diff options
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/tftpd/tftpd.8 | 73 | ||||
-rw-r--r-- | libexec/tftpd/tftpd.c | 10 |
2 files changed, 55 insertions, 28 deletions
diff --git a/libexec/tftpd/tftpd.8 b/libexec/tftpd/tftpd.8 index 1309ac6976e1..2af0ee469582 100644 --- a/libexec/tftpd/tftpd.8 +++ b/libexec/tftpd/tftpd.8 @@ -41,16 +41,16 @@ Internet Trivial File Transfer Protocol server .Sh SYNOPSIS .Nm /usr/libexec/tftpd -.Op Fl l -.Op Fl n +.Op Fl ln .Op Fl s Ar directory +.Op Fl u Ar user .Op Ar directory ... .Sh DESCRIPTION .Nm Tftpd is a server which supports the Internet Trivial File Transfer -Protocol (\c -.Tn RFC 783). +Protocol +.Pq Tn RFC 1350 . The .Tn TFTP server operates @@ -90,25 +90,39 @@ names are prefixed by the one of the given directories. The given directories are also treated as a search path for relative filename requests. .Pp -The chroot option provides additional security by restricting access -of -.Nm -to only a chroot'd file system. This is useful when moving -from an OS that supported +The .Fl s -as a boot server. Because chroot is restricted to root, you must run +option provides additional security by changing +.Nm tftpd Ns No 's +root directory, thereby prohibiting accesses outside of the specified +.Ar directory . +Because +.Xr chroot 2 +requires super-user privileges, .Nm -as root. However, if you chroot, then +must be run as root. +However, after performing the +.Fn chroot , .Nm -will set its user id to nobody. +will set its user id to that of the specified +.Ar user , +or +.Dq nobody +if no +.Fl u +option is specified. .Pp The options are: .Bl -tag -width Ds .It Fl l Log all requests using .Xr syslog 3 -with the facility of LOG_FTP. Note: Logging of LOG_FTP messages -will also need to be enabled in the syslog configuration file +with the facility of +.Dv LOG_FTP . +Note: Logging of +.Dv LOG_FTP +messages +must also be enabled in the syslog configuration file, .Xr syslog.conf 5 . .It Fl n Suppress negative acknowledgement of requests for nonexistent @@ -116,23 +130,32 @@ relative filenames. .It Fl s Ar directory Cause .Nm -to chroot to -.Pa directory -before accepting commands. In addition, the user id is set to -nobody. -.Pp -If you are not running -.Fl s , -no user id change will be -attempted. You should not run +to change its root directory to +.Pa directory . +After changing roots but before accepting commands, .Nm -as root unless you are using -.Fl s . +will switch credentials to an unprivileged user. +.It Fl u Ar user +Switch credentials to +.Ar user +(default +.Dq nobody ) +when the +.Fl s +option is used. +The user must be specified by name, not a numeric UID. .El .Sh SEE ALSO .Xr tftp 1 , +.Xr chroot 2 , .Xr inetd 8 , .Xr syslogd 8 +.Rs +.%A K. R. Sollins +.%T The TFTP Protocol (Revision 2) +.%D July 1992 +.%O RFC 1350, STD 33 +.Re .Sh HISTORY The .Nm diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c index 07475a45e852..56c6c028b19c 100644 --- a/libexec/tftpd/tftpd.c +++ b/libexec/tftpd/tftpd.c @@ -121,9 +121,10 @@ main(argc, argv) struct sockaddr_in sin; char *chroot_dir = NULL; struct passwd *nobody; + char *chuser = "nobody"; openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_FTP); - while ((ch = getopt(argc, argv, "lns:")) != -1) { + while ((ch = getopt(argc, argv, "lns:u:")) != -1) { switch (ch) { case 'l': logging = 1; @@ -134,6 +135,9 @@ main(argc, argv) case 's': chroot_dir = optarg; break; + case 'u': + chuser = optarg; + break; default: syslog(LOG_WARNING, "ignoring unknown option -%c", ch); } @@ -226,8 +230,8 @@ main(argc, argv) */ if (chroot_dir) { /* Must get this before chroot because /etc might go away */ - if ((nobody = getpwnam("nobody")) == NULL) { - syslog(LOG_ERR, "nobody: no such user"); + if ((nobody = getpwnam(chuser)) == NULL) { + syslog(LOG_ERR, "%s: no such user", chuser); exit(1); } if (chroot(chroot_dir)) { |