Message-Id: <9201161641.AA25280@tictac.cert.sei.cmu.edu>
Date: Thu, 16 Jan 92 11:39:24 EST
To: cert-tools@cert.sei.cmu.edu
From: dick@ccnext.ucsf.edu (Dick Karpinski)
Subject: Re: Modified inetd

I showed some of this discussion to my friend Roland McGrath, of FSF, who said, "I did one of those." So I asked him for a copy. He sent me a shar file prefaced by a few comments which I extract from:

Here is a shar of the source to my inetd. It is a modified version of the 4.4 inetd. I got the original Berkeley sources from ftp.uu.net. Systems which have a real setsid call should not use setsid.c, which I wrote to emulate setsid on 4.3BSD.

I am actively maintaining this program, and am interested in bug reports. However, I'm maintaining only for the purpose of the FSF's use of it, and am not particularly interested in new features that will not be of use to us (I'll listen to suggestions, though).

There is no documentation. You can get the BSD inetd manpage from uunet.

My changes to their version are:

* Ported to 4.3BSD on hp300s, HPUX 7.0 (I think) on hp834s, and sun4 running sunos4.1.

* Added sunrpc support. Easily commented out for systems without sunrpc. mtXinu's MORE/bsd 4.3+NFS and SunOS4.1 use different syntaxes for sunrpc services in /etc/inetd.conf. My version understands both syntaxes.

* Added security support; new configuration file /etc/inetd.sec. Based on the feature of HPUX's inetd (you can look at their documentation if you have an HP machine handy, or log in to one of ours to look), but not quite the same. Basically, /etc/inetd.sec contains lines like:

	telnet deny undesireable.machine.com
	ftp deny *.undesireable.domain.edu
	login allow blessed.machine.org
	shell allow 128.52.46
	telnet rejections /bin/echo echo We do not like you.

This says: Allow telnet connections from anywhere except undesireable.machine.com; allow ftp connections from anywhere except anything matching *.undesireable.domain.edu (that's a shell glob pattern); allow rlogin only from blessed.machine.org; allow rsh only from things on subnet 128.52.46; when undesireable.machine.com tries to make a telnet connection, echo is run in place of telnetd.

There can be as many allow/deny lines as you like. Each line can have as many names or nets as you like, separated by whitespace and/or commas. The restrictions build, so "allow *.mit.edu" followed by "deny 18" will allow things in mit.edu unless they're on net 18. If the first thing is a deny, then calling hosts that don't match any allow or deny lines are allowed; if the first thing is an allow, then unmatched hosts are denied. The rejections lines give daemon program and args just like lines in /etc/inetd.conf do.

I didn't include a makefile because the one I use is GNU make-specific and refers to pathnames on my machine which don't make sense elsewhere.

---------------end of Roland's comments --------

This was followed by 2000 lines of shar. The shar file is available via anonymous ftp from ccb.ucsf.edu (128.218.1.13). The file's name is /pub/inetd.fsf.Z.

Dick
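The /etc/inetd.sec rules above are easy to misread, in particular the "restrictions build" and "first line sets the default" behaviour. The following Python evaluator is an added example written for this page, not Roland McGrath's inetd code, that parses the format exactly as the message describes it and decides allow/deny plus the rejection program for a connection. The sample configuration is constructed (the message's five lines plus added finger and exec lines that exercise ordering and comma-separated hosts), and three details the message does not specify are assumptions marked in the code: a service with no rules is allowed, hostnames compare case-insensitively, and a caller without a reverse-DNS name passes hostname=None so only network patterns can match.

```python
"""Evaluate /etc/inetd.sec access rules as described in the message.

Added example, not the inetd code from the message. Semantics implemented:
  * "<service> allow|deny <host>..." -- hosts separated by whitespace and/or
    commas; a host is a hostname, a shell glob, or a dotted network prefix
    such as "128.52.46" or "18".
  * Rules build in order, so the last matching rule for a service wins.
  * If a service's first rule is "deny", unmatched hosts are allowed; if it
    is "allow", unmatched hosts are denied.
  * "<service> rejections <program> <args>..." is what runs instead of the
    daemon when the connection is denied.
Assumptions not in the message: a service with no rules at all is allowed,
hostnames compare case-insensitively, and hostname=None (no reverse DNS)
means only network-prefix patterns can match.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    rules: list = field(default_factory=list)   # [(action, [pattern, ...]), ...]
    rejection: Optional[list] = None            # [program, arg0, arg1, ...] or None


def parse_inetd_sec(text: str) -> dict:
    """Parse inetd.sec text into {service: Policy}; malformed lines raise ValueError."""
    policies = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if len(tokens) < 3:
            raise ValueError(f"line {lineno}: expected '<service> <allow|deny|rejections> ...'")
        service, keyword, rest = tokens[0], tokens[1].lower(), tokens[2:]
        pol = policies.setdefault(service, Policy())
        if keyword in ("allow", "deny"):
            # hosts may be separated by whitespace and/or commas
            patterns = [p for p in re.split(r"[\s,]+", " ".join(rest)) if p]
            pol.rules.append((keyword, patterns))
        elif keyword == "rejections":
            pol.rejection = rest            # program followed by its argv, inetd.conf style
        else:
            raise ValueError(f"line {lineno}: unknown keyword {tokens[1]!r}")
    return policies


_NETWORK = re.compile(r"^\d+(\.\d+){0,3}$")   # "18", "128.52.46", "1.2.3.4"


def host_matches(pattern: str, hostname: Optional[str], addr: str) -> bool:
    """Dotted-digit patterns are prefixes of the IPv4 address on octet
    boundaries; anything else is a shell glob over the hostname."""
    if _NETWORK.match(pattern):
        return addr == pattern or addr.startswith(pattern + ".")
    if hostname is None:                      # assumption: no name, no glob match
        return False
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def check_access(policies: dict, service: str, hostname: Optional[str], addr: str):
    """Return (allowed, rejection_argv). rejection_argv is non-None only when
    the connection is denied and the service has a 'rejections' line."""
    pol = policies.get(service)
    if pol is None or not pol.rules:          # assumption: unlisted service is open
        return True, None
    first_action = pol.rules[0][0]
    verdict = "allow" if first_action == "deny" else "deny"   # default for unmatched hosts
    for action, patterns in pol.rules:
        if any(host_matches(p, hostname, addr) for p in patterns):
            verdict = action                  # restrictions build: later match overrides
    if verdict == "allow":
        return True, None
    return False, pol.rejection


# Constructed sample: the message's lines plus finger/exec lines for testing.
SAMPLE_INETD_SEC = """\
telnet deny undesireable.machine.com
ftp deny *.undesireable.domain.edu
login allow blessed.machine.org
shell allow 128.52.46
telnet rejections /bin/echo echo We do not like you.
finger allow *.mit.edu
finger deny 18
exec allow 192.0.2, trusted.example.org
"""

POLICIES = parse_inetd_sec(SAMPLE_INETD_SEC)

if __name__ == "__main__":
    for svc, host, addr in [("telnet", "undesireable.machine.com", "192.0.2.1"),
                            ("finger", "host.mit.edu", "18.26.0.5"),
                            ("shell", None, "128.52.46.9")]:
        print(svc, host, addr, check_access(POLICIES, svc, host, addr))
```

Note that the evaluator only sees what inetd gives it; if the reverse-DNS name for the peer is attacker-controlled, a hostname glob such as *.mit.edu is only as trustworthy as that lookup, which is why the net-prefix rules are the ones to rely on for the rsh/rlogin services.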