From: Feng Li
To: Kris Kennaway
Cc: freebsd-questions@FreeBSD.ORG
Date: Wed, 23 Oct 2002 14:23:03 -0400
Subject: Re: Is there any info about this type tftp daemon ?

Dear Kris

1) About the behavior of the tftp daemon on FreeBSD: I made a subdirectory under /usr/tftpboot and changed its mode to 777, then I tried to send a file from one of our routers, but I got the following error message:

telnet@serverIr10-05#copy run tftp 210.139.136.8 new/aaa
telnet@serverIr10-05#TFTP: received error request -- code 1 message File not found
Error - can't upload running-config to TFTP server.
telnet@serverIr10-05#

After I put an empty file aaa under directory new and changed its permission to 666, the same command was done OK.

telnet@serverIr10-05#copy run tftp 209.137.136.8 new/aaa
telnet@serverIr10-05#Upload running-config to TFTP server done.

So I think the issue is not the write permission; the issue is that the TFTP daemon wants to check whether the same file name exists or not. In other words, the target file should exist before you send the real file to the TFTP server; the TFTP server seems to like to overwrite, but not to create new files ....

2) About the security hole issue: if we use this TFTP server in-house, and configure it to accept TFTP files from only specified hosts, could we minimize the risk?

Thanks,
Feng

> On Wed, Oct 23, 2002 at 11:32:51AM -0400, Feng Li wrote:
> >
> > Hi, Friends
> >
> > I am a FreeBSD OS user. I am using one FreeBSD box as
> > my TFTP server. But with an inconvenient problem:
> >
> > Every time, before I send a file to this server, I have
> > to do the following process on this server:
> >
> > /usr/tftpboot# touch xxxx-config
> > /usr/tftpboot# chmod 666 xxxx-config
> >
> > I hope to omit this process, so if anyone knows where I can get
> > a TFTP daemon which can allow me to omit above inconvenience ?
>
> This indicates the tftpd daemon does not have write permission to
> /usr/tftpboot. This is of course a potential security hole because
> tftp does not authenticate, so you're giving everyone who can connect
> to your tftpd the permission to write/overwrite files into that
> directory.
>
> Kris
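Added example, not part of the original thread and not FreeBSD's tftpd source: a small C model of the write-request rule documented for the classic BSD tftpd (a file may be written only if it already exists and is publicly writable), showing why a missing target yields TFTP error code 1 even in a mode-777 directory. The names check_wrq and make_file and the /tmp path are hypothetical; the error numbers are those of RFC 1350.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* TFTP error codes from RFC 1350; 0 means the write request is accepted. */
enum { TFTP_OK = 0, TFTP_ENOTFOUND = 1, TFTP_EACCESS = 2 };

/* Hypothetical helper modelling the WRQ check; not FreeBSD's source. */
int check_wrq(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)                  /* target must already exist */
        return errno == ENOENT ? TFTP_ENOTFOUND : TFTP_EACCESS;
    if (!(st.st_mode & S_IWOTH))              /* and be world-writable */
        return TFTP_EACCESS;
    int fd = open(path, O_WRONLY | O_TRUNC);  /* no O_CREAT: overwrite only */
    if (fd < 0)
        return TFTP_EACCESS;
    close(fd);
    return TFTP_OK;
}

/* Create `path` with exactly `mode`; chmod sidesteps the umask. */
int make_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);
}

int main(void)
{
    char dir[] = "/tmp/tftpdemoXXXXXX", path[64];  /* constructed sample dir */
    if (!mkdtemp(dir))
        return 1;
    snprintf(path, sizeof path, "%s/aaa", dir);
    printf("no file:   %d\n", check_wrq(path));
    make_file(path, 0644);
    printf("mode 0644: %d\n", check_wrq(path));
    make_file(path, 0666);
    printf("mode 0666: %d\n", check_wrq(path));
    unlink(path);
    return rmdir(dir) ? 1 : 0;
}
```

Because the daemon never creates files under this rule, the set of names an unauthenticated client can overwrite is limited to the files an administrator has pre-created as world-writable.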