New subject: [Bug 1013565] atftp daemon runs as root

4 Dec 2016


      http://bugzilla.opensuse.org/show_bug.cgi?id=1013565
Bug ID: 1013565
           Summary: atftp daemon runs as root
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: x86-64
                OS: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: seroton10@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---
A standard install of the atftpd package will run the daemon root, despite the
clear intentions (sysconfig file, and options passed in service unit) to have
it run as tftp.
This is problematic because it allows tftp clients to overwrite all files
served by atftpd, and to upload new ones, completely disregarding permissions
set on directories and files under /srv/tftpboot.
In my tests I let the service start via socket activation.
-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1013565] New: atftp daemon runs as root