rang@cs.wisc.edu (Anton Rang) (06/07/90)
In article <3023@unisoft.UUCP> greywolf@unisoft.UUCP (The Grey Wolf) writes:
>To what extent does one disable tftp (or did the original user mean
>anonymous ftp)?

  At a minimum, you should restrict either which hosts can access tftp
on a given machine, or which files tftp can access.  The problem is
that tftp, as distributed, lets anyone access any publicly-readable
file, and lots of important files (like /etc/passwd) are publicly
readable.  (In other words, having tftp enabled allows dictionary
attacks to be tried without needing an account on the remote machine.)
  This is my understanding of the matter, at least; feel free to
correct any misapprehensions.

	Anton

+---------------------------+------------------+-------------+
| Anton Rang (grad student) | rang@cs.wisc.edu | UW--Madison |
+---------------------------+------------------+-------------+
loverso@Xylogics.COM (John Robert LoVerso) (06/07/90)
And don't be fooled by the fact that the TFTP protocol doesn't include
a list-directory call.  The BSD tftpd will allow [publicly readable]
directories to be read, and so a clever user tftp program could use this
to implement an "ls"-style listing.  This can give away the names of
subdirectories you might have in your tftp-area (if you are running a
"secure" tftpd that does a chroot), or let the people walk your whole
filesystem, even if they don't know its layout beforehand.

A trivial change to tftpd would prevent the reading of all but plain files.

John
--
John Robert LoVerso			Xylogics, Inc.  617/272-8140 x284
loverso@Xylogics.COM			Annex Terminal Server Development Group
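
One way to write the "plain files only" check mentioned in the post above, as an added example that is not part of the original thread and not taken from any tftpd source. The function name open_plain_public is hypothetical, and the check is done on the opened descriptor rather than on the path name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not real tftpd code): open a file for a
 * read request only if it is a plain, publicly readable file.
 * Returns an open descriptor, or -1 with errno set. */
int open_plain_public(const char *path)
{
    struct stat st;
    /* O_NONBLOCK keeps the daemon from hanging if the name is a FIFO. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor we hold, not the name, so the object cannot
     * be swapped between the check and the read. */
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {      /* directory, device, FIFO, socket */
        close(fd);
        errno = S_ISDIR(st.st_mode) ? EISDIR : EACCES;
        return -1;
    }
    if (!(st.st_mode & S_IROTH)) {   /* not publicly readable */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Stand-alone use: report which of the named paths would be served. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_plain_public(argv[i]);
        if (fd < 0) {
            perror(argv[i]);
            continue;
        }
        printf("%s: would be served\n", argv[i]);
        close(fd);
    }
    return 0;
}
```

With this check a read request naming a directory fails with EISDIR instead of returning the raw directory contents, so the tftp area cannot be listed through the read path.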
jms@tardis.Tymnet.COM (Joe Smith) (06/11/90)
In article <RANG.90Jun7082318@derby.cs.wisc.edu> rang@cs.wisc.edu (Anton Rang) writes:
>In article <3023@unisoft.UUCP> greywolf@unisoft.UUCP (The Grey Wolf) writes:
:  At a minimum, you should restrict either which hosts can access tftp
:on a given machine, or which files tftp can access.  The problem is
:that tftp, as distributed, lets anyone access any publicly-readable
:file, and lots of important files (like /etc/passwd) are publicly
:readable.  (In other words, having tftp enabled allows dictionary
:attacks to be tried without needing an account on the remote machine.)
:  This is my understanding of the matter, at least; feel free to
:correct any misapprehensions.

As distributed from Sun, tftp does NOT allow access to /etc/passwd.
It does a chroot to /tftpboot first.  This means that if you attempt to
read /etc/passwd, the kernel translates it to /tftpboot/etc/passwd, which
does not exist.  The chroot call also means that ".." cannot be used to
get out of the set directory.  See "man 2 chroot".
--
Joe Smith (408)922-6220 | SMTP: jms@tardis.tymnet.com or jms@gemini.tymnet.com
BT Tymnet Tech Services | UUCP: ...!{ames,pyramid}!oliveb!tymix!tardis!jms
PO Box 49019, MS-C41    | BIX: smithjoe | 12 PDP-10s still running! "POPJ P,"
San Jose, CA 95161-9019 | humorous disclaimer: "My Amiga speaks for me."