Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxn!ihnp4!qantel!lll-lcc!lll-crg!seismo!brl-sem!brl-smoke!smoke!PEREIRA@sri-stinson.arpa
From: PEREIRA@sri-stinson.arpa (Fernando Pereira)
Newsgroups: net.unix-wizards
Subject: Plugging Sun OS 3.0 TFTP security hole
Message-ID: <300@brl-smoke.ARPA>
Date: Sat, 26-Apr-86 01:30:01 EDT
Article-I.D.: brl-smok.300
Posted: Sat Apr 26 01:30:01 1986
Date-Received: Fri, 2-May-86 08:27:02 EDT
Sender: news@brl-smoke.ARPA
Lines: 27

John Gilmore has just pointed out the security hole in SunOS 3.0 opened by
enabling TFTP service on servers as required by the new boot mechanism for
diskless clients.  For those who haven't read that, the problem is that
in.tftpd will get any of the publicly accessible files on the machine where
it runs, eg. the password file, making life easier for crackers.  Anyway,
following his suggestion I prepared the following quick fix for servers:

	1. Create a new directory /tftp
	2. Copy into it all files and directories that are to be accessible
	   by tftp. This will usually be the directory tftpboot and its
	   contents.
	3. Copy also to /tftp the server in.tftpd from /usr/etc.
	4. Replace /usr/etc/in.tftpd by the following program

	main(argc, argv, envp)
	int argc;
	char *argv[], *envp[];
	{
	    if (chroot("/tftp") < 0) exit(1);
	    argv[0] = "in.tftpd";
	    if (execve("/in.tftpd", argv, envp) < 0) exit(1);
	}

Voila'! A TFTP server that only sees what you want.

-- Fernando Pereira
-------