Hi,

There seem to be different concepts of what permissions and owner /srv/tftpboot should have. Can we agree on something? :)

found conflict of atftp-0.7.0-156.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
- /srv/tftpboot [mode mismatch: d750 tftp:tftp, d755 root:root]
found conflict of dnsmasq-2.65-5.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
- /srv/tftpboot [mode mismatch: d750 root:tftp, d755 root:root]
found conflict of kiwi-pxeboot-5.05.7-582.1.noarch with tftp-5.2-5.1.x86_64:
- /srv/tftpboot [mode mismatch: d755 root:root, d750 root:tftp]

Greetings, Stephan

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On 10/04/13 14:57, Stephan Kulow wrote:
> Hi,
>
> There seem to be different concepts of what permissions and owner /srv/tftpboot should have. Can we agree on something? :)
>
> found conflict of atftp-0.7.0-156.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
> - /srv/tftpboot [mode mismatch: d750 tftp:tftp, d755 root:root]
> found conflict of dnsmasq-2.65-5.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
> - /srv/tftpboot [mode mismatch: d750 root:tftp, d755 root:root]
> found conflict of kiwi-pxeboot-5.05.7-582.1.noarch with tftp-5.2-5.1.x86_64:
> - /srv/tftpboot [mode mismatch: d755 root:root, d750 root:tftp]
>
> Greetings, Stephan
root:root and we drop any capability or limit access via systemd units.
On Wed, 10 Apr 2013 22:51, Cristian Rodríguez
> On 10/04/13 14:57, Stephan Kulow wrote:
>> Hi,
>>
>> There seem to be different concepts of what permissions and owner /srv/tftpboot should have. Can we agree on something? :)
>>
>> found conflict of atftp-0.7.0-156.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
>> - /srv/tftpboot [mode mismatch: d750 tftp:tftp, d755 root:root]
>> found conflict of dnsmasq-2.65-5.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
>> - /srv/tftpboot [mode mismatch: d750 root:tftp, d755 root:root]
>> found conflict of kiwi-pxeboot-5.05.7-582.1.noarch with tftp-5.2-5.1.x86_64:
>> - /srv/tftpboot [mode mismatch: d755 root:root, d750 root:tftp]
>>
>> Greetings, Stephan
>
> root:root and we drop any capability or limit access via systemd units.
Well, either "d755 root:root": everybody on the machine can read the dir, or "d750 root:tftp": tftp can read, others not; that way closes some avenues of risk.

IMHO, from the sec. aspect, "d750 root:tftp" should be preferred.

- Yamaban
On 10/04/13 18:14, Yamaban wrote:
>> root:root and we drop any capability or limit access via systemd units.
>
> Well, either "d755 root:root": everybody on the machine can read the dir, or "d750 root:tftp": tftp can read, others not; that way closes some avenues of risk.
>
> IMHO, from the sec. aspect, "d750 root:tftp" should be preferred.
tftp is an insecure protocol and hence no secret or sensitive information should live in /srv/tftpboot, and reading the directory contents should not be a problem.

If I want to look at the directory contents I can just tftp to localhost, as the protocol does not have authentication at all.
On Wed, Apr 10, 2013 at 5:23 PM, Cristian Rodríguez
> On 10/04/13 18:14, Yamaban wrote:
>>> root:root and we drop any capability or limit access via systemd units.
>>
>> Well, either "d755 root:root": everybody on the machine can read the dir, or "d750 root:tftp": tftp can read, others not; that way closes some avenues of risk.
>>
>> IMHO, from the sec. aspect, "d750 root:tftp" should be preferred.
>
> tftp is an insecure protocol and hence no secret or sensitive information should live in /srv/tftpboot, and reading the directory contents should not be a problem.
>
> If I want to look at the directory contents I can just tftp to localhost, as the protocol does not have authentication at all.
Per Wiki: Trivial File Transfer Protocol (TFTP) is a simple protocol to transfer files. It has been implemented on top of the User Datagram Protocol (UDP) using port number 69. TFTP is designed to be small and easy to implement, and therefore it lacks most of the features of a regular FTP. TFTP only reads and writes files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.

Note: "It cannot list directories"

If that is true, then "d755 root:root" is a security hole.

That fits my experience that tftp clients have to know the path of what they want. No browsing allowed.

Greg
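As an added illustration (not code from the thread or from any of the packages named in it), here is a small Python parser for the rpm `found conflict ... [mode mismatch: ...]` lines Stephan posted. It collects each package's claim about a path and flags which claims set the "others" read bit, i.e. would let any local user list the directory, which is the exposure Yamaban and Greg point at. The sample input is the thread's own output, embedded as a constant; the regexes assume the two-line format shown there.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed sample input: the rpm file-conflict lines quoted in the thread.
CONFLICT_OUTPUT = """\
found conflict of atftp-0.7.0-156.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
- /srv/tftpboot [mode mismatch: d750 tftp:tftp, d755 root:root]
found conflict of dnsmasq-2.65-5.1.x86_64 with kiwi-pxeboot-5.05.7-582.1.noarch:
- /srv/tftpboot [mode mismatch: d750 root:tftp, d755 root:root]
found conflict of kiwi-pxeboot-5.05.7-582.1.noarch with tftp-5.2-5.1.x86_64:
- /srv/tftpboot [mode mismatch: d755 root:root, d750 root:tftp]
"""
HEADER_RE = re.compile(r"^found conflict of (\S+) with (\S+):$")
MISMATCH_RE = re.compile(
    r"^- (\S+) \[mode mismatch: ([dl-]?[0-7]{3,4}) ([^:\s]+):([^\s,\]]+), "
    r"([dl-]?[0-7]{3,4}) ([^:\s]+):([^\s,\]]+)\]$"
)

@dataclass(frozen=True)
class FileSpec:
    package: str
    mode: int  # permission bits only, e.g. 0o750
    owner: str
    group: str

    def world_readable(self) -> bool:
        # "others" read bit set: any local user can list a directory with this mode
        return bool(self.mode & 0o004)

def parse_mode(text: str) -> int:
    # drop the file-type prefix ('d' for directory) and read the octal digits
    return int(text.lstrip("dl-"), 8)

def parse_conflicts(output: str) -> dict[str, set[FileSpec]]:
    claims: dict[str, set[FileSpec]] = {}
    packages = None  # (first, second) package named in the current conflict header
    for line in output.splitlines():
        if m := HEADER_RE.match(line):
            packages = (m.group(1), m.group(2))
        elif (m := MISMATCH_RE.match(line)) and packages:
            path, mode_a, own_a, grp_a, mode_b, own_b, grp_b = m.groups()
            claims.setdefault(path, set()).update({
                FileSpec(packages[0], parse_mode(mode_a), own_a, grp_a),
                FileSpec(packages[1], parse_mode(mode_b), own_b, grp_b)})
    return claims

def world_readable_claims(claims: dict[str, set[FileSpec]], path: str) -> list[str]:
    """Packages whose claim on `path` would let any local user list it."""
    return sorted(s.package for s in claims.get(path, ()) if s.world_readable())
```

On the thread's output this yields four distinct claims on /srv/tftpboot, of which only the kiwi-pxeboot one (d755 root:root) is world-readable.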
participants (4)
- Cristian Rodríguez
- Greg Freemyer
- Stephan Kulow
- Yamaban