allowing in.tftpd to read/write files?
Per Sjoholm
Per.t.Sjoholm at flysta.net
Fri Oct 19 21:27:28 UTC 2007
tftp is used both for booting network devices like switches, routers,
ADSL modems etc., and also to let them save a configuration file or a
log file.
Often there are no alternatives for these devices.
Daniel J Walsh wrote:
> Chuck Anderson wrote:
>
>> How do I allow tftpd to write files? I changed the context to
>> "system_u:object_r:public_content_rw_t:s0" but that doesn't work.
>> Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem
>> to be any file_contexts set up for /var/tftp. I manually set the
>> context to match that of /tftpboot:
>>
>> drwxr-xr-x root root system_u:object_r:tftpdir_t /tftpboot//
>> drwxrwsr-x tftp tftp system_u:object_r:tftpdir_t /var/tftp/
>>
>> -rw-rw-rw- cra tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
>>
>> type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for
>> pid=15860 comm="in.tftpd" name="testfile" dev=dm-4
>> ino=84549655 scontext=user_u:system_r:tftpd_t:s0
>> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>> type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5
>> success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0
>> ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99
>> egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd"
>> exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
>>
>> Thanks.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> I did not even know you could upload with tftp.
>
> Is this common? I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.
>
> tftp can only read public_content policy
>
> So we have three options.
>
> 1. Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.
>
> 2. Convince me or upstream that tftp should be able to write to
> public_content_rw_t.
>
> BTW, I was at WPI this past Tuesday at the Robot Symposium. It was
> quite good.