Skip to content

Understanding your
(Red Hat Enterprise Linux) daemons

by Len DiMaggio

A Unix daemon is a program that runs in the “background,” enabling you to do other work in the “foreground,” and is independent of control from a terminal. Daemons can either be started by a process, such as a system startup script, where there is no controlling terminal, or by a user at a terminal without “tying up” that terminal as the daemon runs. But which daemons can you safely play with? Which should you leave running?

An introduction to daemons

The real-world (i.e., non-computer) definition of “daemon” is either a spirit (an evil one) or an inner or private voice. It’s interesting to note that each of the real-world definitions actually does apply to Unix daemon programs. Like mythological daemons, Unix daemon programs skulk around unseen in the background just as a daemon would. And daemons act like an inner voice in that they can run continuously and, like a conscience, can always be accessed. The word “daemon” is one of those cases of chicken and egg computer acronyms in search of a definition and supposedly is based on “Disk And Execution MONitor” program.

An introduction to services

The daemons referenced in /etc/init.d are configured to be run as Linux services. Services are programs that are started and stopped through the init scripts in the /etc/init.d directory. Many of these services are launched when the system is booted. The /sbin/service utility provides a consistent interface to executing the init scripts. The init scripts provide a consistent interface to managing a service by providing options that start, stop, restart, query status, and perform other actions on services. For example, the httpd service init script provides these options:

/sbin/service httpd
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}

You can view the current state of all services with this option to the service utility:

/sbin/service –status-all
acpid (pid 2481) is running...
anacron (pid 2647) is running...
atd (pid 2657) is running...
auditd (pid 2189) is running...
....

Runlevel information for these services, that is, the settings for which system runlevel the service will be started at boot time, can be queried and modified with the chkconfig utility. For example, to query the current settings for the syslog service:

/sbin/chkconfig --list syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

This shows that that syslog service will be automatically started at boot-time for runlevels 2, 3, 4, and 5. To set the service to not start for runlevels 3 and 4 (not a good idea, by the way), you would use these options for the chkconfig utility:

/sbin/chkconfig –levels 34 syslog off

The /usr/bin/system-config-services utility provides a GUI interface that enables you to both query and modify the current state of a service, as well as its defined run levels. See Illustration 1.

Illustration 1
Illustration 1: The /usr/bin/system-config-services utility GUI

Let’s look at how these services and daemons appear in output from ps. Here’s a short list:

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 23:36 ?        00:00:00 init [5]
root      2161     1  0 23:37 ?        00:00:00 auditd
root      2177     1  0 23:37 ?        00:00:00 syslogd -m 0
root      2180     1  0 23:37 ?        00:00:00 klogd -x
root      2207     1  0 23:37 ?        00:00:00 mcstransd
root      2254     1  0 23:37 ?        00:00:00 rpc.statd
root      2287     1  0 23:37 ?        00:00:00 rpc.idmapd
root      2577     1  0 23:37 ?        00:00:00 crond
root      2631     1  0 23:37 ?        00:00:00 /usr/sbin/atd
root      2654     1  0 23:37 ?        00:00:00 rhnsd --interval 240

What’s important to note here? (Other than I’m staying up too late at night, that is.) For each of the daemons, the parent process ID (PPID) is 1. This indicates that the daemons were started up during the boot process by init.

A useful tool for viewing the “tree” of processes and their parents is “pstree.” Here’s a fragment of the output from pstree:

init-+
     |-NetworkManager---2*[{NetworkManager}]
     |-NetworkManagerD
     |-acpid
     |-atd
     |-auditd-+-python
     |        `-{auditd}
     |-avahi-daemon---avahi-daemon
     |-bonobo-activati---{bonobo-activati}
     |-crond
     |-cupsd---cups-polld
     |-2*[dbus-daemon---{dbus-daemon}]
     |-dbus-launch
     |-dhcdbd---dhclient

A closer look at your system’s daemons

So much for background information. Let’s take a look at your system’s daemons and see which ones you can safely play with. Note that for this article, the system used was running the Red Hat Enterprise Linux Beta 2 release, workstation configuration. Based on your specific system, you may see more or fewer daemons, or even some not included here.

