From owner-freebsd-questions Wed Oct 23 13:16:31 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C2D5137B401 for ; Wed, 23 Oct 2002 13:16:29 -0700 (PDT)
Received: from obsecurity.dyndns.org (adsl-64-165-226-88.dsl.lsan03.pacbell.net [64.165.226.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 311DF43E42 for ; Wed, 23 Oct 2002 13:16:29 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8872666C7B; Wed, 23 Oct 2002 13:16:28 -0700 (PDT)
Date: Wed, 23 Oct 2002 13:16:28 -0700
From: Kris Kennaway
To: Feng Li
Cc: Kris Kennaway, freebsd-questions@FreeBSD.ORG
Subject: Re: Is there any info about this type tftp daemon ?
Message-ID: <20021023201628.GA21755@xor.obsecurity.org>
References: <20021023112945.5E51.FENGLI@kddia.com> <20021023165650.GD15601@xor.obsecurity.org> <20021023141031.5E59.FENGLI@kddia.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="6TrnltStXW4iwmi0"
Content-Disposition: inline
In-Reply-To: <20021023141031.5E59.FENGLI@kddia.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Oct 23, 2002 at 02:23:03PM -0400, Feng Li wrote:
> 1) About the behavior of the tftp daemon on FreeBSD: I made a
> subdirectory under /usr/tftpboot and changed its mode to 777,
> then I tried to send a file from one of our routers, but I
> got the following error message:

Actually, reading the manpage confirms what you are seeing:

     The use of tftp(1) does not require an account or password on the remote
     system.  Due to the lack of authentication information, tftpd will allow
     only publicly readable files to be accessed.  Files containing the string
     ``/../'' or starting with ``../'' are not allowed.  Files may be written
     only if they already exist and are publicly writable.  Note that this
     extends the concept of ``public'' to include all users on all hosts that
     can be reached through the network; this may not be appropriate on all
     systems, and its implications should be considered before enabling tftp
     service.  The server should have the user ID with the lowest possible
     privilege.

I don't think there is a way to do what you want.  Perhaps you can take
a step back and tell us why you are trying to do this.

> 2) About the security hole issue: if we use this TFTP server in-house
> and configure it to accept TFTP files from only specified hosts,
> could we minimize the risk?

This reduces the risk, yes.

Kris

--6TrnltStXW4iwmi0
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9twObWry0BWjoQKURAu1dAKDqBKihJUhunRJL1b543tF52eSsrgCgzaEn
vmnY2ec7PqF67j891m4l3h4=
=10Tu
-----END PGP SIGNATURE-----

--6TrnltStXW4iwmi0--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
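The access rules Kris quotes from the tftpd manpage explain the failure in the first question: a world-writable directory is not enough, because tftpd only accepts a write to a file that already exists and is itself publicly writable, and it refuses any name containing "/../" or starting with "../". The following is an added Python model of those rules written for this archive page; it is not FreeBSD's tftpd source and does not speak TFTP. The function names (check_request, path_is_allowed, demo) are my own, and the sample tree it builds under a temporary "tftpboot" root is constructed to reproduce the setup described in the thread (a mode-777 subdirectory with no pre-existing file).

```python
import os
import shutil
import stat
import tempfile


def path_is_allowed(name):
    """Reject the two path patterns the manpage names: any '/../'
    component, or a name that starts with '../'."""
    return "/../" not in name and not name.startswith("../")


def check_request(root, name, op):
    """Model tftpd's publish-only policy for one request.

    root: the tftp root directory (/usr/tftpboot in the thread).
    name: the filename as sent by the client.
    op:   'RRQ' (read) or 'WRQ' (write).

    Returns (allowed, reason). Reads need a world-readable regular
    file; writes need a pre-existing, world-writable regular file.
    """
    if op not in ("RRQ", "WRQ"):
        return False, "unknown opcode"
    if not path_is_allowed(name):
        return False, "path contains a '..' component"

    # Requests are resolved relative to the root, never as absolute paths.
    full = os.path.join(root, name.lstrip("/"))
    try:
        st = os.stat(full)
    except FileNotFoundError:
        # This is the case from the thread: a new upload into a 777
        # directory is refused because no file exists to overwrite.
        return False, "file does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"

    if op == "RRQ":
        if st.st_mode & stat.S_IROTH:
            return True, "read allowed: world-readable"
        return False, "read denied: not world-readable"

    if st.st_mode & stat.S_IWOTH:
        return True, "write allowed: existing world-writable file"
    return False, "write denied: file not world-writable"


def demo():
    """Build a constructed tftpboot tree and evaluate representative
    requests against the policy. Returns a dict of request -> allowed."""
    root = tempfile.mkdtemp(prefix="tftpboot-")
    try:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        os.chmod(sub, 0o777)  # the 777 subdirectory from the thread

        # A file pre-created by the administrator and made world-writable:
        # the only way a TFTP client can get an upload accepted.
        existing = os.path.join(sub, "existing.cfg")
        with open(existing, "w") as f:
            f.write("placeholder\n")
        os.chmod(existing, 0o666)

        # A file that is not public: tftpd will not serve it.
        private = os.path.join(root, "private.cfg")
        with open(private, "w") as f:
            f.write("not for tftp\n")
        os.chmod(private, 0o600)

        return {
            "upload_new": check_request(root, "sub/new.cfg", "WRQ")[0],
            "upload_existing": check_request(root, "sub/existing.cfg", "WRQ")[0],
            "read_private": check_request(root, "private.cfg", "RRQ")[0],
            "read_existing": check_request(root, "sub/existing.cfg", "RRQ")[0],
            "traversal": check_request(root, "../etc/passwd", "RRQ")[0],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:16s} {'allowed' if allowed else 'denied'}")
```

Running demo() shows the asymmetry the manpage describes: "upload_new" is denied even though the directory is 777, "upload_existing" is allowed only because a world-writable file was placed there in advance, "read_private" is denied for a mode-600 file, and the "../" name is rejected before the filesystem is consulted. Restricting which hosts may reach the service, as in the second question, narrows who can exercise these rules but does not change them, which is why a world-writable target file remains the thing to keep an eye on.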