SuSE Linux: All versions
/etc/inetd.conf.
If you do not have it yet, copy /etc/inetd.conf.secure to /etc/inetd.conf.
If no /etc/inetd.conf.secure is available in your system, /etc/inetd.conf is already the secure version.
Secure means that the daemons are not started directly but through /usr/sbin/tcpd, the wrapper daemon.
This daemon uses /etc/hosts.allow and /etc/hosts.deny to determine which remote hosts can address which services.
Refer to the hosts_access man pages (command `man 5 hosts_access') to find out how /etc/hosts.allow and /etc/hosts.deny have to be configured for the proper configuration of the secure version of /etc/inetd.conf.
Regarding tftp itself, the following line in /etc/inetd.conf:
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftp
must be changed to:
tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
/tftpboot is the only directory from which data can be retrieved via tftp.
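The two settings above can be checked mechanically. The following script is an added example, not part of the original article or of SuSE's tools: it reports inetd.conf entries that are not started through /usr/sbin/tcpd, and tftp entries that do not run as nobody or lack a directory argument. The function names, the finding labels, the sample entries and the exemption for inetd's "internal" services are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit inetd.conf for the two settings described above.
# Usage: audit_inetd_conf /etc/inetd.conf   (reads stdin if no file is given)
audit_inetd_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        service = $1; user = $5; server = $6
        sub(/[.:].*/, "", user)            # drop an optional group suffix
        if (server == "internal") next     # inetd built-in, no daemon is started
        if (server != "/usr/sbin/tcpd")
            printf "NOT-WRAPPED %s (line %d): starts %s directly\n", service, NR, server
        if (service == "tftp") {
            if (user != "nobody")
                printf "TFTP-USER (line %d): runs as %s, expected nobody\n", NR, user
            # Fields 8 and up are the daemon arguments; one must be a directory path.
            dirs = 0
            for (i = 8; i <= NF; i++) if ($i ~ /^\//) dirs++
            if (dirs == 0)
                printf "TFTP-NODIR (line %d): no directory argument\n", NR
        }
    }' "${1:--}"
}

# Constructed sample input, not taken from a real system.
sample_conf() {
    cat <<'EOF'
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftp
ftp    stream tcp nowait root   /usr/sbin/tcpd       in.ftpd
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
time   stream tcp nowait root   internal
tftp   dgram  udp wait   root   /usr/sbin/tcpd       /usr/sbin/in.tftpd
EOF
}

sample_conf | audit_inetd_conf
```

An empty result means every active entry goes through tcpd and the tftp entry matches the corrected line shown above.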
Since tcpd starts /usr/sbin/in.tftpd as user nobody (which is absolutely necessary because tftp does not require a password), the rights for /usr/sbin/in.tftpd must still be changed. Set them correctly with the command:
chmod 755 /usr/sbin/in.tftpd
The following applies for the use of tftp:
The daemon /usr/sbin/in.tftpd only accepts tftp requests containing file entries that fulfill the following criteria:
/tftpboot (or a different string specified as argument in /etc/inetd.conf)
/../ (for security purposes)
DNS or is listed in /etc/hosts.
/../.
For further information on in.tftp daemons, refer to the corresponding man pages.