http://bugzilla.opensuse.org/show_bug.cgi?id=1013565
Bug ID: 1013565
Summary: atftp daemon runs as root
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: seroton10@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
A standard install of the atftpd package will run the daemon as root, despite the clear intentions (sysconfig file, and options passed in the service unit) to have it run as tftp.
This is problematic because it allows tftp clients to overwrite all files served by atftpd, and to upload new ones, completely disregarding permissions set on directories and files under /srv/tftpboot.
In my tests I let the service start via socket activation.
http://bugzilla.opensuse.org/show_bug.cgi?id=1013565#c2
--- Comment #2 from Olav Reinert seroton10@gmail.com ---
Assuming you want to preserve the sysconfig file and adhere to what's defined in it, I think there is no choice but to patch it to call setuid()/setgid() for the non-daemon mode. Environment variable substitution is only possible in "ExecStart=..." and its siblings, so adding "User=$ATFTPD_USER" to the service unit won't work.
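The privilege drop that comment #2 proposes for the non-daemon (socket-activated) path, as an added C example. This is not atftpd's code: the `drop_privileges` helper, the verification it performs afterwards and the default user name `tftp` in `main` are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop privileges to `user` (assumed helper, not atftpd code).
 *
 * Order matters:
 *   1. initgroups()  - replace root's supplementary groups (needs root)
 *   2. setgid()      - primary group, while still root
 *   3. setuid()      - last; after this no root-only call can succeed
 * Calling setuid() first would leave the process unable to change its
 * gid, so it would keep running with gid 0 and root's group memberships.
 *
 * Returns 0 when the process now runs as `user` and cannot regain root,
 * -1 (with errno set where a syscall failed) otherwise.
 */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* Only root may change supplementary groups; if the daemon was
     * already started as the target user there is nothing to replace. */
    if (geteuid() == 0 && initgroups(user, gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A correct drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* "tftp" is the user the sysconfig file intends (assumed default);
     * any other account name can be passed as argv[1]. */
    const char *user = argc > 1 ? argv[1] : "tftp";
    if (drop_privileges(user) != 0) {
        fprintf(stderr, "drop_privileges(%s): %s\n", user, strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root (as systemd would start the socket-activated daemon) and it ends up as the named user with no route back to uid 0; run it as an unprivileged user it can only "drop" to itself, which is why the supplementary-group step is skipped when the process is not root. The final checks are what a reviewer should look for in a patch of this kind: a successful return from setuid() alone does not prove the process is no longer root.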
http://bugzilla.opensuse.org/show_bug.cgi?id=1013565#c7
Andreas Stieger astieger@suse.com changed:
What          |Removed      |Added
----------------------------------------------------------------------------
Status        |IN_PROGRESS  |RESOLVED
CC            |             |astieger@suse.com
Resolution    |---          |FIXED
--- Comment #7 from Andreas Stieger astieger@suse.com ---
releasing
http://bugzilla.opensuse.org/show_bug.cgi?id=1013565#c9
--- Comment #9 from OBSbugzilla Bot bwiedemann+obsbugzillabot@suse.com ---
This is an autogenerated message for OBS integration:
This bug (1013565) was mentioned in
https://build.opensuse.org/request/show/902297 15.3 / atftp
https://build.opensuse.org/request/show/902298 Backports:SLE-15-SP2 / atftp