System Services
Many programs run on your system to provide an assortment of services to you as a local user and to remote users contacting your system. These services range from obvious things (such as terminal services that allow you to connect to your machine from remote locations and file-sharing services) to less obvious but still useful services (such as the ones that provide wall-clock time information and remote machine status information).
Programs that provide service for all users on a machine are generally started by one of two different mechanisms: either they are started at machine startup by a series of shell scripts that execute programs during boot, or they are executed by a daemon that waits for requests for service and starts the appropriate program to handle each request.
Modifying Startup Services
Services that need to be continuously present, such as the software that configures and maintains network connections, are started from startup scripts. These startup scripts are kept in subdirectories of the /System/Library/StartupItems directory, and are simply shell scripts (such as you learned about in Chapter 18) that perform simple logic to make certain that everything is right with the system, and then start the appropriate software.
As shipped, your OS X machine should have a complement of items in the StartupItems folder similar to that shown in Table 20.3. Don't worry if your /System/Library/StartupItems/ doesn't contain exactly these items. Depending on what installation options you've chosen, and whether any additional software has been installed by the time you're reading this, your system might display some differences.
Table 20.3. Typical Items in the /System/Library/StartupItems/ Directory
| Item | Purpose |
|---|---|
| Accounting | Handles process accounting, if you care to log every action that every user or process takes |
| Apache | The Web server |
| AppServices | Assorted support services for the overall GUI interface |
| AppleShare | AppleShare file sharing |
| AppleTalk | AppleTalk network services |
| AuthServer | User authentication services |
| Cleanup | A collection of routines that remove temporary files and log files that are probably just cluttering up space |
| ConfigServer | Allows the machine to tell itself and, potentially, other machines you want to function similarly, about its configuration |
| CrashReporter | Reports system crashes to Apple, if desired |
| Cron | A service that runs various programs at specified times or specified intervals |
| DirectoryServices | Manages directory information for exchanging data between the Unix subsystem and the GUI portions of the interface |
| Disks | Controls disk operations |
| Ipservices | Controls some services related to TCP/IP networking |
| NFS | Controls use of and access to the NFS (Network File System) Unix file sharing protocol |
| Network | Configures and controls the network interface |
| NetworkTime | Interacts with the network time server |
| Portmap | Provides connectivity between remote machines, and services on your machine that don't have defined TCP/IP ports that they run on |
| SSH | Secure Shell suite startup configuration |
| SecurityServer | Part of user authentication software |
| Sendmail | Configures and controls the mail server |
| SystemLog | Configures the system logging daemon |
| SystemTuning | Apple-specific script that turns on and off assorted services to optimize the system performance |
Each of these directories contains a number of items—typically a file named after the name of the directory, a directory named Resources, and a file named StartupParameters.plist (which, oddly, isn't an XML file). The file named after the directory (and service) is the actual shell script that is run at system boot time. The Resources directory typically contains directories of "resource-like" information, such as files that contain language-replacement strings for language localization. The StartupParameters.plist contains a collection of variables and associated values that affect the operation of the service started.
Listing 20.9 shows a simple StartupItems shell script—this one starts the Apache HTTPD (Web) server.
Example 20.9. The Apache HTTPD StartupItems Shell Script
1 #!/bin/sh
2
3 ##
4 # Start Web Server
5 ##
6
7 . /etc/rc.common
8
9 if [ "${WEBSERVER:=-NO-}" = "-YES-" ]; then
10 ConsoleMessage "Starting web server"
11
12 apachectl start
13 fi
In this listing, items starting with the # sign are comments. The meaning of the lines in the script can be summarized in a simple manner:
- Line 7 sources the script /etc/rc.common, where many system-wide definitions are made.
- Line 9 checks the value of the variable WEBSERVER, and determines whether the value is -YES- or -NO- (defaulting to -NO- if the variable is unset). This value actually is extracted from the /etc/hostconfig file shown in Listing 20.2.
- If Line 9 finds -YES-, line 10 sends a message to the console that says Starting web server.
- Line 12 executes the program apachectl with the argument start. apachectl is actually another shell script, specific to the Apache installation, which handles all the real work of starting the service.
- Line 13 fi is if backwards, and it terminates the conditional expression started by the if on line 9.
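As an added example, not from the book, the following sh functions make the same decision as the script's "${WEBSERVER:=-NO-}" test, but they read the flag out of a hostconfig-format file with sed instead of sourcing the file, so the inspecting shell never executes the file's contents. The hostconfig contents and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample in the format of /etc/hostconfig; not the real file.
HOSTCONFIG_SAMPLE='# /etc/hostconfig (constructed sample)
AFPSERVER=-NO-
AUTHSERVER=-NO-
WEBSERVER=-YES-
NETWORKTIME=-YES-
NFSLOCKS=-AUTOMATIC-'

# write_sample_hostconfig: store the sample in a temp file and print its path.
write_sample_hostconfig() {
    f=$(mktemp)
    printf '%s\n' "$HOSTCONFIG_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# service_enabled VAR FILE
# Same decision as the startup script's [ "${VAR:=-NO-}" = "-YES-" ] test,
# but the flag is extracted with sed rather than by sourcing the file, so
# nothing in the file is executed by the shell doing the check. An absent
# flag defaults to -NO-, exactly as the script's := default does; any value
# other than -YES- (for example -AUTOMATIC-) counts as not enabled.
service_enabled() {
    value=$(sed -n "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1)
    [ "${value:--NO-}" = "-YES-" ]
}

# enabled_services FILE
# Lists every flag explicitly set to -YES-, one per line, in file order:
# a quick inventory of which StartupItems will actually start a service.
enabled_services() {
    sed -n 's/^\([A-Z0-9_]*\)=-YES-$/\1/p' "$1"
}

# Stand-alone demonstration on the constructed sample.
sample=$(write_sample_hostconfig)
for svc in WEBSERVER AFPSERVER NFSLOCKS; do
    if service_enabled "$svc" "$sample"; then
        echo "$svc: enabled"
    else
        echo "$svc: not enabled"
    fi
done
echo "Flags set to -YES-: $(enabled_services "$sample" | tr '\n' ' ')"
rm -f "$sample"
```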
The English language locale configuration for the Apache StartupItems (Apache/Resources/English.lproj/Localizable.strings) is shown in Listing 20.10.
Example 20.10. The English Language Locale Configuration for the Apache StartupItems
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>Starting Apache web server</key>
<string>Starting Apache web server</string>
</dict>
</plist>
This XML file specifies a key, the expression Starting Apache web server, and a local (English) replacement string for that expression, Starting Apache web server. If everything works as intended, whenever the program attempts to print the key value, the system will instead output the replacement string value. Because this isn't quite obvious from the English example, Listing 20.11 shows the Spanish.lproj version of the Localizable.strings file.
Example 20.11. Spanish.lproj Version of the Localizable.strings File for the Apache Web Server
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>Starting Apache web server</key>
<string>Iniciando servidor Apache</string>
</dict>
</plist>
Here, it is more obvious that the localization file is requesting a search to find Starting Apache web server, and replacing it with the Spanish equivalent. Amusingly, the startup script itself doesn't output Starting Apache web server; it outputs Starting web server. So, although this is one of the most concise examples of the relation between the Resource items and the StartupItems script, it doesn't appear to be the most correct.
inetd Services
As mentioned earlier, the inetd service, configured by the /etc/inetd.conf file, actually is a service that starts and controls other services. It's not practical to start an unlimited number of some types of network services and leave them running, right from startup. Depending on the use of your machine, some services might be needed in great numbers; for example, the ftpd FTP server processes, if you serve particularly interesting data and have many people connecting simultaneously. Others might be used hardly at all, such as the sprayd network diagnostic daemon. Or, on your system, the use pattern might be the opposite—but regardless of the use, patterns are likely to vary over time. For many of these types of services, the system relieves you of the task of trying to provide the right number of these servers in some manual configuration process, by using the inetd daemon to configure and run them on an as-needed basis.
The inetd.conf file, then, is the file that tells inetd which services it should start and how. A typical inetd.conf file is shown in Listing 20.12; it consists of a set of lines, with each line containing a specification for a service. The service specification lines consist of a set of fields separated by tabs or spaces. The fields that must occur on each line are shown in the following list, with a brief description of the data that belongs in them.
- Service name (used to look up service port in NetInfo services map)
- Socket type (stream, dgram, raw, rdm, or seqpacket)
- Protocol (tcp or udp, rpc/tcp, or rpc/udp)
- Wait/nowait (for dgrams only—all others get nowait; should the socket wait for additional connections)
- User (user to run the service as)
- Server program (actual path to binary on disk)
- Server program arguments (how the command line would look, if typed, including server name)
Listing 20.12 shows an inetd.conf file from a running machine, with a few useful network services enabled.
Example 20.12. An inetd.conf File from a Running Machine, with a Few Useful Network Services Enabled
#
# Internet server configuration database
#
# @(#)inetd.conf 5.4 (Berkeley) 6/30/90
#
# Items with double hashes in front (##) are not yet implemented in the OS.
#
#finger stream tcp nowait nobody /usr/libexec/tcpd fingerd -s
ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
#login stream tcp nowait root /usr/libexec/tcpd rlogind
#nntp stream tcp nowait usenet /usr/libexec/tcpd nntpd
ntalk dgram udp wait root /usr/libexec/tcpd ntalkd
#shell stream tcp nowait root /usr/libexec/tcpd rshd
#telnet stream tcp nowait root /usr/libexec/tcpd telnetd
#uucpd stream tcp nowait root /usr/libexec/tcpd uucpd
comsat dgram udp wait root /usr/libexec/tcpd comsat
#tftp dgram udp wait nobody /usr/libexec/tcpd tftpd /private/tftpboot
#bootp dgram udp wait root /usr/libexec/tcpd bootpd
##pop3 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/popper
##imap4 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/imapd
In Listing 20.12, service control lines that have a # symbol in front of them are turned off. Because this machine doesn't provide many network services to the outside world, the majority of the services are turned off. Only ftpd (the FTP server), ntalkd (the talk daemon, which provides chat-like services), and comsat (which provides the new-mail notification service) are turned on. To turn on additional services, simply uncomment the line (remove the # sign), and restart inetd by sending it a HUP signal.
kill -HUP <inetd pid>
We strongly recommend that you leave your telnet daemon and rlogin daemon disabled because these are both significant security risks. You're already familiar with the ssh (Secure Shell) programs for connecting to remote machines. Chapter 26 will cover installing and configuring the sshd daemon on your own machine, and this service will provide a secure replacement for the functionality of the telnet and shell daemons.
You will notice that according to the file format definition given earlier, the program started by many of the lines is exactly the same: /usr/libexec/tcpd. This is part of a security mechanism, whereby inetd doesn't start the actual service, but instead starts yet another service, which starts the desired final service. The intermediate service, the program /usr/libexec/tcpd, is the TCP Wrappers program. This program can be configured to intercept requests for network services, and allow them to continue only if the request comes from an authorized remote host. TCP Wrappers lives as an intermediate service between the inetd service and the end services that it delivers because the inetd-to-end-service method of providing network services was well established before the magnitude of potential Internet security problems was discovered. It turned out to be easier to sneak a wrapper around the end service, and not worry about modifying the model or about having to add security-conscious code to each and every possible service. Chapter 31, "Server Security and Advanced Network Configuration," covers how to configure TCP Wrappers to increase your system security.
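As an added example, not from the book, the following sh functions parse an inetd.conf in the seven-field format described above and report, for each enabled service, whether its server-program field is /usr/libexec/tcpd (so TCP Wrappers vets the connection) and whether it is one of the cleartext remote-login daemons the text recommends leaving disabled. The inetd.conf excerpt and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed inetd.conf excerpt in the Listing 20.12 format; not a real file.
# The uncommented, unwrapped telnet line is included as the weak setting the
# audit is meant to catch.
INETD_SAMPLE='#
# Internet server configuration database (constructed sample)
#
#finger stream tcp nowait nobody /usr/libexec/tcpd fingerd -s
ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
ntalk dgram udp wait root /usr/libexec/tcpd ntalkd
comsat dgram udp wait root /usr/libexec/tcpd comsat
##pop3 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/popper'

# write_sample_inetd_conf: store the sample in a temp file and print its path.
write_sample_inetd_conf() {
    f=$(mktemp)
    printf '%s\n' "$INETD_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# inetd_audit FILE
# Prints one line per enabled (uncommented) service:
#   name socket proto wait user WRAPPED|UNWRAPPED [RISKY]
# Field 6 of inetd.conf is the server program; only when it is
# /usr/libexec/tcpd does TCP Wrappers see the connection first. RISKY marks
# telnet/login/shell/exec, the cleartext remote-login services.
inetd_audit() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blanks, short lines
        {
            wrapped = ($6 == "/usr/libexec/tcpd") ? "WRAPPED" : "UNWRAPPED"
            risky = ($1 ~ /^(telnet|login|shell|exec)$/) ? " RISKY" : ""
            print $1, $2, $3, $4, $5, wrapped risky
        }' "$1"
}

# inetd_unwrapped_root FILE
# Names of enabled services that run as root without passing through tcpd:
# the combination worth a second look before the machine goes live.
inetd_unwrapped_root() {
    inetd_audit "$1" | awk '$5 == "root" && $6 == "UNWRAPPED" { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
sample=$(write_sample_inetd_conf)
echo "Enabled inetd services:"
inetd_audit "$sample"
echo "Unwrapped root services: $(inetd_unwrapped_root "$sample" | tr '\n' ' ')"
rm -f "$sample"
```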