xinetd
xinetd is a secure replacement for inetd. It was originally written
by panos@cs.colorado.edu. This is a home for xinetd, and a place for
information to be gathered, bugs to be submitted, and hopefully fixed.
Update: xinetd is looking for a new maintainer. Apply within.
- Information:
- Features of xinetd
- xinetd FAQ
- Sample config
- Recent changes
- CVS Web
- Download:
- Source to xinetd 2.3.15 (Released 9 May 2012).
Frederic Raynal has written an excellent article on xinetd.
The xinetd cvs repository can be accessed in the following way:
cvs -d :pserver:anonymous@cvs.xinetd.org:/cvs/xinetd login
Hit enter when asked for a password (there is no password).
You can then check out xinetd with the following command:
cvs -d :pserver:anonymous@cvs.xinetd.org:/cvs/xinetd co xinetd
Features:
- Access control:
- Has builtin access control for stopping connections from evil bad guys, or for only allowing connections from good guys.
- Can be compiled with builtin libwrap support. Use hosts.{allow|deny}! More efficient than using tcpd!
- Tcp wrappers are good, but can only see one connection at a time. xinetd can limit the rate of incoming connections, number of incoming connections from specific hosts, or total number of connections for a service.
- Limit access to services based on access time of day.
- You can have specific services bind to specific IPs. This lets you provide different services to internal clients than to external clients.
- Prevent denial of service attacks!
- With the access control capabilities of limiting the rate of incoming connections, xinetd can respond to "port bombs" in a reasonable fashion.
- If one host seems to be hogging your services, you can limit the number of simultaneous connections from a host.
- You can place limits on the size of the log files it creates, so people can't fill your disk.
- Extensive logging abilities!
- You can configure the syslog logging level for each service independently.
- If you don't want to use syslog logging, you can have each service log to a file, independent of any other service.
- It can log the start and stop times for the connection, so you can determine how long a client used your services.
- It can log extensive information about failed connection attempts.
- Offload services to a remote host
- The redir feature allows you to redirect a TCP stream to another host. This other host does not need to be an externally reachable machine. If you want to provide services on a NAT'd machine, run xinetd with the redir feature to redirect the service to a different host.
- IPv6 support
- As of the xinetd 2.1.8.8pre* series, xinetd supports IPv6.
- User interaction
- You can print different banners to the client when they have a successful connection, when their connection attempt failed, and always regardless of connection status. This can help keep your users informed of changes, and why they may be having trouble accessing services.
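A constructed xinetd.conf that exercises the access-control, rate-limiting, logging, bind and redir features listed above, added here as an example (not the project's own sample config); the addresses, paths, the ssh-redir service name and the in.ftpd server path are assumptions.

```conf
# Constructed example; addresses, paths and the ssh-redir service name are assumptions.
defaults
{
    # Log via syslog: who connected, for how long, and why a connection was refused.
    log_type        = SYSLOG daemon info
    log_on_success  = PID HOST DURATION EXIT
    log_on_failure  = HOST ATTEMPT
    # Port-bomb defence: above 50 new connections/second the service is
    # disabled for 10 seconds.
    cps             = 50 10
    # Cap simultaneous servers per service and per client address.
    instances       = 60
    per_source      = 5
    # Default-deny: a service must widen only_from to be reachable at all.
    # A more specific no_access entry wins over a broader only_from entry.
    only_from       = 192.0.2.0/24
    no_access       = 192.0.2.100
}

service ftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    # Internal interface only, business hours only.
    bind            = 10.0.0.1
    access_times    = 08:00-18:00
    only_from      += 10.0.0.0/8
    # Per-service file log with 10 MB soft / 15 MB hard limits so it cannot fill the disk.
    log_type        = FILE /var/log/xinetd-ftp.log 10485760 15728640
    # Shown to rejected clients; libwrap checks hosts.allow/deny under the daemon name.
    banner_fail     = /etc/xinetd.d/banners/denied.txt
    libwrap         = in.ftpd
}

# Offload a service to a host behind NAT with the redir feature.
service ssh-redir
{
    type            = UNLISTED
    port            = 2222
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody
    only_from       = 203.0.113.0/24
    redirect        = 192.168.1.10 22
    log_on_success += TRAFFIC
}
```

After editing, send SIGHUP to xinetd (or SIGUSR2 for a hard reconfig) and check the syslog output for parse errors, since a service with a bad attribute is disabled rather than started.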
2.3.15
- If the address we're binding to is a multicast address, do the
multicast join.
- Merge the Fedora patch to turn off libwrap processing on tcp
rpc services. Patch xinetd-2.3.12-tcp_rpc.patch.
- Merge the Fedora patch to add labeled networking.
Patch xinetd-2.3.14-label.patch r1.4.
- Merge the Fedora patch to fix getpeercon() for labeled networking
in MLS environments.
Patch xinetd-2.3.14-contextconf.patch r1.1
- Merge the Fedora patch for int->ssize_t.
Patch xinetd-2.3.14-ssize_t.patch r1.1
Some modifications to this patch were necessary.
- Change compiler flags, -Wconversion generates excessive and
unnecessary warnings with gcc, particularly all
cases of ntohs(uint16_t).
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6614
Additionally add -Wno-unused to prevent unnecessary
warnings regarding unused function parameters when
the function is a callback conforming to a standard
interface.
- Change version number to 2.3.15devel, indicating an interim
developmental source snapshot.
- Merge patch from Thomas Swan regarding CVE-2012-0862
2.3.14
- Applied patch from Art Haas for gcc 3.5 compat.
- Flush the descriptor after writing a banner. -Jay Fenlason
- Don't assume char is signed in the udp drain() function -Don Provan
- If log remote user is on, a descriptor between 0-2 is likely to
be opened. Call msg_suspend before dup'ing socket to
avoid this bug. -Glen Johnson
- Added confparse() RPC patch from RedHat's RHEL4 srpm.
- Fixed some service release bugs with accesses to dangling pointers.
- Updated BACKLOG to 64 from 7
- Updated xconv.pl to understand ":" in inetd.conf files from
FreeBSD ports patch.
- Added howl support for mdns advertising.
- Added a libwrap service attribute to specify the service name
to check access via libwrap.
- Make some type cleanups to fix some warnings.
- Parse things as unsigned instead of signed where it makes sense.
Based on a patch from Tony Ernst.
- Remove the <1024 port check for UDP builtin services.
This check has been rather antiquated for years.
2.3.13
- Add NULL entry to success_log_options to properly end the
nvlist. -Steve Grubb
- Portability updates to libportable.h. -Matthias Andree
- Occasionally Smorefds didn't allocate more fds as
expected. -Jay Fenlason
- Address list parsing considered the comma in factorized addresses to be
an error. Updated test to allow factorized address. -Steve Grubb
- When parsing inet.conf, the filename wasn't being set for subsequent
messages. -Steve Grubb
- Fix addrlist_match to correctly handle IPv4 mapped IPv6 addresses.
-Christof Meerwald
- Fixed a bug where reloading configuration would core dump if file
logging was enabled in defaults and a connection existed when
SIGHUP was received. -Steve Grubb
- If too many connections hit and exhaust the file descriptors
such that accept fails, deactivate the service like the
cps access control does. This problem was reported
by David Cook. -Steve Grubb
- Updated rpm.spec file and added default config files to contrib
directory. -Steve Grubb
- Allow group & user to be specified by numeric value. -Steve Grubb
2.3.12
- Cleanup some signal handling if not defined. -MARUYAMA Shinichi
- Make ident protocol work properly for multi-homed hosts. -Alan Sundell
- Code cleanup for const warnings. -Steve Grubb
- Make redirect protocol independent. -Cougar
- Make reconfig iterate over all services. Some may be in "not started"
state and were being missed. -Steve Grubb
- Make redirected, forking builtins, & tcpmux close all listening
descriptors so reconfig works. -Jay Fenlason
- Add support for the IPV6_V6ONLY socket option. Don't assume
a default setting, as the default seems to be in flux.
- Address compare in readjust was wrong. It's now corrected to handle
each address family separately. -Steve Grubb
- Add command line option to not fork. This will allow xinetd to be
started by init or daemontools. -Matthias Andree
- Fixed a leak in reconfig. If log_type = file is used for a service and
SIGHUP is sent to xinetd, it leaked a file descriptor and
44 bytes of memory per service using FILE. -Steve Grubb
- Change all close() calls to Sclose() to prevent future
problems. -Steve Grubb
- Fixed bug if service name is unparsable and in an included directory
that caused xinetd to core dump. -Steve Grubb
- Fixed bug where address lists had "version" uninitialized when the
list used hostnames with no dots in the name. -Steve Grubb
- Numerous memory leaks when parsing errors occurred. -Steve Grubb
- Remove the servers and xadmin internal services.
- Update addrlist_match to use the address part of the IPv6 address
structure. -Christof Meerwald
- Correct looping problems for udp connections rejected by the child
access controls. -Steve Grubb
- Added TRAFFIC logging option to report total bytes in and out for a
redirected service. -Christof Meerwald
- Correct a double-free condition if a retry was scheduled. -Steve Grubb
- Add filename to parse messages. -Steve Grubb
- Improve port error messages after parsing. -Steve Grubb
- Sclose dump_fd if SIO error causes dump abort. -Steve Grubb
- Smorefds wasn't allocating the proper amount of sio descriptor space
if the fd was > 5 over its last known fd. -Steve Grubb
2.3.11
- Fix some compile time errors on Solaris
- Fixed a bounds check in Sdone(). Patch from Dmitry V. Levin
- Added FreeBSD loadavg support. Patch from Vanilla I. Shu
- TCPMUX parser updates. -Steve Grubb
- TCPMUX was causing core dumps due to changes made in 2.3.10's
child_process(), reverted changes. -Philip Armstrong
- Remove RECORD logging option. -Steve Grubb
- Change Sclose to make sure it always closes the fd. -Steve Grubb
- Added better error handling to filelog.c. -Steve Grubb
- Error messages now go to syslog instead of stderr in
strparse.c. -Steve Grubb
- Fixed memory leaks found with valgrind. -Steve Grubb
- Correct problems with bind specified in the default
section. -Steve Grubb
- Use Sclose to close banner commands. -Jay Fenlason
- Correct banner to match man pages. -Jay Fenlason
2.3.10
- Close the service descriptors on fork. This only matters for internal
forking services, since anything that calls exec() will get
those closed automagically. This will help reduce the file
descriptors used by the daemon when using some internal services
- Fix a numbering bug with xinetd's internal flag representation that
was manifesting itself as all services being disabled upon
receiving a SIGUSR2 (hard reconfig)
- Don't pass a hostname to dns registration calls, it'll pick a hostname
automagically.
- Remove CLEANUP and other dead code.
- Make sure tcp internal non-forking services close their filedescriptors.
- Added syslog facilities for the xinetd log configuration to match SUS.
- Steve Grubb
- Start reporting the Per Source value when dumping debugging output
- Steve Grubb
- Correct the fake-getnameinfo.h to include appropriate macros.
- Steve Grubb
- Up the default CPS value to 50 from 10.
- Document the default CPS values in the xinetd.conf man page.
- Fix a closing of the connection when there's an error handling the
service. - Steve Grubb
- Fixed a bug in the includedir path where a reference was kept to
free()'d memory.
- Fixed a bug in the consistency check mechanism where it would
report the signal pipe as a problem.
- Clear memory before freeing it. This isn't strictly necessary,
but aids in debugging.
- Add the pid to debugging messages.
- Remove access control calls for special services. The access control
functions must always allow these services anyway.
- Fixed a bug with reconfiguring services using the interface attribute.
-- Adam Lukosek
- Fixed a bug with deallocating dns registrations.
- Fixed a bug where tcp_wrappers would not identify an internal service
since the internal service has no executable. -Steve Grubb
- Sclose was being used on the config file descriptor. Since sio
never touches the descriptor, it failed to close it.
- Steve Grubb
- Fix a potential memory leak with bind_addr and service reconfig.
- Andrey Alekseyev
- Fix a reconfig timing issue.
- Andrey Alekseyev
2.3.9
- Fixed bug uncovered by IPv6 updates for bind parser. In the id_parser,
a test was being performed for uniqueness. It relied on the
address already being given. However, the address may not be
known if more than one record came back from the getaddrinfo
function call. -Steve Grubb
- Added code to service_fill to resolve port if unspecified. -Steve Grubb
- Consolidated duplicate services tests into check_entry. -Steve Grubb
- Fixed a bug with access control & internal services.
- Make sure we byteswap the value returned by time services.
- Fix an omission with the tcpmux integration.
- Fixed a race when there's 1 service configured and it is a wait service.
2.3.8
- Reworked redirect to better detect problems in its configuration. Also,
redirect now allows service names for port numbers. -Steve Grubb
- Reworked attribute checking in confparse & updated attr.h. -Steve Grubb
- Ensure that children have the default signal handlers installed.
- Added support for DNS service registration ala Rendezvous.
- Fixed some compile errors on Mac OS X, FreeBSD, and OpenBSD.
- Added preliminary support for tcpmux -Philip Armstrong
- Update the xinetd man page to document the -version option.
- Now ignores the --with-inet6 compile option.
Services will default to IPv4 unless configured otherwise.
- Bring back the inetd.conf parser in a different form. Parse all
the xinetd config files first, then parse /etc/inetd.conf,
and add services from there (if it exists).
Use the -inetd_compat option to read inetd.conf.
- IPv6 updates for bind_parser, only_from, and no_access. -Steve Grubb
2.3.7
- Added fixes or workarounds for issues introduced after 2.3.3
including the signal pipe leak into child processes (a
security hole). -Solar Designer
- Made xinetd unlink its pidfile when there turns out to be no
services configured on reload. -Solar Designer
2.3.6
- Updated only_from to 'and' both the remote address and the specified
portion if a network mask type address is used. -Steve Grubb
- Updated explicit_mask to choose NUMERIC_ADDR if mask is 32. -Steve Grubb
- Many parser updates. -Steve Grubb
- Propagate default attributes even if not specified. log_on_success,
log_on_failure, passenv were the main items affected by this
problem. only_from and no_access now conform to this new
propagation technique. -Steve Grubb
- Xremove now uses domain names in addition to ip addresses. -Steve Grubb
- Moved sensor code into its own file and changed it to use timer
facility. -Steve Grubb
- Reworked remote_addr check & addrlist_match to not cache IP addresses
and corrected several algorithmic problems. -Steve Grubb
- Off-by-one error corrected in pset_delete. -Steve Grubb
- Updated attrfill to use IPv4 addresses if bind specified. -Steve Grubb
- Fixed bug in libwrap code to check server better for NULL -Steve Grubb
- Added better testing of configuration if NAMEINARGS flag
is set. -Steve Grubb
- Updated config.guess & config.sub. -Thomas Seyrat
- Added an rpm spec file. -Steve Grubb
- Removed sio/suite directory. It appears that key files have been
deleted in the past so it no longer works. -Steve Grubb
- Make the file descriptor buffer allocation dynamic. This substantially
reduces xinetd's normal memory footprint (~760KB). -Rob Braun
- Work around bugs in Mac OS X's getrlimit/setrlimit which causes them
to be almost unusable. -Rob Braun
2.3.5
- Included patch from Trond at RedHat to check signal pipe if there are
no services running.
- Update the access_times parser to disable service if there is a parse
error. Also corrected ti_add too. -Steve Grubb
- Updated all parsers to propagate errors so service will be
disabled. -Steve Grubb
- Updated internal services to check the signal pipe
periodically. -Steve Grubb
- Updated sendsig to wait for terminated children so zombies aren't created
and ports are clear to rebind to on hard_reconfig. -Steve Grubb
- Included a patch from Hendrik Visage for a problem with ident.
Bug reports or patches may be sent to me at: bbraun@synack.net.