We’ve listed web-sites where you can learn more about these daemons, but the best place to start learning is the manpage. O’Reilly also has an excellent alphabetic index of Linux commands and wikipedia.org has entries for most of these daemons. And, don’t forget to look in the README files.

acpid

This is the daemon for the Advanced Configuration and Power Interface (ACPI). ACPI is an open industry standard for system control related actions, most notably plug-and-play hardware recognition and power management, such as startup and shutdown and putting systems into low poser consumption modes.

You’ll probably never want to shut down this daemon, unless you are explicitly instructed to do so to debug a hardware problem.

Learn more:
http://www.acpi.info

anacron

One of the problems with living on a laptop, as so many of us do these days, is that when you set up a cron job to run, you can’t always be sure that your laptop will be running at the time that the job should run. anacron (the name refers to its being an “anachronistic cron”) gets around this problem by scheduling tasks in days. For example, anacron will run a job if the job has not been run in the specified number of days.

When are you safe not running anacron? When your system is running continuously. Should you simply stop cron from running if you have anacron running? No; anacron is able to specify job intervals in days, not hours and seconds.

Learn more:
http://anacron.sourceforge.net

apmd

This is the daemon for the Advanced Power Management (APM) BIOS driver. The APM hardware standard and apmd are being replaced by ACPI and acpid. If your hardware supports ACPI, then you don’t need to run apmd.

atd

This is the daemon for the at job processor (at enables you to run tasks at specified times). You can turn off this daemon if you don’t use it.

autofs

This daemon automatically mounts disks and file systems that you define in a configuration file. Using this daemon can be more convenient that explicitly mounting removable disks.

Learn more:
http://freshmeat.net/projects/autofs

auditd

The Linux Auditing System provides kernel-resident logging of system calls and user space tools to collect and view the logs. The auditd daemon writes the logging records to disk. auditd is configurable to allow control over what information is written to the logs.

Why should you keep auditd running? The information in the log may prove useful in debugging security-related issues. For example, auditd is used to log SELinux events. There are also utilities such as aureport that enable you to view the audit log. Here’s an example of a report generated by aureport:

Summary Report
======================
Range of time in logs: 11/28/2006 06:07:04.800 - 02/06/2007 21:10:09.957
Selected time for report: 12/31/1969 19:00:00 - 02/06/2007 21:10:09.957
Number of changes in configuration: 285
Number of changes to accounts, groups, or roles: 32
Number of logins: 145
Number of failed logins: 11
Number of users: 2
Number of terminals: 22
Number of host names: 11
Number of executables: 27
Number of files: 91
Number of AVC denials: 688
Number of MAC events: 12
Number of failed syscalls: 404
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 14022
Number of events: 70694

Avahi-daemon and avahi-dnsconfd

The Avahi website defines Avahi as: ‘a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to, or find files being shared…’ Avahi is a Zeroconf implementation. Zeroconf is an approach that enables users to create usable IP networks without having special configuration servers such as DNS servers.
A common use of the avahi-daemon is with Rhythmbox, so you can see music that is made available to be shared with others. If you’re not sharing music or files on your system, you can turn off this daemon.

Learn more:
http://avahi.org
http://zeroconf.org

Bluetooth and hidd and pand

The name says it all. Run this service to enable your system to make use of Bluetooth devices. The name of the actual daemon is hcid (Host Controller Interface Daemon).

There’s also a daemon named hidd. This is the Bluetooth Human Interface Device Daemon. It provides keyboard, mouse, and track-ball device support over Bluetooth.

And, there’s pand. This daemon enables your computer to connect to ethernet networks using Bluetooth.

Learn more:
http://www.bluetooth.com
http://bluez.sourceforge.net/contrib/HOWTO-PAN

capi

This daemon supports the Common ISDN Application Programming Interface. You’ll run this if you’re connecting to ISDN hardware components. The service runs capiinit.

