tftp daemon running under dedicated 'tftp' user


Hope I'm in the correct place to ask a question like this. Having trouble re-configuring the tftp server on my RHEL 5.8 system. We need to enable tftp on this system in order for an external box to download its firmware, no other option from that vendor to set up their box.

Initial setup with this /etc/xinetd.d/tftp config was fine:

service tftp
{
        # service is enabled
        disable = no
        # TFTP runs over UDP; a single server instance handles the socket
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        # account xinetd starts in.tftpd as
        user                    = root
        server                  = /usr/sbin/in.tftpd
        # -s: serve only from /tftpboot (in.tftpd changes root to it)
        server_args             = -s /tftpboot
        # at most 11 concurrent instances per source IP
        per_source              = 11
        # rate limit: 100 connections/s, then pause 2 s
        cps                     = 100 2
        flags                   = IPv4
}


The vendor box is able to tftp its files just fine, and I can do a manual tftp client call from a RHEL 4 box on this network to get files. The /tftpboot directory itself is 0777, files within it are 0555.

Our RHEL 5.8 server needs to adhere to the "Red Hat Enterprise Linux 5 Security Technical Implementation Guide" put out by DISA, and GEN005120 stipulates that the "user" parameter in the config file must not be 'root'; it must be a dedicated user. They recommend creating a new 'tftp' user that has a /bin/false shell. I created such a user and it has these entries in the /etc/passwd and /etc/group files:

/etc/passwd:  tftp:x:156:157::/tftpboot:/bin/false
/etc/group:   tftp:x:157:

I updated the tftp config file in /etc/xinetd.d and changed the "user" field from 'root' to 'tftp', then restarted the daemon. Now when trying to tftp a file to my RHEL 4 box, I see the messages file declare

Jan 21 13:08:45 RIWFSysAftServe in.tftpd[19062]: cannot set groups for user nobody
Jan 21 13:08:45 RIWFSysAftServe xinetd[19049]: START: tftp pid=19061 from=192.168.10.17
Jan 21 13:08:50 RIWFSysAftServe in.tftpd[19063]: cannot set groups for user nobody

and the session exits. From reading other articles I have seen that I may need to start the daemon as the tftp user, so I changed the server_args line in the tftp config file to

        server_args             = -s /tftpboot -vvv -u tftp

A tftp attempt from the RHEL 4 machine now results in

Jan 21 13:35:26 RIWFSysAftServe xinetd[20223]: START: tftp pid=20225 from=192.168.10.17
Jan 21 13:35:26 RIWFSysAftServe in.tftpd[20226]: cannot set groups for user tftp

(The line "cannot set groups" always displays 5 times before the attempt is aborted.)

Next I tried making sure the files in /tftpboot were owned and group-owned by 'tftp' and tried again. Same results.

I'm probably missing something small here. I've searched on the web quite a bit for this "cannot set groups" error and haven't found anything that helps. Some people say run server as 'root' (which again does work, but won't be accepted by our end customer), others say run it as user 'nobody' and chown the files in /tftpboot to match. We're never trying to 'put' files onto the RHEL 5 server running the tftp daemon, only retrieve them.

thanks for any help/advice.

Responses

There seems to be some confusion about what the `user = root` part of the xinetd config file means -- whether that is on the part of the DISA guide or the people interpreting its directives, I'm not sure.

The STIG I've looked at doesn't say anything about changing the above ^^ ... it simply implies passing `-u yourtftpuser` as server_args.

Thanks for looking at this. I'm using the "Red Hat Enterprise Linux 5 Security Technical Implementation Guide Version: 1 Release: 1 2 Aug 2012", and for finding GEN005120 part of what it states is

------------GEN005120------------

# grep user /etc/xinetd.d/tftp
If the returned line indicates a user other than the dedicated "tftp" user, this is a finding.


Procedure:
Create a dedicated "tftp" user account if none exists.
Assign a non-login shell to the "tftp" user account, such as /bin/false.
Assign a home directory to the "tftp" user account.
Edit /etc/xinetd.d/tftp to have "tftp" as the value of the "user" parameter.

------------End of GEN005120------------

This may well be an issue with the DISA guide. Can I ask which STIG you were looking at?

 

thanks.
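The two readings of GEN005120 in this thread (set xinetd's "user" to tftp, or keep xinetd on root and pass "-u tftp" to in.tftpd) can be laid side by side with a small check script. The following is an added example, not from the original post, from DISA or from Red Hat: it writes three constructed xinetd stanzas (the poster's root config, the same config with "-u tftp" appended as the first reply suggests, and the user = tftp plus -u tftp variant the poster ended up with), then runs the literal GEN005120 check ("grep user /etc/xinetd.d/tftp") on each and also reports which account "-u" names. All paths and stanzas are samples; in.tftpd's "-u" option and its default of "nobody" are tftp-hpa behaviour. The reason stanza C fails at run time, as I read it, is that setgroups(2) needs root: once xinetd has already started in.tftpd as 'tftp', in.tftpd's own privilege drop (to "nobody" by default, to "tftp" with -u) cannot succeed, which is exactly the "cannot set groups for user ..." message in the log.

```shell
#!/bin/sh
# Added example, not from the original post or from DISA: run the GEN005120
# check ("grep user /etc/xinetd.d/tftp") against three constructed xinetd
# stanzas and also report which account in.tftpd is told to drop to via
# "-u" in server_args. All three stanzas and paths below are samples.

WORK=${TMPDIR:-/tmp}/xinetd-tftp-check.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stanza A: the poster's working config, in.tftpd started as root by xinetd.
ROOT_CONF="$WORK/tftp-root"
cat >"$ROOT_CONF" <<'EOF'
service tftp
{
        disable                 = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
EOF

# Stanza B: xinetd still starts in.tftpd as root, and in.tftpd drops to the
# dedicated account itself via "-u tftp" (the first reply's reading of the STIG).
DROP_CONF="$WORK/tftp-drop"
sed 's|^\([[:space:]]*server_args[[:space:]]*=.*\)|\1 -u tftp|' "$ROOT_CONF" >"$DROP_CONF"

# Stanza C: what the poster ended up with, user = tftp plus -u tftp.
STRICT_CONF="$WORK/tftp-strict"
sed 's|^\([[:space:]]*user[[:space:]]*=[[:space:]]*\)root|\1tftp|' "$DROP_CONF" >"$STRICT_CONF"

# tftp_user FILE: the account xinetd starts the server as ("unset" if absent).
tftp_user() {
    v=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    echo "${v:-unset}"
}

# tftp_drop_user FILE: the account named by "-u" in server_args ("none" if absent).
tftp_drop_user() {
    v=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=.*[[:space:]]-u[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1")
    echo "${v:-none}"
}

# gen005120 FILE: the literal STIG check, "pass" only when user = tftp.
gen005120() {
    if [ "$(tftp_user "$1")" = tftp ]; then echo pass; else echo finding; fi
}

for f in "$ROOT_CONF" "$DROP_CONF" "$STRICT_CONF"; do
    printf '%-12s user=%-6s -u=%-6s GEN005120=%s\n' \
        "$(basename "$f")" "$(tftp_user "$f")" "$(tftp_drop_user "$f")" "$(gen005120 "$f")"
done
```

Run as-is, the report shows the gap the thread is about: the literal check passes only for stanza C, which is the configuration that produced "cannot set groups for user tftp" on the poster's box, and flags stanza B as a finding even though it is the one where in.tftpd actually gets to drop to 'tftp'. The check reads the config file, not the running process, so after editing /etc/xinetd.d/tftp to satisfy an auditor, confirm with a real transfer from a client that in.tftpd still serves files.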
