd in.rshd
login stream tcp nowait root /usr/etc/in.rlogind in.rlogind
exec stream tcp nowait root /usr/etc/in.rexecd in.rexecd
comsat dgram udp wait root /usr/etc/in.comsat in.comsat
talk dgram udp wait root /usr/etc/in.talkd in.talkd
#
# Run as user "uucp" if you don't want uucpd's wtmp entries.
#
uucp stream tcp nowait root /usr/etc/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -auwwx
#netstat stream tcp nowait root /usr/ucb/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <socket_type> rpc/<proto> <flags> <user> <pathname> <args>
#
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
#mountd/1 dgram rpc/udp wait root /usr/etc/rpc.mountd rpc.mountd
#
# The rexd server provides only minimal authentication and is often not run
# by sites concerned about security.
#
#rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd
#
# Ypupdated is run by sites that support NIS updating.
#
#ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated rpc.ypupdated
#
# Rquotad serves UFS disk quotas to NFS clients.
#
rquotad/1 dgram rpc/udp wait root /usr/etc/rpc.rquotad rpc.rquotad
#
# Rstatd is used by programs such as perfmeter.
#
rstatd/2-4 dgram rpc/udp wait root /usr/etc/rpc.rstatd rpc.rstatd
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#rusersd/1-2 dgram rpc/udp wait root /usr/etc/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
sprayd/1 dgram rpc/udp wait root /usr/etc/rpc.sprayd rpc.sprayd
#
# The rwall server lets anyone on the network bother everyone on your machine.
#
walld/1 dgram rpc/udp wait root /usr/etc/rpc.rwalld rpc.rwalld
#
#
# TLI services syntax [not yet implemented]:
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
#
# TCPMUX services syntax [not yet implemented]:
# tcpmux/<service_name> stream tcp <flags> <user> <server_pathname> <args>
#
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /usr/spool/calendar
100068/2-3 dgram rpc/udp wait root /usr/etc/rpc.cmsd rpc.cmsd
# Sun ToolTalk Database Server
100083/1 stream rpc/tcp wait root /usr/etc/rpc.ttdbserverd rpc.ttdbserverd
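
An added example, not part of the original post: a small parser for the inetd.conf syntax shown in the file header that groups services by the user field the question is about. The `Entry` type, the function names and the bucket names are this example's own, and the sample is a few lines copied from the posted file.

```python
"""Group inetd.conf entries by the user they run as."""
import sys
from collections import namedtuple

Entry = namedtuple("Entry", "service socket_type proto flags user server args enabled")

# Constructed sample: a few lines copied from the file posted above.
SAMPLE = """\
# Ftp and telnet are standard Internet services.
ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
#tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
#finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
time stream tcp nowait root internal
rstatd/2-4 dgram rpc/udp wait root /usr/etc/rpc.rstatd rpc.rstatd
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
"""

def parse_line(line):
    """Return an Entry for an active or commented-out service line, else None."""
    text = line.strip()
    enabled = not text.startswith("#")
    fields = text.lstrip("#").split()
    # Internet and RPC syntaxes share the first six columns; args are optional.
    # Prose comments and the syntax templates fail the keyword checks below.
    if (len(fields) < 6 or fields[1] not in ("stream", "dgram")
            or fields[3] not in ("wait", "nowait")):
        return None
    return Entry(*fields[:6], args=fields[6:], enabled=enabled)

def parse_conf(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def classify(entries):
    """Bucket service names by how (and whether) inetd would start them."""
    groups = {"root_external": [], "root_internal": [], "non_root": [], "disabled": []}
    for e in entries:
        if not e.enabled:
            key = "disabled"
        elif e.user != "root":
            key = "non_root"
        elif e.server == "internal":
            key = "root_internal"   # handled inside inetd, no separate program
        else:
            key = "root_external"   # separate server program started as root
        groups[key].append(e.service)
    return groups

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, services in classify(parse_conf(text)).items():
        print(f"{name}: {' '.join(services) or '-'}")
```

Run it with the path to an inetd.conf as the only argument; with no argument it uses the embedded sample.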
