#1
On Tue, 24 Jun 2003 19:52:42 GMT, Buck Turgidson wrote:
> I have been reading up on xinetd, since I upgraded my linux, and have
> graduated from inetd. I am confused as to the purpose of the disable
> parameter. It doesn't seem to be disabling anything. I have xinetd
> running, yet I can, as pretty much any user run netstat.
>
> I would appreciate some enlightenment.

Usually disable = yes would disable the indicated service.

Swat example:

    service swat
    {
        disable = yes
        port = 901
        socket_type = stream
        wait = no
        only_from = 127.0.0.1
        user = root
        server = /usr/sbin/swat
        log_on_failure += USERID
    }

and if we do a

    chkconfig --list

we see

    swat: off

#2
> Usually disable = yes would disable the indicated service.
>
> Swat example:
> service swat
> {
> disable = yes
> port = 901
> socket_type = stream
> wait = no
> only_from = 127.0.0.1
> user = root
> server = /usr/sbin/swat
> log_on_failure += USERID
> }
>
> and if we do a
> chkconfig --list
> we see
> swat: off

I guess I am missing the point, then. I thought the "disable" disables the use of the service, but I can still execute it.

    hp:~ # chkconfig --list | grep netstat
    netstat: off

    hp:~ # netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    ....
    ....

#3
On Tue, 24 Jun 2003 21:27:27 GMT, Buck Turgidson wrote:
>
> I guess I am missing the point, then. I thought the "disable" disables the
> use of the service, but I can
> still execute it.

You can execute a program from the cli. If an incoming connection tried to connect to the service, xinetd would check the service disable flag before deciding to start the daemon and connecting the requestor to the service.

#4
"Buck Turgidson" <(E-Mail Removed)> wrote:
> > Usually disable = yes would disable the indicated service.
> >
> > Swat example:
> > service swat
> > {
> > disable = yes
> > port = 901
> > socket_type = stream
> > wait = no
> > only_from = 127.0.0.1
> > user = root
> > server = /usr/sbin/swat
> > log_on_failure += USERID
> > }
> >
> > and if we do a
> > chkconfig --list
> > we see
> > swat: off
>
> I guess I am missing the point, then. I thought the "disable" disables the
> use of the service, but I can
> still execute it.
>
> hp:~ # chkconfig --list | grep netstat
> netstat: off
>
> hp:~ # netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> ...
> ...
>

Hi,

inetd and xinetd are master daemon processes that control a number of services offered by your system across the network. So for example an ftp server, telnet server, swat, finger daemon, time server etc. are all services that can be managed by inetd or xinetd. In comparison, netstat is a binary program in the same way as the commands ls, ps, bash, perl etc.

Xinetd can be configured to manage the processes listening on a number of ports for connections across the network from remote machines (but note that many of these services such as ftpd and telnetd can be run independently of xinetd as well). When someone tries to connect to a service across the network on a port that is managed by xinetd, it will start a new process to handle that connection. However, if the 'disable = yes' option is selected for the daemon configured to service that port, then xinetd will not start the child process to manage the connection.

To control the operation of programs that run on the local machine, you would normally use file permissions. For example, to decide who can use netstat, create a new group with the newgrp command called netstat, then change the ownership of the netstat command to that group and remove the world execute permission with chmod. From that point onwards, only user accounts that are members of the netstat group will be able to run the netstat command.

Hope this helps clarify the difference.

--
Martin
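
Added example, not part of the thread: a short Python audit of xinetd-style service blocks that lists which services xinetd would still start for an incoming connection, meaning every block not marked `disable = yes`. The sample configuration and the function names are constructed for illustration (swat is abridged from the block quoted above, telnet and time are made up), and only per-service `disable` attributes are read; a `defaults` section is ignored.

```python
import re
# Constructed sample: swat is abridged from the thread; telnet and time are made up.
SAMPLE = """
service swat
{
    disable   = yes
    only_from = 127.0.0.1
    user      = root
}
service telnet
{
    user = root
}
service time
{
    disable    = no
    user       = nobody
    only_from  = 127.0.0.1
    only_from += 192.168.1.0/24
}
"""
ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_services(text):
    """Return {service: {attribute: [values]}} for xinetd-style service blocks."""
    services, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("service "):
            current = services.setdefault(line.split()[1], {})
        elif line == "}":
            current = None
        elif current is not None and (m := ATTR.match(line)):
            name, op, values = m[1], m[2], m[3].split()
            if op == "=":
                current[name] = values
            elif op == "+=":
                current.setdefault(name, []).extend(values)
            else:  # "-=" drops the listed values
                current[name] = [v for v in current.get(name, []) if v not in values]
    return services

def reachable(text):
    """(service, user, only_from) for every block not marked disable = yes."""
    return [(name, a.get("user", ["?"])[0], a.get("only_from", []))
            for name, a in parse_services(text).items()
            if a.get("disable", ["no"]) != ["yes"]]

if __name__ == "__main__":
    print(*reachable(SAMPLE), sep="\n")
```

A block with no `disable` line at all, like the constructed telnet entry, is reported as reachable, and an empty `only_from` list means the block itself places no source-address restriction on the service.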