Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 23 Oct 2002 13:16:28 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Feng Li <fengli@kddia.com>
Cc:        Kris Kennaway <kris@obsecurity.org>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Is there any info about this type tftp daemon ?
Message-ID:  <20021023201628.GA21755@xor.obsecurity.org>
In-Reply-To: <20021023141031.5E59.FENGLI@kddia.com>
References:  <20021023112945.5E51.FENGLI@kddia.com> <20021023165650.GD15601@xor.obsecurity.org> <20021023141031.5E59.FENGLI@kddia.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On Wed, Oct 23, 2002 at 02:23:03PM -0400, Feng Li wrote:

> 1)About the behvior for the tftp daemon on FreeBSD, I made a
>   sub directory under /usr/tftpboot, and change its mode to 777,
>   the I tried to send a file from one of our router, but I
>   got the following error message:

Actually, reading the manpage confirms what you are seeing:

     The use of tftp(1) does not require an account or password on the remote
     system.  Due to the lack of authentication information, tftpd will allow
     only publicly readable files to be accessed.  Files containing the string
     ``/../'' or starting with ``../'' are not allowed.  Files may be written
     only if they already exist and are publicly writable.  Note that this
     extends the concept of ``public'' to include all users on all hosts that
     can be reached through the network; this may not be appropriate on all
     systems, and its implications should be considered before enabling tftp
     service.  The server should have the user ID with the lowest possible
     privilege.

I don't think there is a way to do what you want.  Perhaps you can
take a step back and tell us why you are trying to do this.

> 2)About the security hole issue, if we use this TFTP server for in-house,
>   and configure it to accept the TFTP file from only specifed hosts,
>   could we minimum the risk ?

This reduces the risk, yes.

Kris

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9twObWry0BWjoQKURAu1dAKDqBKihJUhunRJL1b543tF52eSsrgCgzaEn
vmnY2ec7PqF67j891m4l3h4=
=10Tu
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021023201628.GA21755>