Bug ID 1013565
Summary atftp daemon runs as root
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware x86-64
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter seroton10@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

A standard install of the atftpd package will run the daemon root, despite the
clear intentions (sysconfig file, and options passed in service unit) to have
it run as tftp.

This is problematic because it allows tftp clients to overwrite all files
served by atftpd, and to upload new ones, completely disregarding permissions
set on directories and files under /srv/tftpboot.

In my tests I let the service start via socket activation.

You are receiving this mail because: