tftp daemon running under dedicated 'tftp' user


Hope I'm in the correct place to ask a question like this. Having trouble re-configuring the tftp server on my RHEL 5.8 system. We need to enable tftp on this system in order for an external box to download its firmware, no other option from that vendor to set up their box.

Initial setup with this /etc/xinetd.d/tftp config was fine:

service tftp
{
        disable = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}


The vendor box is able to tftp its files just fine, and I can do a manual tftp client call from a RHEL 4 box on this network to get files. The /tftpboot directory itself is 0777, files within it are 0555.

Our RHEL 5.8 server needs to adhere to the "Red Hat Enterprise Linux 5 Security Technical Implementation Guide" put out by DISA, and GEN005120 stipulates that the "user" parameter in the config file must not be 'root', it must be a dedicated user. They recommend creating a new 'tftp' user, that has a /bin/false shell. I created such a user and it has these entries in the /etc/passwd and /etc/group files:


Updated the tftp config file in /etc/xinetd.d and changed "user" field from 'root' to 'tftp'. Restarted the daemon. Now when trying to tftp a file to my RHEL 4 box, I see the messages file declare

Jan 21 13:08:45 RIWFSysAftServe in.tftpd[19062]: cannot set groups for user nobody
Jan 21 13:08:45 RIWFSysAftServe xinetd[19049]: START: tftp pid=19061 from=
Jan 21 13:08:50 RIWFSysAftServe in.tftpd[19063]: cannot set groups for user nobody

and the session exits. From reading other articles I have seen that I may need to start the daemon as the tftp user. Changed the tftp config file line for server_args to

        server_args             = -s /tftpboot -vvv -u tftp

A tftp attempt from the RHEL 4 machine now results in

Jan 21 13:35:26 RIWFSysAftServe xinetd[20223]: START: tftp pid=20225 from=
Jan 21 13:35:26 RIWFSysAftServe in.tftpd[20226]: cannot set groups for user tftp

(line "cannot set groups" always displays 5 times before attempt is aborted).

Next tried making sure files in /tftpboot were owned and group-owned by 'tftp' and tried again. Same results.

I'm probably missing something small here. I've searched on the web quite a bit for this "cannot set groups" error and haven't found anything that helps. Some people say run server as 'root' (which again does work, but won't be accepted by our end customer), others say run it as user 'nobody' and chown the files in /tftpboot to match. We're never trying to 'put' files onto the RHEL 5 server running the tftp daemon, only retrieve them.

Thanks for any help/advice.


There seems to be some confusion about what the `user = root` part of the xinetd config file means -- whether that is on the part of the DISA guide or the people interpreting its directives, I'm not sure.

The STIG I've looked at doesn't say anything about changing the above ^^ ... it simply implies passing `-u yourtftpuser` as server_args.

Thanks for looking at this. I'm using the "Red Hat Enterprise Linux 5 Security Technical Implementation Guide Version: 1 Release: 1 2 Aug 2012" and for finding GEN005120 part of what it states is


# grep user /etc/xinetd.d/tftp
If the returned line indicates a user other than the dedicated "tftp" user, this is a finding.


Create a dedicated "tftp" user account if none exists.
Assign a non-login shell to the "tftp" user account, such as /bin/false.
Assign a home directory to the "tftp" user account.
Edit /etc/xinetd.d/tftp to have "tftp" as the value of the "user" parameter.

------------End of GEN005120------------
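The two replies disagree about where the dedicated user belongs: GEN005120 checks the xinetd "user" parameter, while the reply above says the STIG's intent is the in.tftpd `-u tftp` switch. A small audit that reports both separately makes the difference visible. This is an added example, not from the thread or the STIG; the two stanzas are constructed from the configuration posted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread): audit an xinetd tftp stanza for
# (a) the GEN005120 check on the "user" parameter and
# (b) whether server_args pass "-u tftp" so in.tftpd drops privileges itself.

# Constructed sample: the original stanza, running as root.
STANZA_ROOT='service tftp
{
        disable = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
}'

# Constructed sample: the stanza after both changes discussed in the thread.
STANZA_TFTP='service tftp
{
        disable = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = tftp
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot -vvv -u tftp
}'

# xinetd_value STANZA KEY
# Print the value of KEY from an xinetd stanza, with surrounding whitespace
# stripped; prints nothing if the key is absent.
xinetd_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | sed 's/[[:space:]]*$//' \
      | head -n 1
}

# tftp_user_check STANZA
# The literal GEN005120 check: exit 0 when "user" is the dedicated tftp user,
# otherwise print the finding and exit 1.
tftp_user_check() {
    user=$(xinetd_value "$1" user)
    if [ "$user" = "tftp" ]; then
        echo "OK: xinetd user parameter is 'tftp'"
        return 0
    fi
    echo "FINDING GEN005120: xinetd user parameter is '${user:-unset}', expected 'tftp'"
    return 1
}

# tftpd_drops_privileges STANZA
# Exit 0 when server_args contain "-u tftp" (in.tftpd switching to the
# dedicated user itself), exit 1 otherwise.
tftpd_drops_privileges() {
    args=$(xinetd_value "$1" server_args)
    case " $args " in
        *" -u tftp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: report on both constructed stanzas.
for s in "$STANZA_ROOT" "$STANZA_TFTP"; do
    echo "--- stanza with user = $(xinetd_value "$s" user)"
    tftp_user_check "$s" || true
    if tftpd_drops_privileges "$s"; then
        echo "OK: server_args pass '-u tftp'"
    else
        echo "NOTE: server_args do not pass '-u tftp'"
    fi
done
```

Run against the real file with `tftp_user_check "$(cat /etc/xinetd.d/tftp)"`; the two functions are kept separate so that a stanza can be scored against the STIG text and against the `-u` reading independently, which is exactly the distinction the replies are arguing over.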


This may well be an issue with the DISA guide. Can I ask which STIG you were looking at?




In RHEL 7.4, the /etc/xinetd.d/tftp configuration file is ignored by systemd. To modify the tftp daemon settings you have to modify the systemd startup script /usr/lib/systemd/system/tftp.service. Here's an example from my system:

ExecStart=/usr/sbin/in.tftpd -s /tftpboot -vvv -u tftp

Note that the stock systemd configuration file won't properly run at boot using the standard "systemctl enable tftp". You have to add the following line before enabling it:


Note that my tftp home directory is /tftpboot and I created a user and group named tftp:

groupadd tftp
useradd -c "TFTP User" -d /tftpboot -g tftp -M
mkdir /tftpboot
chown tftp.tftp /tftpboot
systemctl daemon-reload
systemctl enable xinetd
systemctl enable tftp
systemctl start xinetd
systemctl start tftp
ps -ef | grep tftp