Skip to main content

On Running tftpd (in.tftpd) as a Non-root User (DEPRECATED)

The preferred way of securing tftpd is to use the tftp SELinux targeted policy module. This post is now of historic interest only, I have SELinux enabled, using the targeted policy in enforcing mode. That is the right way of doing things.

On RHEL systems, tftpd is started from xinetd as a root user. The configuration is stored in /etc/xinetd.d/tftp. You may wish to run it as a different user for security purposes.  Let's assume that the tftpd user has been created, with login directory set accordingly to /tftpboot.

There are two ways you could try to set tftpd to run as non-root, and only one of them works. You may try to change the user entry in the xinetd configuration file. This will fail when in.tftpd tries to set its supplementary group to nobody, thus -- if you strace -- the following call fails:
[pid 16429] setgroups32(1, [99]) = -1 EPERM (Operation not permitted)

Instead, you should add the -u parameter to the tftpd's command line in its xinetd config file.
server_args = -s /tftpboot -u tftpd -v
where tftpd should be replaced with whatever username you chose for tftpd. That way in.tftpd changes its effective user upon startup.

If you don't want the files served by tftpd to be visible by unprivileged users from the local host (say, if tftpd serves to devices on an isolated, secure network), you should make the /tftpboot directory not world-readable (# chmod o-rwx /tftpboot). Do not change permissions on the files in that directory, though: in.tftpd insists that they be world-readable. This makes sense, since -- in a way -- they do become world-readable via in.tftpd, and the latter doesn't know what other restrictions there may be in place due to network architecture. The files should also be owned by root, that way you can control write access by granting it to others: in this case only the tftpd user will be able to access them anyway, do to permissions on the /tftpboot directory. Remember: tftpd offers no protections from unauthorized access. It is up to your firewall and network architecture to limit access as appropriate.

You can strace a running xinetd process and all its children like so:
# strace -p $(ps -o pid= -C xinetd) -fF

Comments

Popular posts from this blog

Both INCLUDEPATH and DEPENDPATH are usually needed in qmake .pro project files.

qmake, the build tool provided with the Qt toolkit, converts project files written in its own mini-language to platform-specific Makefiles.

This process includes adding necessary dependencies to the Makefile, so that changes in source files trigger rebuilding of the outputs that depend on said sources.

If your project is spread across directories, you'll likely add an INCLUDEPATH line to your .pro file so that the #include directives look sane -- say #include "library/foo.h" instead of #include "../library/foo.h". This can be done by adding INCLUDEPATH += "../" to the .pro project file.

This, by itself, doesn't cause the files in include directories to be treated as dependencies. This is a sane default, since you likely don't want to rebuild your whole project if a system library changes -- assuming, of course, that the library is meant to stay binary compatible between releases!

Thus, if any of your source files references a file from somewhe…

Asterisk 1.8 with SELinux on RHEL 6 / CentOS 6

Asterisk 1.8 is the current long term support (LTS) version of Asterisk. You can find it in the atrpms repository. Using atrpms requires a bit of ingenuity, since you must enable yum priorities. Here's how I've set up my yum priorities and excludes to play well with RHEL (lower priority is higher):

# /etc/yum/pluginconf.d/rhnplugin.conf
priority = 9

# files in /etc/yum/repos.d - current samba and subversion override those of RHEL
sernet-samba - 5
wandisco - 6
rhnplugin - 9
centos-base - 20, includepkgs=xfs* fftw-* glpk-* dell-firmware-repository - 30 dell-omsa-repository - 30 rpmforge-repo - 50, exclude=hdf5*
epel - 60, exclude=dahdi* atrpms - 70
I'm using a bunch of non-redhat packages, including Asterisk, recent subversion, octave, xfs tools, and Dell server management tools.

For Asterisk proper, I'm running an AGI caller id script, and a fax receiving script. The fax script uses cups to print. Those scripts require exceptions to the targeted SELinux policy. Note that the polic…

Details of Migrating Zimbra 6 to Zimbra 8

I have a small Zimbra system that needed to be migrated from 6.0 to 8.0. Generally:
You must update to 6.0.16 on the source system. The account export functionality is broken in versions prior to 6.0.15 and will fail on some accounts.Start with a fresh 8.0 install. On a small system (dozens of users), that seems like the simplest option.Keep the 6.0 system running. Use the migration wizard in 8.0's admin console (Tools & Migration -> Account Migration) to move over account records only.
Set "type of mail server" to Zimbra Collaboration Suite. Set "would you like to import mail" to No.Import from another Zimbra LDAP directory.Set the LDAP Search Base to "dc=foo,dc=com" where foo.com would be your domain. This saves work on manually moving accounts between systems.
To move account contents and filter settings between servers, you can do the following on the source server:
su - zimbra
ACCT=user@foo.com      # account to move
DEST=root@destination  # ss…