Learn more:
http://www.capi.org/pages

conman

No, this isn’t related to late-night infomercials about real estate investing. The conman service (and the conmand daemon) support console management. This supports multiple console devices and simultaneous users. It supports local serial devices and remote terminal servers (via the telnet protocol). If you’re managing multiple servers, you may want to run conman.

Learn more:
http://home.gna.org/conman/

cpuspeed

This daemon adjusts the CPU speed based on the power consumption. Less power is used when the CPU is idle, and more power is available when needed to improve performance. If you’re running on a laptop, you might want to consider running cpuspeed.

Learn more:
http://carlthompson.net/Software/CPUSpeed

crond

This daemon automates the running of tasks. These jobs are necessary for any Linux or Unix system. Don’t stop or disable this one.

Learn more:
http://www.unixgeeks.org/security/newbie/unix/cron-1.html
http://www.linuxhelp.net/guides/cron/

CUPS and cups-config-daemon

This daemon is the “Common UNIX Printing Solution.” Like the name implies, it’s a printing system that can handle multiple data formats and printers. If you want to print, leave this daemon running.

Learn more:
http://www.cups.org
http://www.easysw.com/cups/index.php

dhcdbd

This is the DHcp Client D-Bus Daemon. According to The Free DeskTop wiki,

D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a “single instance” application or daemon, and to launch applications and daemons on demand when their services are needed.

Do you want to run this daemon? If you’re running your system on a network (and who isn’t?), especially if you’re moving between networks such as when you move from a wired network to wireless as you move around your office, then you should be running NetworkManager. (We’ll discuss NetworkManager in a bit.)

The dhcdbd daemon provides a D-Bus interface to dhclient, the DHCP client from ISC. This makes it possible for NetworkManager can to query and control dhclient.

Learn more:
http://www.freedesktop.org/wiki/Software/dbus

gpmd

This daemon enables you to use your mouse in text-based applications such as the Midnight Commander file manager and on the console. You might find this useful if you’re working through situations in the console; otherwise, you’ll be working in the X windowing system and you might never need gpmd.

hald

No, this isn’t related to the evil computer in the film “2001, A Space Odyssey.” In this context, HAL refers to the “Hardware Abstraction Layer.” The HAL daemon collects this information about hardware devices from the kernel and the hardware and makes it available in a consistent manner.

Don’t turn off this daemon. Multiple applications rely on it.

Learn more:
Desktop and hardware configuration,” by David Zeuthen

hplipd

This daemon supports HP Linux Imaging and Printing (HPLIP) for printing, scanning, and faxing with HP inkjet and laser printers. HPLIP works CUPS by providing a backend to connect to HP devices.

Learn more:
http://hplip.sourceforge.net

hsqldb

This is the daemon for a Java relational database. The daemon gets its name from the Hypersonic SQL project that has been discontinued. hsqldb is used widely in open source projects such as OpenOffice (it’s the database behind the “base” feature) and is often used in demonstration programs, as it can run entirely in memory. It also runs fast. Should you run this daemon? Only if you have a specific program that makes use of it. But, it’s a very useful tool, and if you’re not familiar with it, it’s worth taking a look.

Learn more:
http://hsqldb.org
http://dba.openoffice.org

httpd

The Apache web server. Used by almost 60% of all websites. If you want to host a website, you run Apache. Need we say more?

Learn more:
http://httpd.apache.org

ip6tables and iptables

These daemons are firewalls. A firewall, according to Wikipedia, is an “information technology (IT) security device which is configured to permit, deny or proxy data connections set and configured by the organization’s security policy. Firewalls can either be hardware and/or software based.”

iptables functions by maintaining tables of IPv4 packet filter rules in the kernel. It checks incoming and outgoing packets against these rules and blocks packets that don’t meet the rules. ip6tables does the same for IPv6 packets.

Which should you run? Both. Always. It’s a dangerous world on the ‘net.

