SECURITY HOLE in tftpd
Bill Shannon
shannon at sun.uucp
Thu Mar 8 09:36:55 AEST 1984
Subject: tftpd doesn't check file permissions properly
Index: etc/tftpd.c 4.2BSD
Description:
The tftp daemon runs as root and is only supposed to let you
access files with public read. However, it only checks the
file itself, not the path to the file.
Repeat-By:
chmod 700 /sys
tftp localhost
get /sys/sys/tty.c
Fix:
I fixed it by doing a setgid(-2), setuid(-2) before checking access
permissions. It's hard to check the entire path by hand because
of symbolic links; you really have to run as someone who will only
have public permission to the file. -2/-2 is not guaranteed to be
restrictive enough, but it was a quick fix. Perhaps a uid/gid should
be reserved for this purpose.
Sorry, no diff of the fix. Our tftpd has changed far too much for
other reasons for it to be useful.
More information about the Comp.bugs.4bsd.ucb-fixes
mailing list