From owner-freebsd-bugs Thu Sep 14 9:50:13 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id BB65737B42C for ; Thu, 14 Sep 2000 09:50:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id JAA57514; Thu, 14 Sep 2000 09:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by hub.freebsd.org (Postfix) with ESMTP id 6939137B424 for ; Thu, 14 Sep 2000 09:47:37 -0700 (PDT)
Received: (from babolo@localhost) by aaz.links.ru (8.9.3/8.9.3) id UAA14159; Thu, 14 Sep 2000 20:47:36 +0400 (MSD)
Message-Id: <200009141647.UAA14159@aaz.links.ru>
Date: Thu, 14 Sep 2000 20:47:36 +0400 (MSD)
From: "Aleksandr A. Babaylov"
Reply-To: .@babolo.ru
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/21268: tftpd security improvement
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 21268
>Category: bin
>Synopsis: user set no nobody is not good
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 14 09:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Aleksandr A. Babaylov
>Release: FreeBSD 4.1-STABLE i386
>Organization: home
>Environment:
FreeBSD with tftpd service configured in
>Description:
tftpd with the -s flag always changes the user to nobody. So every file written by tftpd must be world writable (or worse, have user id nobody).

Changing the user to some other one helps: the files written by tftpd can belong to some specific user (a pseudo-user) and not be writable by everyone.

I understand that such a configuration hides the fact that files written by tftpd are world writable if tftpd is not wrapped. But when access to tftpd is restricted, for example, only to your Cisco router, and access to the Cisco router is restricted too, then the overall security of the system will be higher if the tftpd user is not set to nobody.

Another thing: the size of a file written by a Cisco router is restricted by the memory of the router. Similarly for read restrictions.
>How-To-Repeat:
See /usr/src/libexec/tftpd
>Fix:
--- libexec/tftpd/tftpd.c Sat Aug 28 04:10:26 1999 +++ libexec/tftpd/tftpd.c Tue Sep 12 21:34:52 2000 @@ -121,9 +121,10 @@ struct sockaddr_in sin; char *chroot_dir = NULL; struct passwd *nobody; + char *chuser = "nobody"; openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_FTP); - while ((ch = getopt(argc, argv, "lns:")) != -1) { + while ((ch = getopt(argc, argv, "lns:u:")) != -1) { switch (ch) { case 'l': logging = 1; 
@@ -134,6 +135,9 @@ case 's': chroot_dir = optarg; break; + case 'u': + chuser = optarg; + break; default: syslog(LOG_WARNING, "ignoring unknown option -%c", ch); } @@ -226,8 +230,8 @@ */ if (chroot_dir) { /* Must get this before chroot because /etc might go away */ - if ((nobody = getpwnam("nobody")) == NULL) { - syslog(LOG_ERR, "nobody: no such user"); + if ((nobody = getpwnam(chuser)) == NULL) { + syslog(LOG_ERR, "%s: no such user", chuser); exit(1); } if (chroot(chroot_dir)) { --- tftpd.8 Sun Aug 29 03:08:19 1999 +++ tftpd.8 Thu Sep 14 19:54:52 2000 @@ -44,6 +44,7 @@ .Op Fl l .Op Fl n .Op Fl s Ar directory +.Op Fl u Ar user .Op Ar directory ... .Sh DESCRIPTION .Nm Tftpd @@ -100,7 +101,9 @@ .Nm as root. However, if you chroot, then .Nm -will set its user id to nobody. +will set its user id to nobody or +.Fl u +argument. .Pp The options are: .Bl -tag -width Ds @@ -119,7 +122,12 @@ to chroot to .Pa directory before accepting commands. In addition, the user id is set to -nobody. +nobody or argument of +.Fl u . +.It Fl u Ar user +User name instead of nobody if +.Fl s +used. .Pp If you are not running .Fl s ,
>Release-Note:
>Audit-Trail:
>Unformatted:
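
Review bot: In the tftpd.c option-parsing hunk (`case 'u':`), a `-u user` given without `-s` is accepted and then silently ignored, because `chuser` is only read inside `if (chroot_dir)` in the later hunk. Suggest a `syslog(LOG_WARNING, ...)` after the getopt loop when `-u` was seen and `chroot_dir` is still NULL, so an administrator who passes only `-u` is not left believing the server runs as that user.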
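
Review bot: In the tftpd.c hunk that replaces `getpwnam("nobody")` with `getpwnam(chuser)`, the lookup result is not checked for `pw_uid == 0`, so `-u root` (or any other uid-0 account) leaves the chrooted server with root's user id and the privilege drop does nothing. Suggest rejecting a zero `pw_uid` with `syslog(LOG_ERR, ...)` and `exit(1)` right after the lookup. The variable `struct passwd *nobody` from the first hunk also no longer always refers to nobody; a neutral name such as `pw` would read better.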
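
Review bot: In the tftpd.8 DESCRIPTION hunk (`@@ -100,7 +101,9 @@`), the new text "nobody or `.Fl u` argument" does not say which of the two applies or that nobody stays the default. Suggest wording such as "will set its user id to that of the user given with `.Fl u`, or to nobody if `.Fl u` is not given".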
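
Review bot: In the last tftpd.8 hunk (`@@ -119,7 +122,12 @@`), the new `.It Fl u Ar user` entry is inserted between the `-s` description and the `.Pp If you are not running .Fl s ,` paragraph that continues it, so that paragraph now renders under the `-u` entry. Suggest moving the `.It Fl u Ar user` block to after the end of that paragraph, and having it state that the option has no effect unless `.Fl s` is given and that the default is nobody.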