Unable to get tftpd working.. please help

I recently tried to get tftpd working, but ran into a number of problems.

I want to lock down the tftp homedir (chroot) to a specific user, tftpd in my example. It seems, however, that no matter what I do, in.tftpd is run as nobody when clients connect:

nobody 8984 188100 16:56:24 ?0:00 /usr/sbin/in.tftpd -s /tftpboot

In addition, I am having permission problems from the client side:

%Error opening tftp://x.x.x.x/test' (Permission denied)

Here is my tftpboot directory:

drwxrwxrwx 2 nobody root 512 Nov 14 16:42 tftpboot//

Within that directory:

-rw-r--r-- 1 nobody root 0 Nov 14 16:59 test

When I chmod 666 that file, it appears to work, but I am at a loss as to why. If in.tftpd is being run as "nobody" then why wouldn't 644 work?

Also, how can I modify the user that in.tftpd is run as?

inetadm shows the following:

SCOPENAME=VALUE

name="tftp"

endpoint_type="dgram"

proto="udp6"

isrpc=FALSE

wait=TRUE

exec="/usr/sbin/in.tftpd -s /tftpboot"

user="root"

Why isn't it being run as "root"? Also, if I change that to "tftpd" it doesn't seem to work, and I have created a user by that ID.

Any help would be appreciated.

Thanks,

[1279 byte] By [ecables@sempraglobal.com] at [2007-11-26 11:29:48]
# 1

What makes you think that the daemon isn't chrooted to the /tftpboot directory?

With the -s flag, tftpd does a setuid to nobody and chroots to /tftpboot.

The daemon is coded to do a setuid to nobody when it starts.

So it has to be run initially as root, so it can change to nobody.

Why do you think it ought to be running as tftp?

It's supposed to run as a different user than the one that owns the directory, so that, for security, it can't write there.

Files in /tftpboot should be owned by a user other than nobody.

If you want a file to be readonly, make it world readable.

If you want it to be read/write make the file world writable.

Your message didn't indicate whether you were trying to get read or write access.

But if you were trying to do a read, then making the files mode 644 should work.

robertcohen at 2007-7-7 3:45:31 > top of Java-index,Solaris Operating System,Solaris 10 Features...
# 2

What I am trying to do is create a somewhat "secure" area for a configuration archive. I do not want /tftpboot to be readable/writeable by any random user, other than what I have specified. The "owner" can be root, that is fine, but I want to limit visibility into /tftpboot using group permissions.

I've set the "sysadmin" group to be able to view the contents of the directory, and used 770 permissions on /tftpboot:

drwxrwx 2 root sysadmin 512 Nov 14 16:42 tftpboot//

With these settings, however, things are not working as expected, and when I attempt to copy to the server via tftp I get this error:

Nov 15 09:55:18 light tftpd[27802]: [ID 352300 daemon.error] tftpd: cannot chroot to directory /tftpboot: Permission denied

So my question(s) are:

1. What should the ownership be on /tftpboot to accomplish this?

2. What should the permissions be? I'd like to limit visibility into the directory; so 770 would be ideal, limiting the membership of the group. I've tried a number of methods, but cannot seem to get it to work unless I use 777 on everything.

Sorry for the lack of clarity in my first message, but hopefully I have cleared things up.

Thanks for your help..

Message was edited by:

ecables@sempraglobal.com

ecables@sempraglobal.com at 2007-7-7 3:45:31
# 3

I don't think that you can do what you're asking for.

The tftpd man page explicitly says as a security measure, tftpd will only serve up world readable or writable files.

To some extent what you're asking makes no sense anyway.

Since the contents of the directory are accessible by tftp, any random user will be able to access them using tftp. So stopping them from accessing the directory directly doesn't really achieve anything.

robertcohen at 2007-7-7 3:45:31
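The rules spelled out in replies #1 and #3 (in.tftpd -s chroots into the directory, drops to "nobody", and then serves a file only if its "other" bits permit it), plus the 770-directory failure from reply #2, can be checked before anyone touches the service. The script below is an added example written for this thread, not code from the posters or from Solaris; it assumes only the standard ls -l mode-string layout (characters 8 to 10 are the "other" bits) and derives every verdict from those bits, so a group such as "sysadmin" never changes the outcome. The directory and file names it builds in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a tftp root the way the posts
# describe in.tftpd -s behaving: after chroot the daemon runs as "nobody", so
# only the "other" permission bits decide what a client can read or write.

# tftp_access MODESTR -> prints what an anonymous "nobody" client can do with a
# file whose ls -l mode string is MODESTR (e.g. -rw-r--r-- gives "read").
tftp_access() {
    others=$(printf '%s' "$1" | cut -c8-10)
    case $others in
        rw*) echo read-write ;;
        r-*) echo read ;;
        -w*) echo write ;;
        *)   echo none ;;
    esac
}

# dir_enterable MODESTR -> returns 0 if the other-execute bit is set (nobody can
# traverse the directory), 1 otherwise. A 770 directory fails here, matching the
# "cannot chroot to directory /tftpboot: Permission denied" symptom in reply #2.
dir_enterable() {
    case $(printf '%s' "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_tftp_root DIR -> prints "NAME ACCESS" for each entry in DIR, where ACCESS
# is what a tftp client could do. Returns 1 (and prints a diagnostic) if the
# directory itself cannot be traversed by nobody, since nothing inside it matters then.
audit_tftp_root() {
    dir=$1
    dmode=$(ls -ld "$dir" | cut -d' ' -f1)
    if ! dir_enterable "$dmode"; then
        echo "$dir: directory mode $dmode is not world-searchable; tftpd cannot serve it" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        fmode=$(ls -ld "$f" | cut -d' ' -f1)
        echo "$(basename "$f") $(tftp_access "$fmode")"
    done
}

# demo: builds a scratch tftpboot (constructed sample, removed afterwards) with one
# file per permission pattern discussed in the thread and audits it.
demo() {
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/tftpboot"
    : > "$tmp/tftpboot/test";   chmod 644 "$tmp/tftpboot/test"    # readable via tftp
    : > "$tmp/tftpboot/config"; chmod 660 "$tmp/tftpboot/config"  # group-only: invisible to tftp
    : > "$tmp/tftpboot/upload"; chmod 666 "$tmp/tftpboot/upload"  # read-write via tftp
    chmod 755 "$tmp/tftpboot"
    audit_tftp_root "$tmp/tftpboot"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the three verdicts, or call audit_tftp_root on a real /tftpboot; a non-zero exit means the directory mode alone will make in.tftpd -s fail, and a "none" verdict on a file means group permissions are hiding it from every tftp client, not just the unwanted ones.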