Learn more:
http://www.netfilter.org
http://www.ipv6.org

irda

IrDA (Infrared Data Association) is an industry standard for inter-device wireless, infrared communications. Most laptops are configured with an IrDA infrared transceiver. You only need to run this daemon if you need to communicate via an infrared connection to other devices.

Learn more:
http://irda.sourceforge.net

irqbalance

This daemon distributes hardware interrupts to the CPUs in SMP (symmetric processor: multi-processor architecture) systems to increase performance. The daemon balances savings in power consumption with performance.

You need not run this daemon on single processor systems, as it only has an effect on multiple-processor systems. Red Hat Kbase articles1 indicate that irqbalance is relevant on x86, x86_64, and AMD systems.

Learn more:
http://www.irqbalance.org

kudzu

This is a very useful daemon. At boot time, it detects if hardware devices have been added to or removed from the the system. It’’s worthwhile to run kudzu at boot time, even if you don’t plan on adding or removing hardware often. You might run into a situation where you add a device and just assume that the system will figure out that it’s there. Also, since kudzu only runs at boot time, and does not stay running, there’s no performance hit on the system.

Learn more:
http://fedora.redhat.com/projects/additional-projects/kudzu

lisa

This daemon gets its name from Lan Information Server. lisa provides a function similar to the MS-Windows Network Neighborhood and provides you access to servers, including CIFS (Common Internet File Systems) servers on your network. lisa only needs the TCP/IP stack to function. It sends ICMP echo requests to ranges of IP address that you define in its configuration file and waits for responses.

Learn more:
http://docs.kde.org/stable/en/kdenetwork/lisa
http://docs.kde.org/userguide/networking-with-windows.html
http://lisa-home.sourceforge.net

lm_sensors

This daemon supports monitoring temperatures, voltages, and cooling fans. In order to make use of this daemon, your system hardware has to include sensors to perform this monitoring. You can only run this daemon if your hardware can support if. You probably don’t want to run this daemon on a workstation. It’s more likely to be used for hi-end, mission critical servers.

Learn more:
http://www.lm-sensors.org
http://freshmeat.net/projects/lm_sensors

mcstrans

SELinux Context Translation System Daemon. This daemon translates security context informartion into a human readable form. You can probably stop this daemon, but if you do, you’ll see a change in the SELinux information displayed with ls -Z. For example, with the daemon running, you’ll see:

ls -Z
-rw-r--r--  jsmith jsmith user_u:object_r:user_home_t      bookmarks.html
drwxr-xr-x  jsmith jsmith user_u:object_r:user_home_t      Desktop
-r-xr-xr-x  jsmith jsmith user_u:object_r:user_home_t      hello
-r--r--r--  jsmith jsmith user_u:object_r:user_home_t      hello.c

And, with it stopped, you’ll see:

ls -Z
-rw-r--r--  jsmith jsmith user_u:object_r:user_home_t:s0   bookmarks.html
drwxr-xr-x  jsmith jsmith user_u:object_r:user_home_t:s0   Desktop
-r-xr-xr-x  jsmith jsmith user_u:object_r:user_home_t:s0   hello
-r--r--r--  jsmith jsmith user_u:object_r:user_home_t:s0   hello.c

Note that with the daemon stopped, the security context value of “s0” is displayed. mctrans translates this to a null display. Other security contexts are translated from alphanumeric values in their names.

Learn more:
http://fedoraproject.org/wiki/SELinux/Understanding
http://danwalsh.livejournal.com

mdmonitor and mdmpd

These two daemons are used with RAID (redundant array of inexpensive/independent disks) data storage systems. Mdmonitor starts, stops, and reloads the mdadm (multipath device monitoring and management) software RAID monitoring and management utilities. You should only run these daemons if you have RAID storage in your system.

