Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 14 Sep 2000 20:47:36 +0400 (MSD)
From:      "Aleksandr A. Babaylov" <babolo@links.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/21268: tftpd security improvement
Message-ID:  <200009141647.UAA14159@aaz.links.ru>

next in thread | raw e-mail | index | archive | help

>Number:         21268
>Category:       bin
>Synopsis:       user set no nobody is not good
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 14 09:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Aleksandr A. Babaylov
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
home
>Environment:

FreeBSD with tftpd service configured in

>Description:
tftpd with -s flag always change user to nobody.
So every file write by tftpd must be world writable
(or worse - have user id nobody)
Change user to some another helps - you can have files for write
by tftpd belongs to some specific user (psevdouser) and be not writable
by everyone.
I understand, that such a configuration hide a fact that files
to write by tftpd are world writable, if tftpd is not wrapped.
But when access to tftpd restricted by for example only to
your cisco router, and access to cisco router is restricted too
then overall security of system will be higher if tftpd user set
not to nobody.
Another thing - size of file written by cisco router restricted
by memory of router.
Similar for read restrictions.


>How-To-Repeat:

See /usr/src/libexec/tftpd

>Fix:

--- libexec/tftpd/tftpd.c	Sat Aug 28 04:10:26 1999
+++ libexec/tftpd/tftpd.c	Tue Sep 12 21:34:52 2000
@@ -121,9 +121,10 @@
 	struct sockaddr_in sin;
 	char *chroot_dir = NULL;
 	struct passwd *nobody;
+	char *chuser = "nobody";
 
 	openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
-	while ((ch = getopt(argc, argv, "lns:")) != -1) {
+	while ((ch = getopt(argc, argv, "lns:u:")) != -1) {
 		switch (ch) {
 		case 'l':
 			logging = 1;
@@ -134,6 +135,9 @@
 		case 's':
 			chroot_dir = optarg;
 			break;
+		case 'u':
+			chuser = optarg;
+			break;
 		default:
 			syslog(LOG_WARNING, "ignoring unknown option -%c", ch);
 		}
@@ -226,8 +230,8 @@
 	 */
 	if (chroot_dir) {
 		/* Must get this before chroot because /etc might go away */
-		if ((nobody = getpwnam("nobody")) == NULL) {
-			syslog(LOG_ERR, "nobody: no such user");
+		if ((nobody = getpwnam(chuser)) == NULL) {
+			syslog(LOG_ERR, "%s: no such user", chuser);
 			exit(1);
 		}
 		if (chroot(chroot_dir)) {
--- tftpd.8	Sun Aug 29 03:08:19 1999
+++ tftpd.8	Thu Sep 14 19:54:52 2000
@@ -44,6 +44,7 @@
 .Op Fl l
 .Op Fl n
 .Op Fl s Ar directory
+.Op Fl u Ar user
 .Op Ar directory ...
 .Sh DESCRIPTION
 .Nm Tftpd
@@ -100,7 +101,9 @@
 .Nm
 as root.  However, if you chroot, then
 .Nm
-will set its user id to nobody.
+will set its user id to nobody or
+.Fl u
+argument.
 .Pp
 The options are:
 .Bl -tag -width Ds
@@ -119,7 +122,12 @@
 to chroot to
 .Pa directory
 before accepting commands.  In addition, the user id is set to
-nobody.
+nobody or argument of
+.Fl u .
+.It Fl u Ar user
+User name instead of nobody if
+.Fl s
+used.
 .Pp
 If you are not running
 .Fl s ,

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009141647.UAA14159>