Bug 1013565 - atftp daemon runs as root
atftp daemon runs as root
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.2
x86-64 Other
: P5 - None : Major (vote)
: ---
Assigned To: Vítězslav Čížek
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2016-12-04 10:50 UTC by Olav Reinert
Modified: 2021-06-25 08:50 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

drop privileges in non-daemon mode (2.86 KB, patch)
2016-12-06 14:51 UTC, Vítězslav Čížek
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Olav Reinert 2016-12-04 10:50:24 UTC
A standard install of the atftpd package will run the daemon root, despite the clear intentions (sysconfig file, and options passed in service unit) to have it run as tftp.

This is problematic because it allows tftp clients to overwrite all files served by atftpd, and to upload new ones, completely disregarding permissions set on directories and files under /srv/tftpboot.

In my tests I let the service start via socket activation.
Comment 1 Vítězslav Čížek 2016-12-05 16:33:36 UTC
Good catch.
atftpd doesn't honor the --user/--group options when run from inetd/systemd.
We should either add calls to setuid()/setgid() to the non-daemon mode or add User=/Group= directives to the atftpd.service.
Comment 2 Olav Reinert 2016-12-06 07:31:17 UTC
Assuming you want to preserve the sysconfig file and adhering to what's defined in it, I think there is no choice but to patch it to call setuid()/setgid() for the non-daemon mode. Environment variable substitution is only possible in "ExecStart=..." and its siblings, so adding "User=$ATFTPD_USER" to the service unit won't work.
Comment 3 Vítězslav Čížek 2016-12-06 11:51:48 UTC
I see. Using systemd generators to create the service/socket file is another option. But systemd people don't like the idea of people adding many new generators.

Let's prepare the setuid/setgid patch.
Comment 5 Vítězslav Čížek 2016-12-06 14:51:18 UTC
Created attachment 705094 [details]
drop privileges in non-daemon mode
Comment 6 Bernhard Wiedemann 2016-12-06 15:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1013565) was mentioned in
https://build.opensuse.org/request/show/444292 13.2+42.1+42.2 / atftp
Comment 7 Andreas Stieger 2016-12-13 20:33:22 UTC
Comment 8 Swamp Workflow Management 2016-12-14 00:16:57 UTC
openSUSE-RU-2016:3130-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1013565
CVE References: 
Sources used:
openSUSE Leap 42.2 (src):    atftp-0.7.0-171.1
openSUSE Leap 42.1 (src):    atftp-0.7.0-170.1
openSUSE 13.2 (src):    atftp-0.7.0-160.11.1
Comment 9 OBSbugzilla Bot 2021-06-25 08:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1013565) was mentioned in
https://build.opensuse.org/request/show/902297 15.3 / atftp
https://build.opensuse.org/request/show/902298 Backports:SLE-15-SP2 / atftp