http://bugzilla.opensuse.org/show_bug.cgi?id=1013565

Bug ID: 1013565
Summary: atftp daemon runs as root
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: seroton10@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

A standard install of the atftpd package will run the daemon as root, despite the clear intentions (sysconfig file, and options passed in service unit) to have it run as tftp.

This is problematic because it allows tftp clients to overwrite all files served by atftpd, and to upload new ones, completely disregarding permissions set on directories and files under /srv/tftpboot.

In my tests I let the service start via socket activation.
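
Added example, not part of the bug report or of the atftpd package: a shell check that a running daemon holds only the intended account's UID, reading all four UID fields from /proc. The process name atftpd and the account tftp come from the report; the function names are made up for this sketch.

```sh
#!/bin/sh
# Verify that a daemon's processes run only as the intended account (Linux /proc).

# Print "real effective saved filesystem" UIDs from a /proc/<pid>/status file.
status_uids() {
    awk '$1 == "Uid:" { print $2, $3, $4, $5; exit }' "$1"
}

# Return 0 only if all four UIDs equal the expected numeric UID.
# A process that changed just its effective UID keeps a saved UID of 0
# and can switch back to root, so every field has to match.
runs_only_as() {
    status_file=$1
    want_uid=$2
    uids=$(status_uids "$status_file")
    [ -n "$uids" ] || return 2          # unreadable or not a status file
    for uid in $uids; do
        [ "$uid" = "$want_uid" ] || return 1
    done
    return 0
}

# Check every process with the exact name against the expected user.
check_daemon() {
    name=$1
    user=$2
    want_uid=$(id -u "$user") || return 2
    rc=0
    found=0
    for pid in $(pgrep -x "$name"); do
        found=1
        if runs_only_as "/proc/$pid/status" "$want_uid"; then
            echo "OK   $name pid=$pid runs as $user"
        else
            echo "FAIL $name pid=$pid uids: $(status_uids "/proc/$pid/status"), expected $want_uid"
            rc=1
        fi
    done
    # Under socket activation no process exists until a client connects.
    [ "$found" -eq 1 ] || { echo "no $name process yet; send a request first"; return 3; }
    return $rc
}

# Usage: sh check.sh atftpd tftp
if [ "$#" -eq 2 ]; then
    check_daemon "$1" "$2"
fi
```

With a socket-activated service, run the check while a transfer is in progress or just after a request, since the daemon may exit again when idle.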