1
.\"(c) Copyright 1992, by Panagiotis Tsirigotis
2
.\"(c) Sections Copyright 1998-2001 by Rob Braun
3
.\"All rights reserved. The file named COPYRIGHT specifies the terms
4
.\"and conditions for redistribution.
6
.\" $Id: xinetd.conf.man,v 1.20 2007-09-20 14:58:27 bbraun Exp $
7
.TH XINETD.CONF 5 "14 June 2001"
8
.\" *************************** NAME *********************************
10
xinetd.conf \- Extended Internet Services Daemon configuration file
11
.\" *********************** DESCRIPTION ****************************
14
is the configuration file that
15
determines the services provided by \fBxinetd\fP.
16
Any line whose first non-white-space character is a '#' is considered
17
a comment line. Empty lines are ignored.
19
The file contains entries of the form:
24
service <service_name>
28
<attribute> <assign_op> <value> <value> ...
36
The assignment operator,
42
The majority of attributes support only the simple assignment operator,
44
Attributes whose value is a set of values support all assignment operators.
47
means adding a value to the set and
49
means removing a value from the set.
50
A list of these attributes will be given
51
after all the attributes are described.
53
Each entry defines a service identified by the \fIservice_name\fP.
54
The following is a list of available attributes:
57
This attribute is used to uniquely identify a service.
58
This is useful because there exist services that can use different
59
protocols and need to be described with different entries in the
61
By default, the service id is the same as the service name.
64
Any combination of the following values may be used:
68
if this is an RPC service
71
if this is a service provided by \fBxinetd\fP.
74
if this is a service that will be started according to the RFC 1078 protocol on the TCPMUX well-known port. See the section describing TCPMUX services below.
77
if this is a service not listed in a standard system file
82
for non-RPC services).
86
Any combination of the following flags may be used:
90
Intercept packets or accepted connections in order to verify that they
91
are coming from acceptable locations (internal or multi-threaded
92
services cannot be intercepted).
95
Avoid retry attempts in case of fork failure.
98
Accept connections only when the remote end identifies the remote user
99
(i.e. the remote host must run an identification server).
100
This flag applies only to connection-based services.
101
This flag is ineffective if the
103
log option is not used.
106
This will cause the first argument in "server_args" to be argv[0] when
107
executing the server, as specified in "server". This allows you to use
108
tcpd by putting tcpd in "server" and the name of the server in "server_args"
109
like in normal inetd.
112
If the service is a tcp service and the NODELAY flag is set, then the
113
TCP_NODELAY flag will be set on the socket. If the service is not
114
a tcp service, this option has no effect.
117
If the service is a tcp service and the KEEPALIVE flag is set, then
118
the SO_KEEPALIVE socket flag will be set on the socket. If the service
119
is not a tcp service, this option has no effect.
122
This disables internal calling of the tcpwrap library to determine access
123
to the service. This may be needed in order to use libwrap functionality
124
not available to long-running processes such as xinetd; in this case,
125
the tcpd program can be called explicitly (see also the NAMEINARGS flag).
126
For RPC services using TCP transport, this flag is automatically turned on,
127
because xinetd cannot get remote host address information for the rpc port.
130
This replaces the service with a sensor that detects accesses to the
131
specified port. NOTE: It will NOT detect stealth scans. This flag
132
should be used only on services that you know you don't need. When an
133
access is made to this service's port, the IP Address is added to a global
134
no_access list. This causes all subsequent accesses from the originating IP
135
address to be denied access until the deny_time setting expires. The amount
136
of time spent on this list is configurable as the deny_time attribute. The
137
SENSOR flag will also cause xinetd to consider the server attribute to be
138
INTERNAL no matter what is typed on the same line. Another important thing
139
to remember is that if the socket_type is set to stream, then the wait
140
attribute should be set to no.
143
Sets the service to be an IPv4 service (AF_INET).
146
Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on the system.
149
The LABELED flag will tell xinetd to change the child processes SE Linux context to match that of the incoming connection as it starts the service. This only works for external tcp non-waiting servers and is an error if applied to an internal, udp, or tcp-wait server.
152
The REUSE flag is deprecated. All services now implicitly use the REUSE flag.
156
This is boolean "yes" or "no". This will result in the service
157
being disabled and not starting. See the DISABLE flag description.
161
Possible values for this attribute include:
168
datagram-based service
171
service that requires direct access to IP
174
service that requires reliable sequential datagram transmission
178
determines the protocol that is employed by the service.
179
The protocol must exist in
182
attribute is not defined, the default protocol employed by the service
186
This attribute determines if the service is single-threaded or
187
multi-threaded and whether or not xinetd accepts the connection or the server
188
program accepts the connection. If its value is \fIyes\fP, the service is
189
single-threaded; this means that \fBxinetd\fP will start the server and then
190
it will stop handling requests for the service until the server dies and that
191
the server software will accept the connection. If the attribute value is
192
\fIno\fP, the service is multi-threaded and \fBxinetd\fP will keep handling
193
new service requests and xinetd will accept the connection. It should be noted
194
that udp/dgram services normally expect the value to be yes since udp is not
195
connection oriented, while tcp/stream servers normally expect the value to be
199
determines the uid for the server process. The user attribute can either
200
be numeric or a name. If a name is given (recommended), the user name must
203
This attribute is ineffective if the effective user ID
204
of \fBxinetd\fP is not super-user.
207
determines the gid for the server process. The group attribute can either
208
be numeric or a name. If a name is given (recommended), the group name must
211
If a group is not specified, the group
212
of \fIuser\fP will be used (from
214
This attribute is ineffective if the effective user ID
215
of \fBxinetd\fP is not super-user and if the \fBgroups\fP attribute
219
determines the number of servers that can be simultaneously active
220
for a service (the default is no limit). The value of this
221
attribute can be either a number or
223
which means that there is no limit.
226
determines the server priority. Its value is a (possibly negative) number;
227
check nice(3) for more information.
230
determines the program to execute for this service.
233
determines the arguments passed to the server. In contrast to \fBinetd\fP,
234
the server name should \fInot\fP be included in \fIserver_args\fP.
237
overrides the service name passed to libwrap (which defaults to the
238
server name, the first server_args component with NAMEINARGS, the id
239
for internal services and the service name for redirected services).
240
This attribute is only valid if xinetd has been configured with the libwrap
244
determines the remote hosts to which the particular
245
service is available.
246
Its value is a list of IP addresses which can be specified in any
247
combination of the following ways:
251
a numeric address in the form of %d.%d.%d.%d. If the rightmost components are
252
0, they are treated as wildcards
253
(for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet).
254
0.0.0.0 matches all Internet addresses. IPv6 hosts may be specified in the form of abcd:ef01::2345:6789. The rightmost rule for IPv4 addresses does not apply to IPv6 addresses.
257
a factorized address in the form of %d.%d.%d.{%d,%d,...}.
258
There is no need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok).
259
However, the factorized part must be at the end of the address. This form does not work for IPv6 hosts.
263
.I /etc/networks). This form does not work for IPv6 hosts.
266
a host name. When a connection is made to xinetd, a reverse lookup is
267
performed, and the canonical name returned is compared to the specified host
268
name. You may also use domain names in the form of .domain.com. If the
269
reverse lookup of the client's IP is within .domain.com, a match occurs.
272
an ip address/netmask range in the form of 1.2.3.4/32. IPv6 address/netmask
273
ranges in the form of 1234::/46 are also valid.
277
Specifying this attribute
278
without a value makes the service available to nobody.
281
determines the remote hosts to which the particular
282
service is unavailable. Its value can be specified in the same way as the
283
value of the \fBonly_from\fP
284
attribute. These two attributes determine the location access control
285
enforced by \fBxinetd\fP. If none of the two is specified for a service,
286
the service is available to anyone. If both are specified for a service,
287
the one that is the better match for
288
the address of the remote host determines
289
if the service is available to that host (for example, if the
290
\fBonly_from\fP list contains 128.138.209.0 and the
291
\fBno_access\fP list contains 128.138.209.10
292
then the host with the address 128.138.209.10 can not access the service).
295
determines the time intervals when the service is available. An interval
296
has the form \fIhour:min-hour:min\fP (connections
298
be accepted at the bounds of an interval). Hours can range from 0 to 23 and
299
minutes from 0 to 59.
