Patch originally from Fedora

http://pkgs.fedoraproject.org/cgit/tftp.git/

Upstream-Status: Pending

diff -up tftp-hpa-0.48/tftp-xinetd.tftpboot tftp-hpa-0.48/tftp-xinetd
--- tftp-hpa-0.48/tftp-xinetd.tftpboot 2007-01-31 00:51:05.000000000 +0100
+++ tftp-hpa-0.48/tftp-xinetd 2008-05-20 12:05:53.000000000 +0200
@@ -10,7 +10,7 @@ service tftp
 wait = yes
 user = root
 server = /usr/sbin/in.tftpd
- server_args = -s /tftpboot
+ server_args = -s /var/lib/tftpboot
 disable = yes
 per_source = 11
 cps = 100 2
diff -up tftp-hpa-0.48/README.security.tftpboot tftp-hpa-0.48/README.security
--- tftp-hpa-0.48/README.security.tftpboot 2008-05-29 17:36:32.000000000 +0200
+++ tftp-hpa-0.48/README.security 2008-05-29 17:37:21.000000000 +0200
@@ -17,10 +17,10 @@ probably the following:
 
 1. Create a separate "tftpd" user and group only used for tftpd;
 2. Have all your boot files in a single directory tree (usually called
- /tftpboot).
-3. Specify "-p -u tftpd -s /tftpboot" on the tftpd command line; if
+ /var/lib/tftpboot).
+3. Specify "-p -u tftpd -s /var/lib/tftpboot" on the tftpd command line; if
 you want clients to be able to create files use
- "-p -c -U 002 -u tftpd -s /tftpboot" (replace 002 with whatever
+ "-p -c -U 002 -u tftpd -s /var/lib/tftpboot" (replace 002 with whatever
 umask is appropriate for your setup.)
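Review bot: The new `server_args = -s /var/lib/tftpboot` line still runs in.tftpd with `user = root` and without the `-p -u tftpd` flags that the README.security hunk in this same patch recommends, so privilege dropping presumably relies on tftpd's compiled-in default user rather than the dedicated tftpd account the documentation asks operators to create. Root is required for `-s` to chroot (the README hunk says so), but the service entry should either add `-u tftpd` to server_args or carry a comment explaining why the default is kept, e.g. `# root is needed only so -s can chroot; tftpd then drops to its default unprivileged user`. The patch also does not show who creates /var/lib/tftpboot or with what ownership; if packaging is expected to do that, stating it in the patch header would help. The `service tftp` block begins before this hunk.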
 
 =======================================
@@ -40,12 +40,12 @@ directly. Thus, if your /etc/inetd.conf
 line):
 
 tftp dgram udp wait root /usr/sbin/tcpd
-/usr/sbin/in.tftpd -s /tftpboot -r blksize
+/usr/sbin/in.tftpd -s /var/lib/tftpboot -r blksize
 
 ... it's better to change to ...
 
 tftp dgram udp wait root /usr/sbin/in.tftpd
-in.tftpd -s /tftpboot -r blksize
+in.tftpd -s /var/lib/tftpboot -r blksize
 
 You should make sure that you are using "wait" option in tftpd; you
 also need to have tftpd spawned as root in order for chroot (-s) to
diff -up tftp-hpa-0.48/tftpd/sample.rules.tftpboot tftp-hpa-0.48/tftpd/sample.rules
--- tftp-hpa-0.48/tftpd/sample.rules.tftpboot 2008-05-29 17:38:46.000000000 +0200
+++ tftp-hpa-0.48/tftpd/sample.rules 2008-05-29 17:38:05.000000000 +0200
@@ -30,5 +30,5 @@ rg \\ / # Convert backslashes to slash
 rg \# @ # Convert hash marks to @ signs
 rg /../ /..no../ # Convert /../ to /..no../
 e ^ok/ # These are always ok
-r ^[^/] /tftpboot/\0 # Convert non-absolute files
+r ^[^/] /var/lib/tftpboot/\0 # Convert non-absolute files
 a \.pvt$ # Reject requests for private files

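Review bot: The rewritten rule `r ^[^/] /var/lib/tftpboot/\0` hardcodes the same directory that tftp-xinetd and README.security now carry, but nothing in this hunk says whether the sample is meant for a chrooted (`-s`) or a non-chrooted server. If this rules file were loaded by the `-s /var/lib/tftpboot` service from the xinetd hunk, the prefix would presumably be applied to the request path inside the chroot and so be doubled on disk — I am inferring that from the `-s` semantics described in the README hunk, not from the rules file itself. A one-line comment above the rule, e.g. `# For non-chroot setups (no -s): relative requests are mapped to an absolute path here`, would make the intended deployment explicit and keep the three occurrences of the path from drifting apart unnoticed. The rules file's header comments are outside this hunk.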