From owner-freebsd-bugs Mon Apr 15 17:20:04 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA19674 for bugs-outgoing; Mon, 15 Apr 1996 17:20:04 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA19654 Mon, 15 Apr 1996 17:20:03 -0700 (PDT)
Resent-Date: Mon, 15 Apr 1996 17:20:03 -0700 (PDT)
Resent-Message-Id: <199604160020.RAA19654@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, imp@village.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA19235 for ; Mon, 15 Apr 1996 17:10:01 -0700 (PDT)
Received: (from imp@localhost) by rover.village.org (8.7.5/8.6.6) id SAA02721; Mon, 15 Apr 1996 18:09:36 -0600 (MDT)
Message-Id: <199604160009.SAA02721@rover.village.org>
Date: Mon, 15 Apr 1996 18:09:36 -0600 (MDT)
From: Warner Losh
Reply-To: imp@village.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1145: tftpd should support -s
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1145
>Category: bin
>Synopsis: tftpd should support -s
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 15 17:20:01 PDT 1996
>Last-Modified:
>Originator: Warner Losh
>Organization: The village
>Release: FreeBSD 2.1.0-RELEASE i386
>Environment:
>Description: tftpd doesn't support -s.
>How-To-Repeat:
>Fix: Apply the following patch:

Index: tftpd.8 =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/libexec/tftpd/tftpd.8,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 tftpd.8 --- tftpd.8 1994/05/27 12:39:25 1.1.1.1 +++ tftpd.8 1996/04/15 23:56:55 
@@ -42,6 +42,7 @@ .Nm tftpd .Op Fl l .Op Fl n +.Op Fl s Ar directory .Op Ar directory ... .Sh DESCRIPTION .Nm Tftpd @@ -87,6 +88,15 @@ The given directories are also treated as a search path for relative filename requests. .Pp +The chroot option provides additional security by restricting access +of tftpd to only a chroot'd file system. This is useful when moving +from an OS that supported +.Nm -s +as a boot server. Because chroot is restricted to root, you must run +tftpd as root. However, if you chroot, then +.Nm tftpd +will set its user id to nobody. +.Pp The options are: .Bl -tag -width Ds .It Fl l @@ -95,6 +105,11 @@ .It Fl n Suppresses negative acknowledgement of requests for nonexistent relative filenames. +.It Fl s Ar directory +Causes tftpd to chroot to +.Pa directory +before accepting commands. In addition, the user id is set to +nobody. .El .Sh SEE ALSO .Xr tftp 1 , Index: tftpd.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/libexec/tftpd/tftpd.c,v retrieving revision 1.2 diff -u -r1.2 tftpd.c --- tftpd.c 1995/02/26 23:28:00 1.2 +++ tftpd.c 1996/04/15 23:38:57 @@ -113,9 +113,10 @@ register int n; int ch, on; struct sockaddr_in sin; + char *chroot_dir = NULL; openlog("tftpd", LOG_PID, LOG_FTP); - while ((ch = getopt(argc, argv, "ln")) != EOF) { + while ((ch = getopt(argc, argv, "lns:")) != EOF) { switch (ch) { case 'l': logging = 1; @@ -123,10 +124,26 @@ case 'n': suppress_naks = 1; break; + case 's': + chroot_dir = optarg; + break; default: syslog(LOG_WARNING, "ignoring unknown option -%c", ch); } } + + if (chroot_dir) { + if (getuid()) + syslog(LOG_WARNING, "-s works only when run as root"); + else { + if (chroot(chroot_dir)) + syslog(LOG_ERR, "chroot: %s", + strerror(errno)); + chdir( "/" ); + setuid( 32767 ); /* Revert to running as nobody */ + } + } + if (optind < argc) { struct dirlist *dirp; 
@@ -139,6 +156,14 @@ dirp++; } } + } + /* Only allow no d */ + else if (chroot_dir) { + dirs->name = "/"; + dirs->len = 1; + } + else { + syslog(LOG_WARNING, "Access to theentire system graned"); } on = 1; >Audit-Trail: >Unformatted:
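
Review bot: In tftpd.8, hunk @@ -87,6 +88,15 @@, the added line ".Nm -s" uses the name macro for a flag, so "-s" is typeset as if it were a utility name; write it as ".Nm tftpd" followed by ".Fl s". The same paragraph says "you must run tftpd as root", but the tftpd.c change only logs a warning and keeps serving when getuid() is nonzero, so the manual and the code should be made to agree.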
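
Review bot: In tftpd.8, hunk @@ -95,6 +105,11 @@, the new ".It Fl s Ar directory" entry does not say how the trailing directory arguments are interpreted once the root has changed. tftpd.c still reaches the "if (optind < argc)" directory list after the chroot block, so those paths are resolved inside the new root; state that here, and state that with no directory arguments the whole chroot tree is served.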
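
Review bot: In tftpd.c, hunk @@ -123,10 +124,26 @@, both failure paths of the new "if (chroot_dir)" block fail open: when getuid() is nonzero, or when chroot(chroot_dir) returns an error, the code only calls syslog() and goes on to serve requests outside the directory the administrator asked for. Log and exit in both cases. The return values of chdir( "/" ) and setuid( 32767 ) are ignored as well, so a failed setuid() leaves the daemon running as root; check both and exit on failure. The literal 32767 should come from getpwnam("nobody") rather than being hard-coded, and since only the user id is changed here, the group id and supplementary groups should be dropped with setgid() and setgroups() before the setuid() call.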
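
Review bot: In tftpd.c, hunk @@ -139,6 +156,14 @@, "else if (chroot_dir)" tests whether -s was given, not whether chroot() actually succeeded, so after a skipped or failed chroot the assignment dirs->name = "/" names the real root directory. Key this branch off a flag that is set only after a successful chroot(), or make the earlier block exit on failure so this point is never reached unconfined. The comment "/* Only allow no d */" is cut off and should say what it means, and the log string "Access to theentire system graned" needs "the entire" and "granted".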