302
determines where the service log output is sent. There are two formats:
305
.B SYSLOG " \fIsyslog_facility [syslog_level]\fP"
306
The log output is sent to syslog at the specified facility. Possible facility
318
Possible level names include:
327
If a level is not present, the messages will be recorded at the
331
.B FILE " \fIfile [soft_limit [hard_limit]]\fP"
332
The log output is appended to \fIfile\fP which will be created if it does
333
not exist. Two limits on the size of the log file can be optionally specified.
334
The first limit is a soft one;
336
will log a message the first time this limit is exceeded (if
338
logs to syslog, the message will be sent at the
341
The second limit is a hard limit;
343
will stop logging for the affected service (if the log file is a
344
common log file, then more than one service may be affected)
345
and will log a message about this (if
347
logs to syslog, the message will be sent at the
350
If a hard limit is not specified, it defaults to the soft limit
351
increased by 1% but the extra size must be within the parameters
355
which default to 5K and 20K respectively (these constants are defined in
360
determines what information is logged when a server is started and when
361
that server exits (the service id is always included in the log entry).
362
Any combination of the following values may be specified:
366
logs the server process id (if the service is implemented by \fBxinetd\fP
367
without forking another process the logged process id will be 0)
370
logs the remote host address
373
logs the user id of the remote user using the RFC 1413 identification protocol.
374
This option is available only for multi-threaded stream services.
377
logs the fact that a server exited along with the exit status or the
379
(the process id is also logged if the
384
logs the duration of a service session
387
logs the total bytes in and out for a redirected service.
391
determines what information is logged when a server cannot be started
392
(either because of a lack of resources or because of access control
393
restrictions). The service id is always included in the log entry along
394
with the reason for failure.
395
Any combination of the following values may be specified:
399
logs the remote host address.
402
logs the user id of the remote user using the RFC 1413 identification protocol.
403
This option is available only for multi-threaded stream services.
406
logs the fact that a failed attempt was made
407
(this option is implied by all others).
411
determines the RPC version for a RPC service. The version can be
412
a single number or a range in the form \fInumber\fP-\fInumber\fP.
415
determines the number for an
417
RPC service (this attribute is ignored if the service is not unlisted).
420
The value of this attribute is a list of strings of the form 'name=value'.
421
These strings will be added to the environment before
422
starting a server (therefore the server's environment will include
423
\fBxinetd\fP's environment plus the specified strings).
426
The value of this attribute is a list of environment variables from
427
\fBxinetd\fP's environment that will be passed to the server.
428
An empty list implies passing no variables to the server
429
except for those explicitly defined using the
432
(notice that you can use this attribute in conjunction with the
434
attribute to specify exactly what environment will be passed to the server).
437
determines the service port. If this attribute is specified for a service
440
it must be equal to the port number listed in that file.
443
Allows a tcp service to be redirected to another host. When xinetd receives
444
a tcp connection on this port it spawns a process that establishes a
445
connection to the host and port number specified, and forwards all data
446
between the two hosts. This option is useful when your internal machines
447
are not visible to the outside world. Syntax is: redirect = (ip address)
448
(port). You can also use a hostname instead of the IP address in this
449
field. The hostname lookup is performed only once, when xinetd is
450
started, and the first IP address returned is the one that is used
451
until xinetd is restarted.
452
The "server" attribute is not required when this option is specified. If
453
the "server" attribute is specified, this attribute takes priority.
456
Allows a service to be bound to a specific interface on the machine.
457
This means you can have a telnet server listening on a local, secured
458
interface, and not on the external interface. Or one port on one interface
459
can do something, while the same port on a different interface can do
460
something completely different. Syntax: bind = (ip address of interface).
466
Takes the name of a file to be splatted at the remote host when a
467
connection to that service is established. This banner is printed
468
regardless of access control. It should *always* be printed when
469
a connection has been made. \fBxinetd\fP outputs the file as-is,
470
so you must ensure the file is correctly formatted for the service's
471
protocol. In paticular, if the protocol requires CR-LF pairs for line
472
termination, you must supply them.
475
Takes the name of a file to be splatted at the remote host when a
476
connection to that service is granted. This banner is printed
477
as soon as access is granted for the service. \fBxinetd\fP outputs the
478
file as-is, so you must ensure the file is correctly formatted for
479
the service's protocol. In paticular, if the protocol requires CR-LF
480
pairs for line termination, you must supply them.
