identd — opaque UCSPI-TCP IDENT server
identd {root}
identd provides opaque IDENT service. Its raison d'être is to handle other machines that might be running tcpserver(1) without the -R option, or some such, without just refusing IDENT service outright.
The Bernstein convention is for root to be /public/file, but it can use other conventional locations such as /home/publicfile/public or /var/www.
identd accepts a request on standard input, and responds in a fixed manner on standard output. identd also prints local log information on standard error.
If identd runs out of memory, encounters an I/O error, or does not receive an input line within 60 seconds, it exits silently.
Normally identd is run under a UCSPI-TCP server program (tcp-socket-accept, s6-tcpserver, or tcpserver spawning a server program per connection) to handle IDENT connections from hosts around the Internet. It can also be run under a UCSPI-SSL server program, although no-one uses IDENT/SSL.
identd chroots to root when it starts.
It then sets its group id and user id to the numbers given in environment variables GID and UID, as set by envuidgid (or equivalent).
/etc/leapsecs.dat file before the chroot, and does not require it to be copied under root.
The root argument, changed root, and dropped privileges exist because of security code common to all publicfile services.
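The start-up sequence described above (chroot to root, then switch to the ids in GID and UID), written out in C as an added example; it is not identd's or publicfile's source. The names parse_id and enter_jail, the setgroups call, the refusal of id 0 and the final setuid(0) check are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a decimal id; reject empty, signed, non-numeric or out-of-range text. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || *out >= 0xFFFFFFFFUL) return -1;
    return 0;
}

/* Returns 0 once jailed and unprivileged, -1 on any failure (caller must exit). */
static int enter_jail(const char *root)
{
    unsigned long gid, uid;
    gid_t g;
    /* Read the ids from the environment (as set by envuidgid) before anything else. */
    if (parse_id(getenv("GID"), &gid) || parse_id(getenv("UID"), &uid)) return -1;
    if (gid == 0 || uid == 0) return -1;       /* assumption: refuse to stay root */
    if (chdir(root) != 0 || chroot(".") != 0) return -1; /* needs root: before setuid */
    g = (gid_t)gid;
    if (setgroups(1, &g) != 0) return -1;      /* assumption: drop supplementary groups */
    if (setgid(g) != 0) return -1;             /* group first: not permitted after setuid */
    if (setuid((uid_t)uid) != 0) return -1;
    if (setuid(0) == 0) return -1;             /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || enter_jail(argv[1]) != 0) return 1;
    /* The request would be served on stdin/stdout from here on. */
    return 0;
}
```

The order is the point: chroot requires root so it comes first, the group change must precede the user change, and every return value is checked so that a failed drop ends the process instead of serving as root.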
identd provides a purely opaque service that provides clients with no real information.
It accesses no files, nor obtains information about any sockets, nor looks up anything in any login or account database.
identd does not even validate the syntax of the requests, beyond that they are lines of characters ending in CRLF.
Its fixed response identifies all requests, extant connections or not, as belonging to root on Xenix.
Attackers can tell from the fixed response that a system is running this identd, as opposed to one that actually publishes real information, but they cannot fingerprint the system that it is running on or learn anything about that system.