[4202] in bugtraq
Re: [linux-security] Re: tftpd bug (was: "Secure" tftpd source
daemon@ATHENA.MIT.EDU (Warner Losh)
Mon Mar 24 17:11:44 1997
Date: Mon, 24 Mar 1997 14:06:19 -0700
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To: Alex Belits <abelits@phobos.illtel.denver.co.us>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 24 Mar 1997 02:40:42 CST."
<Pine.SUN.3.94.970324024042.15592A@dfw.dfw.net>
In message <Pine.SUN.3.94.970324024042.15592A@dfw.dfw.net> Aleph One writes:
: tftpd in FreeBSD distribution uses chroot() and sets its uid to nobody.
: I don't think it does anything reasonable with groups.

FreeBSD's inherits the groups from the calling process, which is
inetd. I don't know if this is reasonable or not, but I think that it
means that the group will be daemon. tftpd doesn't do anything with
groups.

tftpd only does the chroot if you give it the -s flag.

: FreeBSD tftpd compiles with command line:
:
: gcc -O -DLOG_FTP=LOG_DAEMON -o tftpd tftpd.c tftpsubs.c
:
: and works fine if -ls /tftpboot is added as options to its command line.
: Otherwise it only checks file permissions without even trying to become
: "nobody" and thus opens hole for non-executable directories (even if
: directory is non-executable for anyone but root, files in it will be
: accessible). Also it's necessary to hardlink /dev/log under chroot
: directory to keep logging functional.

The openlog happens before any chroot code, so that you don't need a
/dev/log in your chrooted env. When you don't run tftpd in secure
mode, it is supposed to be run as nobody by inetd. The default
inetd.conf file that ships with FreeBSD is set up this way. I don't
think that the files will be accessible in this case. What am I
missing here?

Warner
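
Added example, not part of the original message and not FreeBSD's tftpd source: the order of operations this thread turns on, in C. It opens the log before the chroot, replaces the groups inherited from the parent (inetd in the thread) before giving up root, and drops the uid last. The function name `enter_jail`, the program name and the step numbering are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 on success, or a negative step number
 * naming the call that failed so the caller can log it and exit. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    /* LOG_NDELAY connects to the log socket now, while /dev/log is still
     * reachable. Without it the connection is made at the first syslog()
     * call, which would be after the chroot. */
    openlog("tftpd-example", LOG_PID | LOG_NDELAY, LOG_DAEMON);

    if (chroot(root) != 0)       return -1;
    if (chdir("/") != 0)         return -2;  /* no working directory outside the jail */

    /* Replace the supplementary groups inherited from the parent with
     * only the target gid. This needs root, so it comes before setuid(). */
    if (setgroups(1, &gid) != 0) return -3;
    if (setgid(gid) != 0)        return -4;
    if (setuid(uid) != 0)        return -5;

    /* Confirm the drop took effect and cannot be undone. */
    if (uid != 0 && setuid(0) == 0) return -6;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -7;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s ROOT UID GID\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != 0) {
        syslog(LOG_ERR, "privilege drop failed at step %d", -rc);
        return 1;
    }
    syslog(LOG_INFO, "chrooted, uid %d gid %d", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as root with a real directory and the numeric uid and gid of the unprivileged account; any non-zero return means the process must exit rather than continue serving files.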