Bug 21268

<<On Thu, 14 Sep 2000 20:47:36 +0400 (MSD), "Aleksandr A. Babaylov" <babolo@links.ru> said:

> Change user to some another helps - you can have files for write
> by tftpd belongs to some specific user (psevdouser) and be not writable
> by everyone.

I agree with this patch (with a few changes in wording).  If it passes
muster with the security gods, I'd go for it.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

<<On Thu, 14 Sep 2000 21:16:56 +0400 (MSD), "Aleksandr A.Babaylov" <babolo@links.ru> said:

> Is it useful to reserve uid tftp?

No, I don't think so.  There are too many ``optional'' reserved UIDs
as it is, and many sites will have no need for this feature.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

Comment 3 Garrett Wollman 2000-09-14 18:22:30 UTC

State Changed
From-To: open->feedback

Waiting for feedback from SO as to any security implications which need to 
be addressed before committing. 

Comment 4 Garrett Wollman 2000-09-14 18:22:30 UTC

Responsible Changed
From-To: freebsd-bugs->security-officer

Experiment to see if this will work as a way to request security reviews.

In message <200009141724.KAA66988@freefall.freebsd.org> wollman@FreeBSD.org writes:
: Synopsis: user set no nobody is not good
: Experiment to see if this will work as a way to request security reviews.

Short answer:
	Looks Good.  Man page wording needs work.

Long Answer:
	This fix appears to have no security implications.  It doesn't
	change the default behavior and gives administrators of tftp
	servers additional flexibility.  There is a potential for
	abuse, but that abuse is easy to cure.  It exposes no new
	external user controllable parameters to the system, so
	doesn't introduce a new vector of attack.  Improperly setup
	systems may be impacted, but that's no worse than before.  A
	tftpd user might not be a bad idea, and maybe the man page
	should suggest this, but this level of need doesn't rise to
	the level of requiring it on all systems.

	The man page wording is awkward.  Sadly, I don't have a
	suggestion for a better wording.

Now, what the heck do I do?  Reassign it back to wollman so he can be
responsible for committing the changes?  Wait for others on the SO
team to look at this?  For now I'll do nothing.

Warner

Comment 6 Garrett Wollman 2000-09-14 19:04:40 UTC

Here is my current diff for the man page.

Index: tftpd.8
===================================================================
RCS file: /home/ncvs/src/libexec/tftpd/tftpd.8,v
retrieving revision 1.6
diff -u -r1.6 tftpd.8
--- tftpd.8	1999/08/28 23:08:19	1.6
+++ tftpd.8	2000/09/14 17:59:07
@@ -41,16 +41,16 @@
 Internet Trivial File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm /usr/libexec/tftpd
-.Op Fl l
-.Op Fl n
+.Op Fl ln
 .Op Fl s Ar directory
+.Op Fl u Ar user
 .Op Ar directory ...
 .Sh DESCRIPTION
 .Nm Tftpd
 is a server which supports the
 Internet Trivial File Transfer
-Protocol (\c
-.Tn RFC 783).
+Protocol
+.Pq Tn RFC 1350 .
 The
 .Tn TFTP
 server operates
@@ -90,25 +90,39 @@
 The given directories are also treated as a search path for 
 relative filename requests.
 .Pp
-The chroot option provides additional security by restricting access
-of
-.Nm
-to only a chroot'd file system.  This is useful when moving
-from an OS that supported
+The 
 .Fl s
-as a boot server.  Because chroot is restricted to root, you must run
-.Nm
-as root.  However, if you chroot, then
-.Nm
-will set its user id to nobody.
+option provides additional security by changing 
+.Nm tftpd Ns No 's
+root directory, thereby prohibiting accesses outside of the specified
+.Ar directory .
+Because
+.Xr chroot 2
+requires super-user privileges,
+.Nm
+must be run as root.
+However, after performing the
+.Fn chroot ,
+.Nm
+will set its user id to that of the specified
+.Ar user ,
+or
+.Dq nobody
+if no
+.Fl u
+option is specified.
 .Pp
 The options are:
 .Bl -tag -width Ds
 .It Fl l
 Log all requests using
 .Xr syslog 3 
-with the facility of LOG_FTP.  Note: Logging of LOG_FTP messages
-will also need to be enabled in the syslog configuration file 
+with the facility of 
+.Dv LOG_FTP .
+Note: Logging of
+.Dv LOG_FTP
+messages
+must also be enabled in the syslog configuration file,
 .Xr syslog.conf 5 .
 .It Fl n
 Suppress negative acknowledgement of requests for nonexistent
@@ -116,23 +130,32 @@
 .It Fl s Ar directory
 Cause
 .Nm
-to chroot to
-.Pa directory
-before accepting commands.  In addition, the user id is set to
-nobody.
-.Pp
-If you are not running
-.Fl s ,
-no user id change will be
-attempted.  You should not run
-.Nm
-as root unless you are using
-.Fl s .
+to change its root directory to
+.Pa directory .
+After changing roots but before accepting commands,
+.Nm
+will switch credentials to an unprivileged user.
+.It Fl u Ar user
+Switch credentials to
+.Ar user
+(default
+.Dq nobody )
+when the
+.Fl s
+option is used.
+The user must be specified by name, not a numeric UID.
 .El
 .Sh SEE ALSO
 .Xr tftp 1 ,
+.Xr chroot 2 ,
 .Xr inetd 8 ,
 .Xr syslogd 8
+.Rs
+.%A K. R. Sollins
+.%T The TFTP Protocol (Revision 2)
+.%D July 1992
+.%O RFC 1350, STD 33
+.Re
 .Sh HISTORY
 The
 .Nm

Comment 7 Garrett Wollman 2000-09-14 20:09:33 UTC

State Changed
From-To: feedback->suspended

Change accepted in rev. 1.16; awaiting MFC. 

Comment 8 Garrett Wollman 2000-09-14 20:09:33 UTC

Responsible Changed
From-To: security-officer->freebsd-bugs

Warner did the review.

Comment 9 dwmalone 2001-05-29 16:09:44 UTC

State Changed
From-To: suspended->closed

tftpd in -current and -stable are almost identical, so I think the 
merge has been done.