tftpd: TFTP server
tftpd is intended to be invoked via
at all times.
tftpd [options] [directory …]
Specify group membership of the process owner. This is used only along with the option -s, and replaces the group membership that comes from the process owner himself.
Supress negative acknowledgement of requests for nonexistent relative filenames.
Let the serving process change its root directory to dir before attending to any requests. This directory is not observable by any client, but improves server isolation, since servable contents must be located below this chrooted directory dir.
Specify the process owner for serving requests. Only relevant along with the option -s. The default name is ‘nobody’.
In addition to options, an invocation of
specify an optional list of directory prefixes.
These are approved of according to two principles:
A request for a file is decided upon as a consequence of evaluating these criteria:
The standard use case is an entry in /etc/inetd.conf like
tftp dgram udp4 wait root /usr/sbin/tftpd \ tftpd /tftpboot /altboot
This would allow the TFTP client to use any of
get kernel get /tftpboot/kernel get kernel.alt get /altboot/kernel.alt get /etc/motd
given that /tftpboot/kernel and /altboot/kernel.alt exist. Observe that also /etc/motd is accessible, inspite there being no explicit mention of standard file locations.
A stronger mode of running a TFTP server is to use the ‘secure mode’, meaning that the serving process is running in a chrooted mode. Then a suitable configuration could be
tftp dgram udp4 wait root /usr/sbin/tftpd \ tftpd --secure-dir=/srv/tftp-root /tftpboot /altboot
Supposing the files kernel and kernel.alt to exist in the common directory /srv/tftp-root/altboot/, all the previously suggested client requests for a kernel would still be granted, but now any request for /etc/motd would be declined, and would get a reply ‘File not found’ back.
The chrooted setting is denying access outside of /srv/tftp-root, yet is not indicating this lock-in to the client, and is thus improving server isolation. Since neither of -u and -g were specified, the configuration reproduced above will in fact have the transmitting server process running with the default owner set to ‘nobody:nogroup’.