483
Takes the name of a file to be splatted at the remote host when a
484
connection to that service is denied. This banner is printed
485
immediately upon denial of access. This is useful for informing
486
your users that they are doing something bad and they shouldn't be
487
doing it anymore. \fBxinetd\fP outputs the file as-is,
488
so you must ensure the file is correctly formatted for the service's
489
protocol. In paticular, if the protocol requires CR-LF pairs for line
490
termination, you must supply them.
493
Takes an integer or "UNLIMITED" as an argument. This specifies the
494
maximum instances of this service per source IP address. This can
495
also be specified in the defaults section.
498
Limits the rate of incoming connections. Takes two arguments.
499
The first argument is the number of connections per second to handle.
500
If the rate of incoming connections is higher than this, the service
501
will be temporarily disabled. The second argument is the number of
502
seconds to wait before re-enabling the service after it has been disabled.
503
The default for this setting is 50 incoming connections and the interval
507
Takes a floating point value as the load at which the service will
508
stop accepting connections. For example: 2 or 2.5. The service
509
will stop accepting connections at this load. This is the one minute
510
load average. This is an OS dependent feature, and currently only
511
Linux, Solaris, and FreeBSD are supported for this. This feature is
512
only avaliable if xinetd was configured with the -with-loadavg option.
515
Takes either "yes" or "no". If the groups attribute is set to
516
"yes", then the server is executed with access to the groups that the
517
server's effective UID has access to. Alternatively, if the \fBgroup\fP
518
attribute is set, the server is executed with access to the groups
519
specified. If the groups attribute is set
520
to "no", then the server runs with no supplementary groups. This
521
attribute must be set to "yes" for many BSD systems. This attribute
522
can be set in the defaults section as well.
525
Takes either "yes" or "no". On systems that support mdns registration
526
of services (currently only Mac OS X), this will enable or disable
527
registration of the service. This defaults to "yes".
530
Sets the inherited umask for the service. Expects an octal value.
531
This option may be set in the "defaults" section to set a umask
532
for all services. xinetd sets its own umask to the previous umask
533
OR'd with 022. This is the umask that will be inherited by all
534
child processes if the umask option is not used.
537
Takes a list of service ID's to enable. This will enable only the
538
services listed as arguments to this attribute; the rest will be
539
disabled. If you have 2 ftp services, you will need to list both of
540
their ID's and not just ftp. (ftp is the service name, not the ID. It
541
might accidentally be the ID, but you better check.) Note that the
542
service "disable" attribute and "DISABLE" flag can prevent a service
543
from being enabled despite being listed in this attribute.
546
Takes a filename in the form of "include /etc/xinetd/service".
547
The file is then parsed as a new configuration file. It is not
548
the same thing as pasting the file into xinetd.conf where the
549
include directive is given. The included file must be in the
550
same form as xinetd.conf. This may not be specified from within
551
a service. It must be specified outside a service declaration.
554
Takes a directory name in the form of "includedir /etc/xinetd.d".
555
Every file inside that directory, excluding files with names containing
556
a dot ('.') or ending with a tilde ('~'), will be parsed as xinetd
557
configuration files. The files will be parsed in alphabetical order
558
according to the C locale. This allows you to specify services one
559
per file within a directory. The
561
directive may not be specified from within a service declaration.
564
Sets the Address Space resource limit for the service. One parameter
565
is required, which is either a positive integer representing the number
566
of bytes to set the limit to (K or M may be used to specify
567
kilobytes/megabytes) or "UNLIMITED". Due to the way Linux's libc malloc
568
is implemented, it is more useful to set this limit than rlimit_data,
569
rlimit_rss and rlimit_stack. This resource limit is only implemented on
573
Sets the maximum number of CPU seconds that the service may use.
574
One parameter is required, which is either a positive integer representing
575
the number of CPU seconds limit to, or "UNLIMITED".
578
Sets the maximum data size resource limit for the service.
579
One parameter is required, which is either a positive integer representing
580
the number of bytes or "UNLIMITED".
583
Sets the maximum resident set size limit for the service. Setting this
584
value low will make the process a likely candidate for swapping out to
585
disk when memory is low.
586
One parameter is required, which is either a positive integer representing
587
the number of bytes or "UNLIMITED".
