Need help with tftp problems

[ddebevec]

First off, I hope I’m in the correct forum. If not, please direct me to the correct one.

Can someone please help me to get my tftp issue straight? What started out as a seemingly simple installation and use of tftp is turning out to be a quite frustrating journey. I based my installation on another user’s experience as found on the internet. My first attempts yielded numerous “permission denied” messages. After countless searches and trying oh so many suggested configurations, I’m now dealing with the “cannot set groups for user nobody” messages. Can someone please help lead me out of this tftp nightmare that I seem to be having?

Background

I’m running fedora 14 32 bit and I’ve listed my configurations and messages below:

My latest /etc/xinetd.d/tftp member

service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = no
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /var/lib/tftpboot -u nobody
per_source = 11
cps = 100 2
flags = IPv4
}

My directory and file permissions and structure:

/var/lib/tfrtboot

drwxrwxrwx 2 nobody nobody 4096 Feb 5 22:39 tftpboot


[root@elisha lib]# cd tftpboot
[root@elisha tftpboot]# ll
total 7724
-rw-rwxrwx 1 root root 165108 Feb 5 22:39 ap61.ram
-rw-rwxrwx 1 root root 165656 Feb 5 22:39 ap61.rom
-rw-rwxrwx 1 root root 3784732 Feb 5 22:39 ar430w-firmware.bin
-rw-rwxrwx 1 root root 3784704 Feb 5 22:39 linux.bin

Output from process status:

[root@elisha /]# ps -ef | grep tftp
nobody 26980 26910 0 21:08 ? 00:00:00 in.tftpd -s /var/lib/tftpboot

Syslog output from execution:

Feb 13 21:08:17 elisha xinetd[26910]: START: tftp pid=26980 from=192.168.20.81
Feb 13 21:08:17 elisha in.tftpd[26981]: cannot set groups for user nobody
Feb 13 21:09:34 elisha in.tftpd[26986]: cannot set groups for user nobody
Feb 13 21:12:16 elisha in.tftpd[26993]: cannot set groups for user nobody
Feb 13 21:13:35 elisha xinetd[26910]: EXIT: tftp status=0 pid=26980 duration=1199(sec)

[jpollard]

Quite possibly you missed the point that tftpd should run as its own user and not as nobody.

Granted, nobody is better than root. BUT... nobody is given no permissions via SELinux... and I think that should be blocking it from working.

Try the defaults first - it already is supposed to be run as nobody, but the way it gets there may be different than that from the -u option which sets the privileges via /etc/shadow, and you don't want to muck with those as the nobody account gets used for a lot of other things too.

BTW, you also need to check the security labels on the files tftpboot is to provide. I don't think you want them writable at any time either.

[flyingfsck]

BTW, tftp has NO security. Therefore, it is coded to only allow downloads from a directory that is set to read only.

You probably don't need any of the other things you have done...

[bob]

moved to EOL (F14's now obsolete)

[ddebevec]

All,

Thank you for your responses. I’m not currently with my machine, so I’ll have to wait until tonight to try your suggestions. Also I have SELinux disabled, could that be causing my problems?

[flyingfsck]

SELinux disabled means it does nothing, so don't worry about it. Do read the tftp man page though. Your issues are very like discussed in there.

[stevea]

Quote:

Originally Posted by flyingfsck

BTW, tftp has NO security. Therefore, it is coded to only allow downloads from a directory that is set to read only.

You probably don't need any of the other things you have done...

That's not true. I just tested it.

You will want to kill any currently running daemon and resatart xinetd to effect and /etc/xinetd.d/tftp changes..

sudo pkill -1 in.tftpd
sudo service xinetd restart

Code:

service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = no
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /var/lib/tftpboot -u nobody
per_source = 11
cps = 100 2
flags = IPv4
}

The wait flag should be yes, and that may cause a problem, tho' not likely.

---

I suspect you have a messed up group assignment for nobody account.
grep "nobody:" /etc/{passwd,group}

should return lines like ....

Code:

/etc/passwd:nobody:x:99:99:Nobody:/:/sbin/nologin
/etc/group:nobody:x:99:

and maybe others.

If no group entry '99' (based on the /etc/passwd line) with nobody text as an entry - then create it using system-config-users as root.

Then kill the in.tftpd daemon and try again.

[ddebevec]

I tried your suggestions and now I'm see the message:

Feb 14 18:12:12 elisha xinetd[30244]: START: tftp pid=30248 from=192.168.20.81
Feb 14 18:12:12 elisha in.tftpd[30248]: /var/lib/tftpboot: Permission denied
Feb 14 18:12:12 elisha xinetd[30244]: EXIT: tftp status=66 pid=30248 duration=0(sec)

I removed the "-u nobody" from the "tftp" member, changed the file permissions to read. Changed the owner and group to "nobody" and the wait parameter to yes. I removed all options from the tftp member.

service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = /var/lib/tftpboot
per_source = 11
cps = 100 2
flags = IPv4
}

Is it getting better or worse?

[flyingfsck]

Howdy,

Do you get more useful error messages if you run it manually?
# /usr/sbin/in.tftpd -s /var/lib/tftpboot

[ddebevec]

When I execute the command basically the terminal session just goes into a do_wait state and the log displays the following:

Feb 14 20:01:25 elisha xinetd[30914]: START: tftp pid=30931 from=192.168.20.81
Feb 14 20:01:25 elisha in.tftpd[30931]: /var/lib/tftpboot: Permission denied
Feb 14 20:01:25 elisha xinetd[30914]: EXIT: tftp status=66 pid=30931 duration=0(sec)

I'm curious if the file owner, group and permission are correct. I've seen so many different iterations of these values not to mention the user parameter in the tftp member.

[jpollard]

Server args needs to be "-s /var/lib/tftpboot". This allows the boot process to refer to the files by base name, and not "/var/lib/tftpboot/<basename>".

It also prevents them from downloading password files...

Now as to why it does not have permission, how about reporting the output of the following sequence (sequence and expected results are shown):

Code:

$ ls -lZd /var
drwxr-xr-x. root root system_u:object_r:var_t:s0       /var
$ ls -lZd /var/lib
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   /var/lib
$ ls -lZd /var/lib/tftpboot
drwxr-xr-x. root root system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot
$

forgot one:

$ ls -lZ /var/lib/tftpboot

(mine is empty)

[ddebevec]

I will post this information this evening, after work. Again, thank you for your assistance in this matter.

[flyingfsck]

This is the problem: /var/lib/tftpboot: Permission denied

So change the tftp directory to something else and set the owner properly and make both the directory and the file that you want to access, read only.

[ddebevec]

Here's the output you requested. Looks like mine doesn't match yours. I'm guessing I should try to match yours.


[root@elisha ~]# ls -lZd /var
drwxr-xr-x. root root system_u:object_r:var_t:s0 /var

[root@elisha ~]# ls -lZd /var/lib
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 /var/lib

[root@elisha ~]# ls -lZd /var/lib/tftpboot
dr--r--r-- nobody nobody ? /var/lib/tftpboot

[root@elisha ~]# ls -lZ /var/lib/tftpboot
-r--r--r-- nobody nobody ? ap61.ram
-r--r--r-- nobody nobody ? ap61.rom
-r--r--r-- nobody nobody ? ar430w-firmware.bin
-r--r--r-- nobody nobody ? linux.bin
[root@elisha ~]#

[jpollard]

There it is.

I believe the directory /var/lib/tftpboot must have rx.

x allows the directory to be searched, and I believe that is what in.tftpd does when it starts.

The files in the directory are fine.