Provided by: rlinetd_0.9-2_amd64
NAME
rlinetd.conf - rlinetd configuration file
DESCRIPTION
rlinetd.conf holds configuration information for rlinetd. There are a small number of similar top level constructs, differing chiefly in which options can be meaningfully used with them. All strings are quoted with the " character. In some situations (e.g. the log, exec, and chroot directives), there are a number of variables that can be substituted into the string. Unless stated otherwise, all numbers must be positive. service "name" { ... } This construct describes a service. The name parameter is for naming convenience alone, it simply serves to distinguish logging messages and provides a default for options which can logically accept a name as an argument. enabled This construct allows easily enabling or disabling service. The argument can be either yes or no. The default value is yes. Setting this to no disables service. Example: enabled no; port This lists the ports that the service should be made available on. The ports can be listed in either string or numeric format. If unspecified, this defaults to the name of the service unless the service is an RPC service, in which case the port value will be dynamically assigned by the system. Example: port "telnet", "rcmd", 56, 99; interface This specifies which interfaces the listed ports should be bound on. It takes a list of IP addresses as an argument, corresponding to the configured addresses of the interfaces required. If this keyword is not given or when a special value any is assigned to it, the service will bind to all available interfaces. Examples: interface 192.168.1.1, 192.168.1.2; interface any; exec This specifies the invocation of the service. A number of substitutions can be made within the string; please see String Modifiers below. Example: exec "/usr/sbin/in.telnetd -d"; server This specifies the binary to be executed, if different to exec. Example: server "/usr/sbin/tcpd"; protocol This specifies the socket protocol to use when listening on ports for the service. The argument can be either tcp or udp. The default setting for this variable is tcp. Example: protocol tcp; user This specifies the userid under which this service should run. It will accept an argument in either symbolic or numeric form. Unless group (see below) is given, the groupid is also set to the user's primary group. Example: user "nobody"; group This specifies the groupid under which this service should run. It will accept an argument in either symbolic or numeric form. Example: group "system"; backlog This is the backlog argument which will be passed to the listen(2) system call. Example: backlog 30; instances This specifies the maximum number of service instances that can be running at any one time. The default setting for this variable is 40. Example: instances 50; wait This directive emulates the inetd(8) wait behaviour. The argument can be either yes or no. The default value is no. Setting this to yes also resets the value of instances option to 1. Example: wait yes; nice This specifies the process priority to run this service at. The argument is passed directly to the setpriority(2) system call. The value may be negative. Example: nice -5; rpc This specifies that the service should be registered with the system's portmap(8) mapper as an RPC service. It accepts a list of arguments as follows. rpc { name "string"; version 3,6,9-15,22; } The name parameter is optional, and defaults to the service name. chroot This specifies the root directory for the service. The string argument can accept modifiers as detailed in String Modifiers below. Example: chroot "/tftpboot/%O"; log This directive takes two arguments. The first must be either the symbolic name of a previously specified log directive (see below), or the unquoted word syslog. If the latter, the message will be logged via the syslog(3) call. The second argument is the message that will be logged, subject to the modifiers detailed in String Modifiers below. Example: log syslog "Service from %O complete"; tcpd This directive causes access controls as specified by tcp_wrappers to be applied. This has the same effect as invoking a service with a server argument of /usr/sbin/tcpd (or wherever your tcpd(8) program is kept), but saves the additional step of starting the program. It will accept up to two additional arguments. The first is a service name to apply against its rules, and the second is a block of instructions to execute if matched. If no name is specified, it defaults to the name of the service. If the instruction block is not specified, it defaults to 'exit;'. Examples: tcpd "in.telnetd"; tcpd { exec "/usr/local/bin/winnuke %O"; } tcpd "pointless" { echo "Hi guys, come on in."; } tcpd "defiant" { echo "500 Access denied from %O."; exit; } exit This directive is only useful in an instruction block argument to the tcpd directive. Note well - not using it (and not specifying some other