HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)
tftpd(1M) tftpd(1M)
NAME
tftpd - trivial file transfer protocol server
SYNOPSIS
/usr/lbin/tftpd [-R retran-seconds] [-T total-seconds] [path ...]
DESCRIPTION
tftpd is a server that supports the Internet Trivial File Transfer Protocol (RFC783). The TFTP server
operates at the port indicated in the tftp service description (see services(4)). The server is normally
started by inetd using the /etc/inetd.conf file (see inetd(1M) and inetd.conf(4)).
The -R option specifies the per-packet retransmission timeout, in seconds. The default value is 5 seconds.
The -T option specifies the total retransmission timeout, in seconds. The default value is 25 seconds.
The path parameter has the following effects:
• tftpd operates in either of two modes or their combination. The first mode requires a defined
home directory for the pseudo-user tftp, and looks for files relative to that path. The second mode
requires one or more paths be specified on the command line, and allows access only to files whose
paths match or begin with one of the command line specifications. The first mode is
backward-compatible with previous releases of HP-UX and supports somewhat tighter security. The
second mode is compatible with other vendors’ implementations of tftpd and allows greater
flexibility in accessing files.
• If no path is specified on the command line, tftpd requires an entry in the /etc/passwd database
(see passwd(4)) for an account (pseudo-user) named tftp. The password field should be *, the group
membership should be guest, and the login shell should be /usr/bin/false. For example (assuming
the guest group ID is 101):

    tftp:*:510:101:tftp server:/home/tftpdir:/usr/bin/false

tftpd uses a call to chroot() to change its root directory to be the same as the home directory of
the pseudo-user tftp. This restricts access by tftp clients to only those files found below the
tftp home directory (see chroot(2)). Furthermore, tftp clients can only read files in that
directory if they are readable by the pseudo-user tftp, and tftp clients can only write files in
that directory if they exist and are writable by the pseudo-user tftp.
• If any path is specified on the command line, tftpd does not require that a pseudo-user named
tftp exist in /etc/passwd. The specified paths control access to files by tftp clients. Each path
is treated as being relative to / (not the tftp home directory), and can be either a directory or
a file. tftpd disallows a client access to any file that does not match entirely or in its initial
components one of the restriction paths. It also disallows access to any file path containing
"..". However, an accessed file can be a symbolic link that points outside the set of restricted
paths.
• If any path is specified on the command line and the tftp home directory is defined and is not /,
tftpd first looks for a file relative to (under) the home directory. If the file is not found
there, then tftpd looks for the file relative to / with path restrictions applied. Thus if two
files with the same name can be found in both locations, tftpd accesses the one under tftp’s home
directory.
Note that inetd allows continuation of command lines in inetd.conf by ending continued lines with
a backslash.
Defining the tftp pseudo-user is strongly recommended even when paths are specified, because client
access is further restricted to files that can be read and/or written by this pseudo-user. It is
safe to set the tftp pseudo-user’s home directory to / in this case.
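Because an accessed file can be a symbolic link that points outside the restricted paths, the path checks alone do not bound what a client can reach. The following is an added example, not part of the HP-UX manual or of tftpd itself: a Python sketch that models the documented restriction check and lists symbolic links under the restriction paths that resolve outside them. The function names, the literal ".." test and the whole-component matching are assumptions taken from the wording above.

```python
import os
import sys
import tempfile

def _parts(path):
    # Split into components; "/" becomes [] so it is a prefix of every path.
    return [c for c in os.path.normpath(path).split(os.sep) if c]

def within(path, allowed_paths):
    """True if path equals a restriction path or lies under it (whole components)."""
    p = _parts(path)
    return any(p[:len(q)] == q for q in map(_parts, allowed_paths))

def request_allowed(request_path, allowed_paths):
    """Model of the documented check (assumption: literal reading of the page)."""
    if ".." in request_path:  # any file path containing ".." is refused
        return False
    return within(request_path, allowed_paths)

def escaping_symlinks(allowed_paths):
    """Return sorted (link, resolved_target) pairs for symlinks under the
    restriction paths whose target resolves outside every restriction path."""
    roots = [os.path.realpath(p) for p in allowed_paths]
    findings = set()
    for root in allowed_paths:
        candidates = [root]  # a restriction path may itself be a single file
        for dirpath, dirnames, filenames in os.walk(root):  # links are not followed
            candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for cand in candidates:
            if os.path.islink(cand):
                target = os.path.realpath(cand)
                if not within(target, roots):
                    findings.add((cand, target))
    return sorted(findings)

if __name__ == "__main__":
    paths = sys.argv[1:]  # the same path arguments that tftpd is started with
    if not paths:  # no arguments: audit a constructed sample tree instead
        paths = [os.path.join(tempfile.mkdtemp(), "tftpboot")]
        os.mkdir(paths[0])
        os.symlink("/etc/passwd", os.path.join(paths[0], "pw"))  # constructed link
    for link, target in escaping_symlinks(paths):
        print("%s -> %s" % (link, target))
```

Any link it reports is readable by clients only if the tftp pseudo-user can read the target, which is why defining that pseudo-user is recommended even when paths are specified.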
DIAGNOSTICS
The following diagnostics are logged to the syslogd facility at the err log level (see syslogd(1M)).
No security mechanism exists
    The pseudo-user tftp was not found in the password database (/etc/passwd), and tftpd
    was invoked without any path arguments.
    Add or correct the entry for the pseudo-user tftp in the password database /etc/passwd.
    Or, add an access list (path arguments) to the tftpd arguments in the inetd configuration file
    /etc/inetd.conf. Reconfigure inetd with the command inetd -c.
HP-UX Release 11i: December 2000