|
 |
6ed84f |
diff -up tftp-hpa-0.48/tftp-xinetd.tftpboot tftp-hpa-0.48/tftp-xinetd
|
|
|
6ed84f |
--- tftp-hpa-0.48/tftp-xinetd.tftpboot 2007-01-31 00:51:05.000000000 +0100
|
|
|
6ed84f |
+++ tftp-hpa-0.48/tftp-xinetd 2008-05-20 12:05:53.000000000 +0200
|
|
|
6ed84f |
@@ -10,7 +10,7 @@ service tftp
|
|
|
6ed84f |
wait = yes
|
|
|
6ed84f |
user = root
|
|
|
6ed84f |
server = /usr/sbin/in.tftpd
|
|
|
6ed84f |
- server_args = -s /tftpboot
|
|
|
6ed84f |
+ server_args = -s /var/lib/tftpboot
|
|
|
6ed84f |
disable = yes
|
|
|
6ed84f |
per_source = 11
|
|
|
6ed84f |
cps = 100 2
|
|
|
6ed84f |
diff -up tftp-hpa-0.48/README.security.tftpboot tftp-hpa-0.48/README.security
|
|
|
6ed84f |
--- tftp-hpa-0.48/README.security.tftpboot 2008-05-29 17:36:32.000000000 +0200
|
|
|
6ed84f |
+++ tftp-hpa-0.48/README.security 2008-05-29 17:37:21.000000000 +0200
|
|
|
6ed84f |
@@ -17,10 +17,10 @@ probably the following:
|
|
|
6ed84f |
|
|
|
6ed84f |
1. Create a separate "tftpd" user and group only used for tftpd;
|
|
|
6ed84f |
2. Have all your boot files in a single directory tree (usually called
|
|
|
6ed84f |
- /tftpboot).
|
|
|
6ed84f |
-3. Specify "-p -u tftpd -s /tftpboot" on the tftpd command line; if
|
|
|
6ed84f |
+ /var/lib/tftpboot).
|
|
|
6ed84f |
+3. Specify "-p -u tftpd -s /var/lib/tftpboot" on the tftpd command line; if
|
|
|
6ed84f |
you want clients to be able to create files use
|
|
|
6ed84f |
- "-p -c -U 002 -u tftpd -s /tftpboot" (replace 002 with whatever
|
|
|
6ed84f |
+ "-p -c -U 002 -u tftpd -s /var/lib/tftpboot" (replace 002 with whatever
|
|
|
6ed84f |
umask is appropriate for your setup.)
|
|
|
6ed84f |
|
|
|
6ed84f |
=======================================
|
|
|
6ed84f |
@@ -40,12 +40,12 @@ directly. Thus, if your /etc/inetd.conf
|
|
|
6ed84f |
line):
|
|
|
6ed84f |
|
|
|
6ed84f |
tftp dgram udp wait root /usr/sbin/tcpd
|
|
|
6ed84f |
-/usr/sbin/in.tftpd -s /tftpboot -r blksize
|
|
|
6ed84f |
+/usr/sbin/in.tftpd -s /var/lib/tftpboot -r blksize
|
|
|
6ed84f |
|
|
|
6ed84f |
... it's better to change to ...
|
|
|
6ed84f |
|
|
|
6ed84f |
tftp dgram udp wait root /usr/sbin/in.tftpd
|
|
|
6ed84f |
-in.tftpd -s /tftpboot -r blksize
|
|
|
6ed84f |
+in.tftpd -s /var/lib/tftpboot -r blksize
|
|
|
6ed84f |
|
|
|
6ed84f |
You should make sure that you are using "wait" option in tftpd; you
|
|
|
6ed84f |
also need to have tftpd spawned as root in order for chroot (-s) to
|
|
|
6ed84f |
diff -up tftp-hpa-0.48/tftpd/sample.rules.tftpboot tftp-hpa-0.48/tftpd/sample.rules
|
|
|
6ed84f |
--- tftp-hpa-0.48/tftpd/sample.rules.tftpboot 2008-05-29 17:38:46.000000000 +0200
|
|
|
6ed84f |
+++ tftp-hpa-0.48/tftpd/sample.rules 2008-05-29 17:38:05.000000000 +0200
|
|
|
6ed84f |
@@ -30,5 +30,5 @@ rg \\ / # Convert backslashes to slash
|
|
|
6ed84f |
rg \# @ # Convert hash marks to @ signs
|
|
|
6ed84f |
rg /../ /..no../ # Convert /../ to /..no../
|
|
|
6ed84f |
e ^ok/ # These are always ok
|
|
|
6ed84f |
-r ^[^/] /tftpboot/\0 # Convert non-absolute files
|
|
|
6ed84f |
+r ^[^/] /var/lib/tftpboot/\0 # Convert non-absolute files
|
|
|
6ed84f |
a \.pvt$ # Reject requests for private files
|