Learn more:
http://www.linuxdevcenter.com/pub/a/linux/2002/12/05/RAID.html

messagebus

This is the D-BUS system-wide message bus daemon. This daemon broadcasts notifications of system events and such as changes in the printer queue or the adding and removing of devices. (Note that this is not the same operation as Kudzu, as it can take place while the system is running and not only at boot time.)

Learn more:
http://www.freedesktop.org/software/dbus

netplugd and ifplugd

These daemons configure Ethernet devices when cables are plugged in and deconfigure them when the cables are removes. Why would you want this to happen? It makes sense for laptops so that your network connections are only brought up when their cables are attached.

Note that the development of netplugd has been discontinued in favor of ifplugd.

Learn more:
http://0pointer.de/lennart/projects/ifplugd

NetworkManager and NetworkManagerDispatcher

The NetworkManager daemon automates switching between network connections. This is a useful daemon for laptop users who switch between wireless WiFi connections and Ethernet connections. The NetworkManagerDispatcher daemon automatically runs scripts (including scripts to force any actions that you want to have happen such as setting up specific routes) when NetworkManager changes the network state.

Learn more:
http://www.gnome.org/projects/NetworkManager

named

This daemon is the Domain Name Server. You’ll need to run this daemon only if your system is acting as a DNS server for your network.

Learn more:
http://www.dns.net/dnsrd

nfsd

The nfs daemon supports the nfs communications protocol for file sharing across TCP/IP networks. You’ll want to run this daemon if you make use of file systems shared with nfs.

Learn more:
http://nfs.sourceforge.net

nscd

This is the name service cache daemon. It takes care of group and password lookups for running programs and then caches the lookup results for the next query for services that can experience slowness in picking up changes such as NIS or LDAP. If you’re running these services, you may want to run nscd.

ntpd

This is the Network Time Protocol daemon. This deamon sets and maintains the system time of day by keeping it in synch with Internet standard time servers. If your system is connected to the Internet (and who isn’t?) then running ntpd will keep your system time correct.

Learn more:
http://www.ntp.org

oddjobd

The oddjobd daemon provides the com.redhat.oddjob service on the system-wide message bus. Each facility which oddjobd provides is provided as a separate D-Bus method. oddjobd provides support for unprivileged applications that require privileged operations to be performed.

You should only run this daemon if you are using an application that requires it, such as Conga.

Learn more:
http://people.redhat.com/nalin/oddjob/oddjob.html
http://sourceware.org/cluster/conga

openvpn

This daemon supports virtual private networks (VPNs). The daemon startup script says it all:

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port.

If your system is a node in a VPN, then you’ll probably run OpenVPN.

Learn more:
http://openvpn.net

pcscd

This is the PC/SC Smart Card Daemon. pcscd is the daemon for pcsc-lite (middleware for accessing smart cards) and the (java-based) MuscleCard framework. It enables communications with smart card readers and smart cards.

(A smart card is a card that is embedded with either a memory chip or microprocessor and a memory chip. And Muscle is the Movement for the Use of Smart Cards in a Linux Environment.)

Learn more:
http://www.smartcardalliance.org
http://pcsclite.alioth.debian.org
http://www.linuxnet.com/musclecard/index.html

portmap

The portmapper daemon manages RPC (remote procedure call) connections. It converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers. The most common use of portmapper is by NFS and NIS.

So, if your system relies on NIS or NFS, don’t turn off the portmap daemon.

Learn more:
http://www.linux-nis.org/nis-howto/HOWTO/portmapper.html

postfix

This daemon is a mail transport agent. Unless your system is a mail relay server, you don’t need to run this daemon.

Learn more:
http://www.postfix.org

rdisc

This daemon (the router discovery daemon) discovers routers on the local subnet. It is run at boot time to populate the network routing tables with default routes.

Learn more:
http://www.informit.com/articles/article.asp?p=23951&rl=1

restorecond

This is an SELinux daemon. restorecond watches for file creation (of files listed in /etc/selinux/restorecond.conf) and then ensures that the files have the correct file context associated with the policy, and then sets the default SELinux file context.

Don’t turn this one off. SELinux needs it.

