tftpd invocation (GNU Inetutils)

27 `tftpd`: TFTP server

tftpd is intended to be invoked via inetd at all times.

Synopsis:

tftpd [options] [directory …]

-g group ¶
--group=group: Specify group membership of the process owner. This is used only along with the option -s, and replaces the group membership that comes from the process owner himself.
-l ¶
--logging: Enable logging.
-n ¶
--nonexistent: Supress negative acknowledgement of requests for nonexistent relative filenames.
-s dir ¶
--secure-dir=dir: Let the serving process change its root directory to dir before attending to any requests. This directory is not observable by any client, but improves server isolation, since servable contents must be located below this chrooted directory dir.
-u user ¶
--user=user: Specify the process owner for serving requests. Only relevant along with the option -s. The default name is ‘nobody’.

Directory prefixes
Use cases

27.1 Directory prefixes

In addition to options, an invocation of tftpd can specify an optional list of directory prefixes. These are approved of according to two principles:

Relative pathnames are ignored.
At most twenty prefixes are approved, the rest is discarded.

A request for a file is decided upon as a consequence of evaluating these criteria:

Every file request containing the substring ‘/../’ is denied, as is a file name beginning with ‘../’.
Write requests must specify absolute locations.
A file request, if specified as an absolute pathname, must begin with one of the approved directory prefixes, should at least one such prefix have been accepted.
In the absence of a prefix collection, any absolute pathname is accepted, should the corresponding file exist.
A file request, if specified as a relative name, will only be searched for below the acceptable prefixes, should at least one such prefix have been approved.
A request for a relatively named file, is denied in the absence of approved directory prefixes.
The resulting file must be world readable, or world writable, for a read request, or a write request, to succeed.

27.2 Use cases

The standard use case is an entry in /etc/inetd.conf like

tftp dgram udp4 wait root /usr/sbin/tftpd \
       tftpd /tftpboot /altboot

This would allow the TFTP client to use any of

get kernel
get /tftpboot/kernel
get kernel.alt
get /altboot/kernel.alt
get /etc/motd

given that /tftpboot/kernel and /altboot/kernel.alt exist. Observe that also /etc/motd is accessible, inspite there being no explicit mention of standard file locations.

A stronger mode of running a TFTP server is to use the ‘secure mode’, meaning that the serving process is running in a chrooted mode. Then a suitable configuration could be

tftp dgram udp4 wait root /usr/sbin/tftpd \
       tftpd --secure-dir=/srv/tftp-root  /tftpboot /altboot

Supposing the files kernel and kernel.alt to exist in the common directory /srv/tftp-root/altboot/, all the previously suggested client requests for a kernel would still be granted, but now any request for /etc/motd would be declined, and would get a reply ‘File not found’ back.

The chrooted setting is denying access outside of /srv/tftp-root, yet is not indicating this lock-in to the client, and is thus improving server isolation. Since neither of -u and -g were specified, the configuration reproduced above will in fact have the transmitting server process running with the default owner set to ‘nobody:nogroup’.

27 tftpd: TFTP server

27.1 Directory prefixes

27.2 Use cases

27 `tftpd`: TFTP server