Provided by: rlinetd_0.9.1-1_amd64 
NAME
rlinetd.conf - rlinetd configuration file
DESCRIPTION
rlinetd.conf holds configuration information for rlinetd. There are a small number of similar top level
constructs, differing chiefly in which options can be meaningfully used with them.
All strings are quoted with the " character. In some situations (e.g. the log, exec, and chroot
directives), there are a number of variables that can be substituted into the string.
Unless stated otherwise, all numbers must be positive.
service "name" {
...
}
This construct describes a service. The name parameter is for naming convenience alone, it simply
serves to distinguish logging messages and provides a default for options which can logically
accept a name as an argument.
enabled
This construct allows easily enabling or disabling service. The argument can be either yes
or no. The default value is yes. Setting this to no disables service.
Example:
enabled no;
port
This lists the ports that the service should be made available on. The ports can be listed
in either string or numeric format. If unspecified, this defaults to the name of the
service unless the service is an RPC service, in which case the port value will be
dynamically assigned by the system.
Example:
port "telnet", "rcmd", 56, 99;
interface
This specifies which interfaces the listed ports should be bound on. It takes a list of IP
addresses as an argument, corresponding to the configured addresses of the interfaces
required. If this keyword is not given or when a special value any is assigned to it, the
service will bind to all available interfaces.
Examples:
interface 192.168.1.1, 192.168.1.2;
interface any;
exec
This specifies the invocation of the service. A number of substitutions can be made within
the string; please see String Modifiers below.
Example:
exec "/usr/sbin/in.telnetd -d";
server
This specifies the binary to be executed, if different to exec.
Example:
server "/usr/sbin/tcpd";
protocol
This specifies the socket protocol to use when listening on ports for the service. The
argument can be either tcp or udp. The default setting for this variable is tcp.
Example:
protocol tcp;
user
This specifies the userid under which this service should run. It will accept an argument
in either symbolic or numeric form. Unless group (see below) is given, the groupid is also
set to the user's primary group.
Example:
user "nobody";
group
This specifies the groupid under which this service should run. It will accept an argument
in either symbolic or numeric form.
Example:
group "system";
backlog
This is the backlog argument which will be passed to the listen(2) system call.
Example:
backlog 30;
instances
This specifies the maximum number of service instances that can be running at any one time.
The default setting for this variable is 40.
Example:
instances 50;
wait
This directive emulates the inetd(8) wait behaviour. The argument can be either yes or no.
The default value is no. Setting this to yes also resets the value of instances option to
1.
Example:
wait yes;
nice
This specifies the process priority to run this service at. The argument is passed directly
to the setpriority(2) system call. The value may be negative.
Example:
nice -5;
rpc
This specifies that the service should be registered with the system's portmap(8) mapper as
an RPC service. It accepts a list of arguments as follows.
rpc {
name "string"; version 3,6,9-15,22;
}
The name parameter is optional, and defaults to the service name.
chroot
This specifies the root directory for the service. The string argument can accept modifiers
as detailed in String Modifiers below.
Example:
chroot "/tftpboot/%O";
log
This directive takes two arguments. The first must be either the symbolic name of a
previously specified log directive (see below), or the unquoted word syslog. If the
latter, the message will be logged via the syslog(3) call. The second argument is the
message that will be logged, subject to the modifiers detailed in String Modifiers below.
Example:
log syslog "Service from %O complete";
tcpd
This directive causes access controls as specified by tcp_wrappers to be applied. This has
the same effect as invoking a service with a server argument of /usr/sbin/tcpd (or wherever
your tcpd(8) program is kept), but saves the additional step of starting the program. It
will accept up to two additional arguments. The first is a service name to apply against
its rules, and the second is a block of instructions to execute if matched. If no name is
specified, it defaults to the name of the service. If the instruction block is not
specified, it defaults to 'exit;'.
Examples:
tcpd "in.telnetd";
tcpd { exec "/usr/local/bin/winnuke %O"; }
tcpd "pointless" { echo "Hi guys, come on in."; }
tcpd "defiant" { echo "500 Access denied from %O."; exit; }
exit
This directive is only useful in an instruction block argument to the tcpd directive. Note
well - not using it (and not specifying some other terminating directive, such as exec)
will result in the service being run forever.
