Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.1 6/24/83 SMI; site sun.uucp Path: utzoo!watmath!clyde!floyd!harpo!decvax!decwrl!sun!shannon From: shannon@sun.uucp (Bill Shannon) Newsgroups: net.bugs.4bsd Subject: SECURITY HOLE in tftpd Message-ID: <566@sun.uucp> Date: Wed, 7-Mar-84 18:36:55 EST Article-I.D.: sun.566 Posted: Wed Mar 7 18:36:55 1984 Date-Received: Thu, 8-Mar-84 19:38:29 EST Organization: Sun Microsystems, Inc. Lines: 21 Subject: tftpd doesn't check file permissions properly Index: etc/tftpd.c 4.2BSD Description: The tftp daemon runs as root and is only supposed to let you access files with public read. However, it only checks the file itself, not the path to the file. Repeat-By: chmod 700 /sys tftp localhost get /sys/sys/tty.c Fix: I fixed it by doing a setgid(-2), setuid(-2) before checking access permissions. It's hard to check the entire path by hand because of symbolic links; you really have to run as someone who will only have public permission to the file. -2/-2 is not guaranteed to be restrictive enough, but it was a quick fix. Perhaps a uid/gid should be reserved for this purpose. Sorry, no diff of the fix. Our tftpd has changed far too much for other reasons for it to be useful.