From babolo@links.ru  Thu Sep 14 09:47:38 2000
Return-Path: <babolo@links.ru>
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37])
	by hub.freebsd.org (Postfix) with ESMTP id 6939137B424
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Sep 2000 09:47:37 -0700 (PDT)
Received: (from babolo@localhost)
	by aaz.links.ru (8.9.3/8.9.3) id UAA14159;
	Thu, 14 Sep 2000 20:47:36 +0400 (MSD)
Message-Id: <200009141647.UAA14159@aaz.links.ru>
Date: Thu, 14 Sep 2000 20:47:36 +0400 (MSD)
From: "Aleksandr A. Babaylov" <babolo@links.ru>
Reply-To: .@babolo.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: tftpd security improvement
X-Send-Pr-Version: 3.2

>Number:         21268
>Category:       bin
>Synopsis:       [MFC] user set no nobody is not good
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 14 09:50:01 PDT 2000
>Closed-Date:    Tue May 29 08:09:44 PDT 2001
>Last-Modified:  Tue May 29 08:10:35 PDT 2001
>Originator:     Aleksandr A. Babaylov
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
home
>Environment:

FreeBSD with tftpd service configured in

>Description:
tftpd with the -s flag always changes user to nobody.
So every file written by tftpd must be world writable
(or worse, have user id nobody).
Changing the user to some other one helps: you can have the files written
by tftpd belong to some specific user (pseudouser) and not be writable
by everyone.
I understand that such a configuration hides the fact that files
to be written by tftpd are world writable, if tftpd is not wrapped.
But when access to tftpd is restricted, for example only to
your cisco router, and access to the cisco router is restricted too,
then the overall security of the system will be higher if the tftpd user is set
to something other than nobody.
Another thing: the size of a file written by a cisco router is restricted
by the memory of the router.
Similarly for read restrictions.
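The chroot-then-change-user sequence this report relies on, written out as an added example (it is not the PR's patch nor FreeBSD's tftpd code): like the patch it does the passwd lookup before chroot(2), and in addition it refuses an account with uid 0 and checks that the privilege drop cannot be reverted. The function names resolve_unprivileged_user and chroot_and_drop, the tftp account and the /tftpboot directory are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1            /* setgroups(2) prototype on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

/* Resolve the -u account before chroot(2), while /etc/passwd is still visible.
 * Unlike the patch, refuse uid 0: "-u root" must not yield a privileged chroot. */
int resolve_unprivileged_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        syslog(LOG_ERR, "%s: no such user", name);
        return -1;
    }
    if (pw->pw_uid == 0) {
        syslog(LOG_ERR, "%s: refusing to run chrooted as uid 0", name);
        return -1;
    }
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* chroot(2) into dir, then drop groups, gid and uid (in that order, since the
 * first two need root), and prove the drop stuck: setuid(0) must now fail. */
int chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;              /* still root here: caller must exit */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

/* Stand-alone demo: ./a.out /tftpboot tftp (the chroot step needs root). */
int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc != 3) { fprintf(stderr, "usage: %s dir user\n", argv[0]); return 2; }
    openlog("tftpd-demo", LOG_PID | LOG_PERROR, LOG_FTP);
    if (resolve_unprivileged_user(argv[2], &uid, &gid) != 0) return 1;
    if (chroot_and_drop(argv[1], uid, gid) != 0) { perror("chroot_and_drop"); return 1; }
    printf("chrooted to %s, running as uid %u\n", argv[1], (unsigned)uid);
    return 0;
}
```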


>How-To-Repeat:

See /usr/src/libexec/tftpd

>Fix:

--- libexec/tftpd/tftpd.c	Sat Aug 28 04:10:26 1999
+++ libexec/tftpd/tftpd.c	Tue Sep 12 21:34:52 2000
@@ -121,9 +121,10 @@
 	struct sockaddr_in sin;
 	char *chroot_dir = NULL;
 	struct passwd *nobody;
+	char *chuser = "nobody";
 
 	openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
-	while ((ch = getopt(argc, argv, "lns:")) != -1) {
+	while ((ch = getopt(argc, argv, "lns:u:")) != -1) {
 		switch (ch) {
 		case 'l':
 			logging = 1;
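Review bot: with `-u` in place, the variable `struct passwd *nobody` no longer necessarily holds the nobody account, so its name misleads in the chroot block that uses it; renaming it (for example to `pw`) next to the new `chuser` would keep the intent readable. `chuser` only ever points at a string literal or `optarg` and is never written through, so `const char *chuser = "nobody";` is the more accurate declaration.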
@@ -134,6 +135,9 @@
 		case 's':
 			chroot_dir = optarg;
 			break;
+		case 'u':
+			chuser = optarg;
+			break;
 		default:
 			syslog(LOG_WARNING, "ignoring unknown option -%c", ch);
 		}
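Review bot: `-u` is accepted here unconditionally, but its value is only consulted inside the `if (chroot_dir)` branch, so `tftpd -u someuser` without `-s` silently keeps whatever credentials inetd started the daemon with. Either emit a `syslog(LOG_WARNING, ...)` when `chuser` was given and `chroot_dir` is NULL, or have the man page state plainly that `-u` is ignored without `-s`.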
@@ -226,8 +230,8 @@
 	 */
 	if (chroot_dir) {
 		/* Must get this before chroot because /etc might go away */
-		if ((nobody = getpwnam("nobody")) == NULL) {
-			syslog(LOG_ERR, "nobody: no such user");
+		if ((nobody = getpwnam(chuser)) == NULL) {
+			syslog(LOG_ERR, "%s: no such user", chuser);
 			exit(1);
 		}
 		if (chroot(chroot_dir)) {
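Review bot: the lookup rightly stays before `chroot()`, but nothing rejects an account whose `pw_uid` is 0, so a misconfiguration such as `-u root` (or a site account that happens to share uid 0) leaves the chrooted daemon fully privileged, which is worse than the old hard-coded nobody. Add a check on the success path, e.g. `if (nobody->pw_uid == 0) { syslog(LOG_ERR, "%s: refusing to run as uid 0", chuser); exit(1); }`.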
--- tftpd.8	Sun Aug 29 03:08:19 1999
+++ tftpd.8	Thu Sep 14 19:54:52 2000
@@ -44,6 +44,7 @@
 .Op Fl l
 .Op Fl n
 .Op Fl s Ar directory
+.Op Fl u Ar user
 .Op Ar directory ...
 .Sh DESCRIPTION
 .Nm Tftpd
@@ -100,7 +101,9 @@
 .Nm
 as root.  However, if you chroot, then
 .Nm
-will set its user id to nobody.
+will set its user id to nobody or
+.Fl u
+argument.
 .Pp
 The options are:
 .Bl -tag -width Ds
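Review bot: "will set its user id to nobody or .Fl u argument" reads awkwardly and leaves the precedence unclear; say what is meant, e.g. "will set its user id to that of the user named with .Fl u , or to nobody if .Fl u is not given".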
@@ -119,7 +122,12 @@
 to chroot to
 .Pa directory
 before accepting commands.  In addition, the user id is set to
-nobody.
+nobody or argument of
+.Fl u .
+.It Fl u Ar user
+User name instead of nobody if
+.Fl s
+used.
 .Pp
 If you are not running
 .Fl s ,
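Review bot: the new `.It Fl u Ar user` entry does not say that `-u` has no effect unless `-s` is also given, nor that the argument is a user name looked up with getpwnam(3) rather than a numeric uid; both are things an administrator will trip over, so state them here, and "User name instead of nobody if .Fl s used." needs a verb ("Use .Ar user instead of nobody when .Fl s is given").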

>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: babolo@links.ru
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/21268: tftpd security improvement
Date: Thu, 14 Sep 2000 13:05:00 -0400 (EDT)

 <<On Thu, 14 Sep 2000 20:47:36 +0400 (MSD), "Aleksandr A. Babaylov" <babolo@links.ru> said:
 
 > Change user to some another helps - you can have files for write
 > by tftpd belongs to some specific user (psevdouser) and be not writable
 > by everyone.
 
 I agree with this patch (with a few changes in wording).  If it passes
 muster with the security gods, I'd go for it.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
 

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: "Aleksandr A.Babaylov" <babolo@links.ru>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/21268: tftpd security improvement
Date: Thu, 14 Sep 2000 13:19:44 -0400 (EDT)

 <<On Thu, 14 Sep 2000 21:16:56 +0400 (MSD), "Aleksandr A.Babaylov" <babolo@links.ru> said:
 
 > Is it useful to reserve uid tftp?
 
 No, I don't think so.  There are too many ``optional'' reserved UIDs
 as it is, and many sites will have no need for this feature.
 
 -GAWollman
 
 
State-Changed-From-To: open->feedback 
State-Changed-By: wollman 
State-Changed-When: Thu Sep 14 10:22:30 PDT 2000 
State-Changed-Why:  
Waiting for feedback from SO as to any security implications which need to 
be addressed before committing. 


Responsible-Changed-From-To: freebsd-bugs->security-officer 
Responsible-Changed-By: wollman 
Responsible-Changed-When: Thu Sep 14 10:22:30 PDT 2000 
Responsible-Changed-Why:  
Experiment to see if this will work as a way to request security reviews. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21268 

From: <wollman@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/21268
Date: Thu, 14 Sep 2000 11:04:40 -0700 (PDT)

 Here is my current diff for the man page.
 
 Index: tftpd.8
 ===================================================================
 RCS file: /home/ncvs/src/libexec/tftpd/tftpd.8,v
 retrieving revision 1.6
 diff -u -r1.6 tftpd.8
 --- tftpd.8	1999/08/28 23:08:19	1.6
 +++ tftpd.8	2000/09/14 17:59:07
 @@ -41,16 +41,16 @@
  Internet Trivial File Transfer Protocol server
  .Sh SYNOPSIS
  .Nm /usr/libexec/tftpd
 -.Op Fl l
 -.Op Fl n
 +.Op Fl ln
  .Op Fl s Ar directory
 +.Op Fl u Ar user
  .Op Ar directory ...
  .Sh DESCRIPTION
  .Nm Tftpd
  is a server which supports the
  Internet Trivial File Transfer
 -Protocol (\c
 -.Tn RFC 783).
 +Protocol
 +.Pq Tn RFC 1350 .
  The
  .Tn TFTP
  server operates
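Review bot: the reference change is correct, RFC 1350 obsoletes RFC 783 as the TFTP revision 2 specification; collapsing `.Op Fl l` and `.Op Fl n` into `.Op Fl ln` is fine since both are plain flags and the order matches the option list below.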
 @@ -90,25 +90,39 @@
  The given directories are also treated as a search path for 
  relative filename requests.
  .Pp
 -The chroot option provides additional security by restricting access
 -of
 -.Nm
 -to only a chroot'd file system.  This is useful when moving
 -from an OS that supported
 +The 
  .Fl s
 -as a boot server.  Because chroot is restricted to root, you must run
 -.Nm
 -as root.  However, if you chroot, then
 -.Nm
 -will set its user id to nobody.
 +option provides additional security by changing 
 +.Nm tftpd Ns No 's
 +root directory, thereby prohibiting accesses outside of the specified
 +.Ar directory .
 +Because
 +.Xr chroot 2
 +requires super-user privileges,
 +.Nm
 +must be run as root.
 +However, after performing the
 +.Fn chroot ,
 +.Nm
 +will set its user id to that of the specified
 +.Ar user ,
 +or
 +.Dq nobody
 +if no
 +.Fl u
 +option is specified.
  .Pp
  The options are:
  .Bl -tag -width Ds
  .It Fl l
  Log all requests using
  .Xr syslog 3 
 -with the facility of LOG_FTP.  Note: Logging of LOG_FTP messages
 -will also need to be enabled in the syslog configuration file 
 +with the facility of 
 +.Dv LOG_FTP .
 +Note: Logging of
 +.Dv LOG_FTP
 +messages
 +must also be enabled in the syslog configuration file,
  .Xr syslog.conf 5 .
  .It Fl n
  Suppress negative acknowledgement of requests for nonexistent
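Review bot: "will set its user id to that of the specified .Ar user" is only a security improvement when that name resolves to a non-zero uid; as the code under review stands, `-u root` is accepted, so either this paragraph should state that the named account must be unprivileged or the code should enforce it. Otherwise the rewritten `.Fl s` description is a clear improvement over the old "moving from an OS" wording.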
 @@ -116,23 +130,32 @@
  .It Fl s Ar directory
  Cause
  .Nm
 -to chroot to
 -.Pa directory
 -before accepting commands.  In addition, the user id is set to
 -nobody.
 -.Pp
 -If you are not running
 -.Fl s ,
 -no user id change will be
 -attempted.  You should not run
 -.Nm
 -as root unless you are using
 -.Fl s .
 +to change its root directory to
 +.Pa directory .
 +After changing roots but before accepting commands,
 +.Nm
 +will switch credentials to an unprivileged user.
 +.It Fl u Ar user
 +Switch credentials to
 +.Ar user
 +(default
 +.Dq nobody )
 +when the
 +.Fl s
 +option is used.
 +The user must be specified by name, not a numeric UID.
  .El
  .Sh SEE ALSO
  .Xr tftp 1 ,
 +.Xr chroot 2 ,
  .Xr inetd 8 ,
  .Xr syslogd 8
 +.Rs
 +.%A K. R. Sollins
 +.%T The TFTP Protocol (Revision 2)
 +.%D July 1992
 +.%O RFC 1350, STD 33
 +.Re
  .Sh HISTORY
  The
  .Nm
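Review bot: the removed sentences "If you are not running .Fl s , no user id change will be attempted" and "You should not run .Nm as root unless you are using .Fl s" were useful operational warnings; the replacement describes `-s` and `-u` but no longer tells the reader that without `-s` there is no credential switch at all and `-u` is ignored, so keep a sentence to that effect under `.It Fl u`. "will switch credentials to an unprivileged user" under `.Fl s` is also only true if the `-u` name is unprivileged. The added "must be specified by name, not a numeric UID" line is right given the getpwnam(3) lookup, and the `.Rs` block for RFC 1350 is a welcome addition.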
 

From: Warner Losh <imp@village.org>
To: wollman@freebsd.org
Cc: freebsd-bugs@freebsd.org, security-officer@freebsd.org
Subject: Re: bin/21268: user set no nobody is not good 
Date: Thu, 14 Sep 2000 11:35:22 -0600

 In message <200009141724.KAA66988@freefall.freebsd.org> wollman@FreeBSD.org writes:
 : Synopsis: user set no nobody is not good
 : Experiment to see if this will work as a way to request security reviews.
 
 Short answer:
 	Looks Good.  Man page wording needs work.
 
 Long Answer:
 	This fix appears to have no security implications.  It doesn't
 	change the default behavior and gives administrators of tftp
 	servers additional flexibility.  There is a potential for
 	abuse, but that abuse is easy to cure.  It exposes no new
 	external user controllable parameters to the system, so
 	doesn't introduce a new vector of attack.  Improperly setup
 	systems may be impacted, but that's no worse than before.  A
 	tftpd user might not be a bad idea, and maybe the man page
 	should suggest this, but this level of need doesn't rise to
 	the level of requiring it on all systems.
 
 	The man page wording is awkward.  Sadly, I don't have a
 	suggestion for a better wording.
 
 Now, what the heck do I do?  Reassign it back to wollman so he can be
 responsible for committing the changes?  Wait for others on the SO
 team to look at this?  For now I'll do nothing.
 
 Warner
 
 
State-Changed-From-To: feedback->suspended 
State-Changed-By: wollman 
State-Changed-When: Thu Sep 14 12:09:33 PDT 2000 
State-Changed-Why:  
Change accepted in rev. 1.16; awaiting MFC. 


Responsible-Changed-From-To: security-officer->freebsd-bugs 
Responsible-Changed-By: wollman 
Responsible-Changed-When: Thu Sep 14 12:09:33 PDT 2000 
Responsible-Changed-Why:  
Warner did the review. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21268 
State-Changed-From-To: suspended->closed 
State-Changed-By: dwmalone 
State-Changed-When: Tue May 29 08:09:44 PDT 2001 
State-Changed-Why:  
tftpd in -current and -stable are almost identical, so I think the 
merge has been done. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21268 
>Unformatted:
