<refentry id="tftpd">

<refmeta>
<refentrytitle>tftpd</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>iputils-&snapshot;</refmiscinfo>
</refmeta>

<refnamediv>
<refname>tftpd</refname>
<refpurpose>Trivial File Transfer Protocol server</refpurpose>
</refnamediv>

<refsynopsisdiv>
<cmdsynopsis>
<command>tftpd</command>
<arg choice="req"><replaceable/directory/</arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1><title>DESCRIPTION</title>
<para>
<command/tftpd/ is a server which supports the DARPA
Trivial File Transfer Protocol
(<ulink url="http://tools.ietf.org/rfc/rfc1350.txt">RFC1350</ulink>).
The TFTP server is started
by <citerefentry><refentrytitle/inetd/<manvolnum/8/</citerefentry>.
</para>

<para>
<replaceable/directory/ is a required argument; if it is not given,
<command/tftpd/ aborts. This path is prepended to any file name requested
via the TFTP protocol, effectively chrooting <command/tftpd/ to this directory.
File names are validated so that they do not escape this directory; however,
the administrator may configure such an escape using symbolic links.
</para>

<para>
This differs from the variants of <command/tftpd/ usually distributed
with Unix-like systems, which take a list of directories and require
file names to start with one of the given prefixes, or with some random
default when no arguments are given. There are two reasons not to
behave in this way. First, it is inconvenient: clients are not expected
to know anything about the layout of the filesystem on the server host.
Second, the TFTP protocol is not a tool for browsing the server's filesystem;
it is just an agent that allows dumb clients to boot.
</para>

<para>
When <command/tftpd/ is used together with
<link linkend="rarpd">
<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>,
the tftp directories of these services should coincide, and it is expected
that each client booted via TFTP has a boot image corresponding
to its IP address, with an architecture suffix following Sun Microsystems
conventions. See
<link linkend="rarpd">
<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>
for more details.
</para>
</refsect1>

<refsect1><title>SECURITY</title>
<para>
The TFTP protocol does not provide any authentication.
Because of this fundamental flaw, <command/tftpd/ is not able to restrict
access to files and will allow only publicly readable
files to be accessed. Files may be written only if they already
exist and are publicly writable.
</para>

<para>
The impact is evident: a directory exported via TFTP <emphasis/must not/
contain sensitive information of any kind, because everyone is allowed
to read it as soon as a client is allowed. Boot images do not contain
such information as a rule; however, you should think twice before
publishing, for example, Cisco IOS config files via TFTP: they contain
<emphasis/unencrypted/ passwords and may contain some information
about the network which you were not going to make public.
</para>

<para>
The <command/tftpd/ server should be executed by <command/inetd/
with dropped root privileges, namely with a user ID giving minimal
access to the files published in the tftp directory. If it happens to be
executed as superuser, <command/tftpd/ drops its UID and GID
to 65534, which is most likely not what you expect.
However, this is not very essential; remember, only files accessible
to everyone can be read or written via TFTP.
</para>

</refsect1>


<refsect1><title>SEE ALSO</title>
<para>
<link linkend="rarpd">
<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>,
<citerefentry><refentrytitle/tftp/<manvolnum/1/</citerefentry>,
<citerefentry><refentrytitle/inetd/<manvolnum/8/</citerefentry>.
</para>
</refsect1>

<refsect1><title>HISTORY</title>
<para>
The <command/tftpd/ command appeared in 4.2BSD. The source in iputils
has been cleaned up both syntactically (ANSIized) and semantically (UDP socket IO).
</para>
<para>
It is distributed with iputils mostly as a good demo of an interesting feature
(<constant/MSG_CONFIRM/), which allows long images to be booted by dumb clients
that do not answer ARP requests until they are finally booted.
However, it is fully functional and can be used in production.
</para>
</refsect1>


<refsect1><title>AVAILABILITY</title>
<para>
<command/tftpd/ is part of the <filename/iputils/ package,
and the latest versions are available in source form at
<ulink url="http://www.skbuff.net/iputils/iputils-current.tar.bz2">
http://www.skbuff.net/iputils/iputils-current.tar.bz2</ulink>.
</para>
</refsect1>


<![IGNORE[
<refsect1><title>COPYING</title>
<para>
<literallayout>
This documentation is free software; you can redistribute
it and/or modify it under the terms of the GNU General Public
License Version 2.

This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.

For more details see the file COPYING in the source
distribution of Linux kernel of version 2.4.
</literallayout>
</para>
</refsect1>
]]>



</refentry>
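The request checks described in the DESCRIPTION and SECURITY sections, as an added example in C; this is not the iputils source, and `tftp_check`, `has_dotdot` and the `TFTP_*` codes are hypothetical names. It rejects `..` components, prepends the export directory, and honours only the world-readable or world-writable bit; serving regular files only is an assumption of the sketch.

```c
/* Added example, not the iputils source; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum { TFTP_OK = 0, TFTP_ESCAPE = -1, TFTP_NOTFOUND = -2, TFTP_DENIED = -3 };

/* True if any path component is ".." ("..", "../x", "a/../b"). */
static int has_dotdot(const char *name)
{
    while (*name) {
        size_t n = strcspn(name, "/");      /* length of this component */
        if (n == 2 && name[0] == '.' && name[1] == '.')
            return 1;
        name += n + strspn(name + n, "/");  /* skip it and its separator(s) */
    }
    return 0;
}

/* Decide a read (want_write == 0) or write request for name under dir. */
int tftp_check(const char *dir, const char *name, int want_write)
{
    char path[4096];
    struct stat st;
    int n;
    if (has_dotdot(name))
        return TFTP_ESCAPE;
    /* Prepending dir makes even an absolute request relative to it. */
    n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return TFTP_DENIED;
    /* stat() follows symlinks: a link the administrator places inside dir
     * can still lead outside it, as the DESCRIPTION section says. */
    if (stat(path, &st) != 0)
        return TFTP_NOTFOUND;               /* a write never creates a file */
    /* Assumption of this sketch: only regular files are served. */
    if (!S_ISREG(st.st_mode))
        return TFTP_DENIED;
    /* No authentication, so only the "other" permission bits matter. */
    if (!(st.st_mode & (want_write ? S_IWOTH : S_IROTH)))
        return TFTP_DENIED;
    return TFTP_OK;
}

int main(void)
{
    printf("%d\n", tftp_check(".", "../etc/passwd", 0));
    return 0;
}
```

Running the same check over the export directory before publishing it shows which files any client on the network will be able to read or overwrite.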