On Wed, Apr 10, 2013 at 5:23 PM, Cristian Rodríguez
El 10/04/13 18:14, Yamaban escribió:
root:root and we drop any capability or limit access via systemd units.
Well, either "d755 root:root": everybody on the machine can read the dir, or "d750 root:tftp": tftp can read, others not, that way closes some avenues of risks.
IMHO, from the sec. aspect, "d750 root:tftp" should be prefered.
tftp is an insecure protocol and hence no secret or sensitive information should live in /srv/tftpboot and reading the directory contents should not be a problem.
iI I want to look at the directory contents I can just tftp to localhost as the protocol does not have authentication at all.
Per Wiki: Trivial File Transfer Protocol (TFTP) is a simple protocol to transfer files. It has been implemented on top of the User Datagram Protocol (UDP) using port number 69. TFTP is designed to be small and easy to implement, and therefore it lacks most of the features of a regular FTP. TFTP only reads and writes files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication. Note: "It cannot list directories" If that is true, then "d755 root:root" is a security hole. That fits my experience that tftp clients have to know the path of what they want. No browsing allowed. Greg -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org