590
Set the maximum stack size limit for the service.
591
One parameter is required, which is either a positive integer representing
592
the number of bytes or "UNLIMITED".
595
Sets the time span that access to all services on all IP addresses are
596
denied to someone that sets off the SENSOR. The unit of time is in minutes.
597
Valid options are: FOREVER, NEVER, and a numeric value. FOREVER causes
598
the IP address not to be purged until xinetd is restarted. NEVER has the
599
effect of just logging the offending IP address. A typical time value would
600
be 60 minutes. This should stop most DOS attacks while allowing IP addresses
601
that come from a pool to be recycled for legitimate purposes. This option
602
must be used in conjunction with the SENSOR flag.
604
You don't need to specify all of the above attributes for each service.
605
The necessary attributes for a service are:
613
(non-\fIinternal\fP services only)
616
(non-\fIinternal\fP services only)
621
(\fIRPC\fP and \fIunlisted\fP services only)
624
(\fIRPC\fP services only)
627
(\fIunlisted\fP RPC services only)
630
(\fIunlisted\fP non-RPC services only)
634
The following attributes support all assignment operators:
650
(does not support the
656
These attributes can also appear more than once in a service entry.
657
The remaining attributes support only the
659
operator and can appear at most once in a service entry.
661
The configuration file may also contain a single defaults entry
671
<attribute> = <value> <value> ...
680
This entry provides default attribute values for service entries that
681
don't specify those attributes. Possible default attributes:
735
Attributes with a cumulative effect can be specified multiple times
736
with the values specified each time accumulating (i.e. '=' does
737
the same thing as '+=').
738
With the exception of
740
they all have the same meaning as if they were specified in a service entry.
742
determines services that are disabled even if they have entries in
743
the configuration file. This allows for quick reconfiguration by
744
specifying disabled services with the
746
attribute instead of commenting them out.
747
The value of this attribute is a list of space separated service ids.
749
has the same properties as disabled. The difference being that
751
is a list of which services are to be enabled. If
753
is specified, only the services specified are available. If
755
is not specified, all services are assumed to be enabled,
756
except those listed in
759
.\" *********************** INTERNAL SERVICES ****************************
760
.SH "INTERNAL SERVICES"
762
\fBxinetd\fP provides the following services internally (both
763
stream and datagram based):
770
These services are under the same access restrictions as all other
771
services except for the ones that don't require \fBxinetd\fP to fork
772
another process for them. Those ones (\fItime\fP, \fIdaytime\fP,
773
and the datagram-based \fIecho\fP, \fIchargen\fP, and \fIdiscard\fP)
774
have no limitation in the number of
777
.\" *********************** TCPMUX Services ****************************
778
.SH "TCPMUX Services"
780
\fBxinetd\fP supports TCPMUX services that conform to RFC 1078. These services
781
may not have a well-known port associated with them, and can be accessed via
782
the TCPMUX well-known port.
784
For each service that is to be accessed via TCPMUX, a service entry in
785
\fB/etc/xinetd.conf\fP or in a configuration file in an \fBincludedir\fP
786
directory must exist.
788
The \fIservice_name\fP field (as defined above for each service in any
790
configuration file) must be identical to the string that is passed (according
791
to RFC 1078 protocol) to \fBxinetd\fP when the remote service requestor first
792
makes the connection on the TCPMUX well-known port. Private protocols should
793
use a service name that has a high probability of being unique. One way is to
794
prepend the service name with some form of organization ID.
796
The \fItype\fP field can be either \fBTCPMUX\fP or \fBTCPMUXPLUS\fP. If the
797
type is \fBTCPMUXPLUS\fP, \fBxinetd\fP will handle the initial protocol
798
handshake (as defined in RFC 1078) with the calling process before initiating
799
the service. If the type is \fBTCPMUX\fP, the server that is started is
800
responsible for performing the handshake.
802
The \fItype\fP field should also include \fBUNLISTED\fP if the service is
803
not listed in a standard system file
808
for non-RPC services).
810
The \fIsocket_type\fP for these services must be \fBstream\fP, and the
811
\fIprotocol\fP must be \fBtcp\fP.
