Plugging Sun OS 3.0 TFTP security hole
Fernando Pereira
PEREIRA at sri-stinson.arpa
Sat Apr 26 15:30:01 AEST 1986
John Gilmore has just pointed out the security hole in SunOS 3.0 opened by
enabling TFTP service on servers as required by the new boot mechanism for
diskless clients. For those who haven't read that, the problem is that
in.tftpd will get any of the publicly accessible files on the machine where
it runs, eg. the password file, making life easier for crackers. Anyway,
following his suggestion I prepared the following quick fix for servers:
1. Create a new directory /tftp
2. Copy into it all files and directories that are to be accessible
by tftp. This will usually be the directory tftpboot and its
contents.
3. Copy also to /tftp the server in.tftpd from /usr/etc.
4. Replace /usr/etc/in.tftpd by the following program
main(argc, argv, envp)
int argc;
char *argv[], *envp[];
{
if (chroot("/tftp") < 0) exit(1);
argv[0] = "in.tftpd";
if (execve("/in.tftpd", argv, envp) < 0) exit(1);
}
Voila'! A TFTP server that only sees what you want.
-- Fernando Pereira
-------
More information about the Comp.unix.wizards
mailing list