Learn more:
http://fedoraproject.org/wiki/SELinux/Understanding
http://danwalsh.livejournal.com/

rhnsd

This daemon periodically checks for actions that have been scheduled though the Red Hat Network web interface and runs them. This includes actions such as installing, removing, or updating software, rebooting the system, starting a kickstart installation, or installing configuration files.

Learn more:
https://www.redhat.com/rhn/

rpcgssd and rpcidmapd and rpcsvcgssd

The rpcgssd and rpcsvcgssd daemons handle security for RPC. The rpcidmapd maps user names to UID and GID numbers.

If you’re running NFS or NIS, then you should have these daemons running.

Learn more:
http://nfs.sourceforge.net/

readahead_early and readahead_later

The readahead daemon causes the programs used during startup to be loaded into memory before they are needed, to improve startup performance.

saslauthd

This is the SASL authentication server daemon. SASL is the Simple Authentication and Security Layer and allows for adding authentication to connection-based protocols.

Learn more:
http://asg.web.cmu.edu/sasl

sendmail

This is a SMTP (Simple Mail Transfer Protocol) server. sendmail moves mail from one system to another as a Mail Transport Agent. If you run a mail program such as Thunderbird or Evolution, you don’t need to run sendmail.

Learn more:
http://www.sendmail.org

setroubleshoot

This is the SELinux Troubleshooting Daemon. setroubleshooter is one of the great recent additions to SELinux. setroubleshooter provides real-time feedback to users on SELInux AVC denials. And it provides this feedback in a easy to follow format.

Learn more:
https://hosted.fedoraproject.org/projects/setroubleshoot

smartd

This daemon monitors the SMART (Self-Monitoring, Analysis and Reporting Technology) systems included in many types of disk drives, such as SCSI-3 type drives. The daemon will monitor reliability and performs self-tests. You should run this daemon if your hardware supports it.

Learn more:
http://sourceforge.net/projects/smartmontools

spamassassin

This daemon uses the Apache SpamAssassin program to check email for SPAM. It is usually run on a mail deleivery agent (MDA) server. If you use a client program such as Thunderbird or Evolution to access your mail, then you don’t need to run spamassassin.

Learn more:
http://spamassassin.apache.org

sshd

This is the daemon for open ssh. ssh replaces the insecure rsh and rlogin programs and enables encryption for communications between hosts over insecure networks. If you connect with other systems over the public Internet, you want to use ssh and run this daemon.

Learn more:
http://www.ssh.com
http://www.openssh.com

syslog

syslog is the standard logging system for Linux systems. Don’t turn this one off.

Learn more:
http://www.syslog.org

winbind

This daemon is part of the Samba suite and enables Windows domain users to function as Unix users on Unix servers. You may want to run this daemon if you’re dealing with a mixed PC and Linux/Unix network.

Learn more:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
http://www.samba.org

xfs

This damon is the xfs font server. This daemon loads fonts into memory to enable X applications to run faster than if they had to load the fonts from disk. This daemon is worth running to improve application performance.

Learn more:
http://linuxreviews.org/howtos/xfree/xfs

ypbind

This daemon binds NIS clients to an NIS domian. The “yp” refers to “yellow pages,” as the NIS directory of user accounts acts like the telephone book yellow pages. You only want to run this daemon if your system relies on NIS (Network Information Service) for user accounts and system names.

Learn more:
http://www.linux-nis.org

yum-updatesd

yum-updatesd checks for software updates and can send notifications of these updates via mail, dbus, or syslog messages, or can automatically install the updates. The dbus messages are picked up by the “puplet” (package updater), which notifies the user of the updates and lets the user install them.

Learn more:
http://linux.duke.edu/projects/yum
http://www.redhat.com/magazine/024oct06/features/fc62

References

“Which Services Can I Disable?,” Dinkar, Tejas
Linux Services, Devices, and Daemons
Fedora Core 3 Linux Services
Services in Fedora, Mauriat Miranda