813
Following is a sample TCPMUX service configuration:
834
= /usr/etc/my_server_exec
841
Besides a service entry for each service that can be accessed
842
via the TCPMUX well-known port, a service entry for TCPMUX itself
843
must also be included in the \fBxinetd\fP configuration. Consider the following
872
.\" *********************** NOTES ****************************
875
The following service attributes \fIcannot\fP be changed on reconfiguration:
885
are not specified for a service (either directly or via \fIdefaults\fP)
886
the address check is considered successful (i.e. access will not be
889
The address check is based on the IP address of the remote host and
890
not on its domain address. We do this so that we can avoid
891
remote name lookups which may take a long time (since
893
is single-threaded, a name lookup will prevent the daemon from
894
accepting any other requests until the lookup is resolved).
895
The down side of this scheme is that if the IP address of a remote
896
host changes, then access to that host may be denied until
899
Whether access is actually denied or not will depend on whether the
900
new host IP address is among those allowed access. For example, if
901
the IP address of a host changes from 1.2.3.4 to 1.2.3.5 and
902
only_from is specified as 1.2.3.0 then access will not be denied.
906
log option is specified and the remote host either does not run an
907
identification server or the server sends back a bad reply,
908
access will not be denied unless the
910
service flag is used.
912
Interception works by forking a process which acts as a filter
913
between the remote host(s) and the local server.
914
This obviously has a performance impact so
915
it is up to you to make the compromise between security and performance
917
The following tables show the overhead of interception.
918
The first table shows the time overhead-per-datagram for a UDP-based service
919
using various datagram sizes.
920
For TCP-based services we measured the bandwidth reduction
921
because of interception while sending
922
a certain amount of data from client to server (the time overhead should
923
the same as for UDP-based services but it is "paid" only by the first
924
packet of a continuous data transmission).
925
The amount of data is given
926
in the table as \fIsystem_calls\fPx\fIdata_sent_per_call\fP, i.e.
929
system call transferred so many bytes of data.
930
The bandwidth reduction is given in terms of bytes per second and as
931
a percentage of the bandwidth when interception is not performed.
932
All measurements were done on a SparcStation IPC running SunOS 4.1.
938
Datagram size (bytes)
941
---------------------
977
.\" *********************** EXAMPLE ****************************
984
# Sample configuration file for xinetd
991
= FILE /var/log/servicelog
997
= 128.138.193.0 128.138.204.0
1008
# Note 1: the protocol attribute is not required
1009
# Note 2: the instances attribute overrides the default
1023
= /usr/etc/in.rlogind
1030
# Note 1: the instances attribute overrides the default
1031
# Note 2: the log_on_success flags are augmented
1069
+= DURATION HOST USERID
1071
= 2:00-9:00 12:00-24:00
1075
# Limit telnet sessions to 8 Mbytes of memory and a total
1076
# 20 CPU seconds for child processes.
1089
= /usr/etc/in.telnetd
1098
# This entry and the next one specify internal services. Since
1099
# this is the same service using a different socket type, the
1100
# id attribute is used to uniquely identify each entry
1135
# Sample RPC service
1147
= /usr/etc/rpc.rstatd
1155
= LD_LIBRARY_PATH=/etc/securelib
1160
# Sample unlisted service
1174
= /home/user/some_server
1181
.\" *********************** SEE ALSO ****************************
1188
.IR "Echo Protocol" ,
1193
.IR "Discard Protocol" ,
1198
.IR "Character Generator Protocol" ,
1203
.IR "Daytime Protocol" ,
1207
Postel J., Harrenstien K.,
1208
.IR "Time Protocol" ,
1213
.IR "TCP Port Service Multiplexer (TCPMUX)" ,
1218
.IR " Identification Protocol" ,
1221
.\" *********************** BUGS ****************************
1227
access control on the address of the remote host is not performed when
1228
\fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIstream\fP.
1230
The NOLIBWRAP flag is automatically turned on for RPC services whose
1231
\fIsocket_type\fP is \fIstream\fP because xinetd cannot determine the
1232
address of the remote host.
1237
access control on the address of the remote host for
1238
services where \fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIdgram\fP
1239
is performed only on the first packet. The server may then accept packets
1240
from hosts not in the access control list. This can happen with
1244
There is no way to put a
1246
in an environment variable.
1248
When \fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIstream\fP,
1249
the socket passed to the server can only accept connections.
1253
flag is not supported for internal services or multi-threaded services.