terminating directive, such as exec) will result in the service being run forever. Example: exit; capability This directive specifies the capabilities that this service should have when running. The argument is a string that is passed directly to cap_from_text(3). I know, that's a pretty lousy description, but this feature is of limited utility until and unless you read the README.capabilities file anyway. Example: capability "cap_setuid=ep"; rlimit This directive takes two arguments. The first is a symbol specifying the type of limit required. These are listed below. The second argument takes one of two forms. It can either be a single numeric value, in which case both of the soft and hard limits of the resource in question will be set to this value. Alternatively, it can be a list in the form: rlimit type { soft x; hard y; } In which case the hard and soft limits will be set appropriately. In either case, the word unlimited can be specified instead of a numeric value, thus removing any restriction. The values are passed directly to the setrlimit(2) syscall, and should be specified in that context. Types: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock Example: rlimit cpu 15; initgroups The argument can be either yes or no. This directive causes initgroups(3) to be called at service startup, which sets the supplementary groups of the service according to the /etc/group file. Example: initgroups yes; family This directive specifies the protocol family that rlinetd should bind sockets on for this service. Currently, this can be either ipv4 or ipv6. If unspecified, this defaults to something appropriate for the system. Example: family ipv6; banner This directive lets you dump a file as output to a connection. Example: banner "/etc/nologin"; echo This directive allows you to output a dynamically generated line to the connection. Example: echo "500 Service denied from your IP (%O)"; filter This directive allows you to specify a Linux Socket Filter program to be associated with the listening socket. These can be generated with a tool such as lsfcc(1). Example: filter "/usr/local/lib/rlinetd/filters/privport"; chargen This directive loops eternally, outputting data to any connection. If no argument is given, it echoes a subset of the printable characters. However, a filename can be supplied as an argument, in which case the contents of that file are output in a loop. Example: chargen "/usr/local/lib/spam"; log "name" { ... } This construct describes a logging target. The name parameter is used as an argument to the log directive in service configurations. path This specifies the filename for this logfile. Example: path "/var/log/service.log"; mode This specifies the file permissions for the logfile. The argument is required to be numeric, and defaults to 0640 if not specified. Example: mode 0600; user This specifies the uid of the logfile, and can be specified as either a numeric uid, or username. Example: user "adm"; group This specifies the gid of the logfile, and can be specified as either a numeric gid, or groupname. Example: group "adm"; defaults { ... } This construct takes the same parameters as a service declaration, but instead of specifying a service sets defaults for all services specified subsequently. directory "path" "match" "ignore"; This construct specifies a directory which contains additional configuration files to be parsed. Parsing of these additional files does not commence until the current file is complete. The match and ignore arguments are optional, and if specified, are used to filter the files in the directory. Filenames must match the match regexp, if given, and must not match the ignore regexp, if given. Filenames beginning with a period ('.') are skipped in all cases. Directories are not recursed into. String Modifiers There are a number of variables which can be substituted into arguments to some directives. Although they can all be used in the same places, the information accessed by some is unavailable in certain cases. %O The source IP address of the connection. %P The source port of the connection. %C The total CPU time used. %U The user CPU time used. %S The system CPU time. %r Maximum resident set size. %m Shared memory size. %d Unshared data size. %s Unshared stack size. %f Page reclaims. %F Page faults. %p Swaps. %i Block input operations. %o Block output operations. %n Messages sent. %c Messages received. %k Signals received. %w Voluntary context switches. %w Involuntary context switches. %e Exit code. %t Running time. %M The current time expressed as seconds since epoch 1980, dumped as a network order 32 bit word. This has absolutely no use other than in implementing the inetd-like time functionality. %I The current time and date, in pretty-printed ctime(3) format.
SEE ALSO
rlinetd(8), hosts_access(5)
AUTHOR
This manual page was written by Mikolaj J. Habryn <dichro-doc@rcpt.to>. Modified by Robert Luberda <robert@debian.org>.