Example:
exit;
capability
This directive specifies the capabilities that this service should have when running. The
argument is a string that is passed directly to cap_from_text(3). I know, that's a pretty
lousy description, but this feature is of limited utility until and unless you read the
README.capabilities file anyway.
Example:
capability "cap_setuid=ep";
rlimit
This directive takes two arguments. The first is a symbol specifying the type of limit
required. These are listed below. The second argument takes one of two forms. It can either
be a single numeric value, in which case both of the soft and hard limits of the resource
in question will be set to this value. Alternatively, it can be a list in the form:
rlimit type {
soft x; hard y;
}
In which case the hard and soft limits will be set appropriately. In either case, the word
unlimited can be specified instead of a numeric value, thus removing any restriction. The
values are passed directly to the setrlimit(2) syscall, and should be specified in that
context.
Types:
cpu, fsize, data, stack, core, rss, nproc, nofile, memlock
Example:
rlimit cpu 15;
initgroups
The argument can be either yes or no. This directive causes initgroups(3) to be called at
service startup, which sets the supplementary groups of the service according to the
/etc/group file.
Example:
initgroups yes;
family
This directive specifies the protocol family that rlinetd should bind sockets on for this
service. Currently, this can be either ipv4 or ipv6. If unspecified, this defaults to
something appropriate for the system.
Example:
family ipv6;
banner
This directive lets you dump a file as output to a connection.
Example:
banner "/etc/nologin";
echo
This directive allows you to output a dynamically generated line to the connection.
Example:
echo "500 Service denied from your IP (%O)";
filter
This directive allows you to specify a Linux Socket Filter program to be associated with
the listening socket. These can be generated with a tool such as lsfcc(1).
Example:
filter "/usr/local/lib/rlinetd/filters/privport";
chargen
This directive loops eternally, outputting data to any connection. If no argument is given,
it echoes a subset of the printable characters. However, a filename can be supplied as an
argument, in which case the contents of that file are output in a loop.
Example:
chargen "/usr/local/lib/spam";
log "name" {
...
}
This construct describes a logging target. The name parameter is used as an argument to the log
directive in service configurations.
path
This specifies the filename for this logfile.
Example:
path "/var/log/service.log";
mode
This specifies the file permissions for the logfile. The argument is required to be
numeric, and defaults to 0640 if not specified.
Example:
mode 0600;
user
This specifies the uid of the logfile, and can be specified as either a numeric uid, or
username.
Example:
user "adm";
group
This specifies the gid of the logfile, and can be specified as either a numeric gid, or
groupname.
Example:
group "adm";
defaults {
...
}
This construct takes the same parameters as a service declaration, but instead of specifying a
service sets defaults for all services specified subsequently.
directory "path" "match" "ignore";
This construct specifies a directory which contains additional configuration files to be parsed.
Parsing of these additional files does not commence until the current file is complete. The match
and ignore arguments are optional, and if specified, are used to filter the files in the
directory. Filenames must match the match regexp, if given, and must not match the ignore regexp,
if given. Filenames beginning with a period ('.') are skipped in all cases. Directories are not
recursed into.
String Modifiers
There are a number of variables which can be substituted into arguments to some directives. Although they
can all be used in the same places, the information accessed by some is unavailable in certain cases.
%O The source IP address of the connection.
%P The source port of the connection.
%C The total CPU time used.
%U The user CPU time used.
%S The system CPU time.
%r Maximum resident set size.
%m Shared memory size.
%d Unshared data size.
%s Unshared stack size.
%f Page reclaims.
%F Page faults.
%p Swaps.
%i Block input operations.
%o Block output operations.
%n Messages sent.
%c Messages received.
%k Signals received.
%w Voluntary context switches.
%w Involuntary context switches.
%e Exit code.
%t Running time.
%M The current time expressed as seconds since epoch 1980, dumped as a network order 32 bit word.
This has absolutely no use other than in implementing the inetd-like time functionality.
%I The current time and date, in pretty-printed ctime(3) format.
SEE ALSO
rlinetd(8), hosts_access(5)
AUTHOR
This manual page was written by Mikolaj J. Habryn <dichro-doc@rcpt.to>. Modified by Robert Luberda
<robert@debian.org>.