• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<refentry id="tftpd">
2
3<refmeta>
4<refentrytitle>tftpd</refentrytitle>
5<manvolnum>8</manvolnum>
6<refmiscinfo>iputils-&snapshot;</refmiscinfo>
7</refmeta>
8
9<refnamediv>
10<refname>tftpd</refname>
11<refpurpose>Trivial File Transfer Protocol server</refpurpose>
12</refnamediv>
13
14<refsynopsisdiv>
15<cmdsynopsis>
16<command>tftpd</command>
17<arg choice="req"><replaceable/directory/</arg>
18</cmdsynopsis>
19</refsynopsisdiv>
20
21<refsect1><title>DESCRIPTION</title>
22<para>
23<command/tftpd/ is a server which supports the DARPA
24Trivial File Transfer Protocol
25(<ulink url="http://tools.ietf.org/rfc/rfc1350.txt">RFC1350</ulink>).
26The TFTP server is started
27by <citerefentry><refentrytitle/inetd/<manvolnum/8/</citerefentry>.
28</para>
29
30<para>
31<replaceable/directory/ is required argument; if it is not given
32<command/tftpd/ aborts. This path is prepended to any file name requested
33via TFTP protocol, effectively chrooting <command/tftpd/ to this directory.
34File names are validated not to escape out of this directory, however
35administrator may configure such escape using symbolic links.
36</para>
37
38<para>
39It is in difference of variants of <command/tftpd/ usually distributed
40with unix-like systems, which take a list of directories and match
41file names to start from one of given prefixes or to some random
42default, when no arguments were given. There are two reasons not to
43behave in this way: first, it is inconvenient, clients are not expected
44to know something about layout of filesystem on server host.
45And second, TFTP protocol is not a tool for browsing of server's filesystem,
46it is just an agent allowing to boot dumb clients.
47</para>
48
49<para>
50In the case when <command/tftpd/ is used together with
51<link linkend="rarpd">
52<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>,
53tftp directories in these services should coincide and it is expected
54that each client booted via TFTP has boot image corresponding
55its IP address with an architecture suffix following Sun Microsystems
56conventions. See
57<link linkend="rarpd">
58<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>
59for more details.
60</para>
61</refsect1>
62
63<refsect1><title>SECURITY</title>
64<para>
65TFTP protocol does not provide any authentication.
66Due to this capital flaw <command/tftpd/ is not able to restrict
67access to files and will allow only publically readable
68files to be accessed. Files may be written only if they already
69exist and are publically writable.
70</para>
71
72<para>
73Impact is evident, directory exported via TFTP <emphasis/must not/
74contain sensitive information of any kind, everyone is allowed
75to read it as soon as a client is allowed. Boot images do not contain
76such information as rule, however you should think twice before
77publishing f.e. Cisco IOS config files via TFTP, they contain
78<emphasis/unencrypted/ passwords and may contain some information
79about the network, which you were not going to make public.
80</para>
81
82<para>
83The <command/tftpd/ server should be executed by <command/inetd/
84with dropped root privileges, namely with a user ID giving minimal
85access to files published in tftp directory. If it is executed
86as superuser occasionally, <command/tftpd/ drops its UID and GID
87to 65534, which is most likely not the thing which you expect.
88However, this is not very essential; remember, only files accessible
89for everyone can be read or written via TFTP.
90</para>
91
92</refsect1>
93
94
95<refsect1><title>SEE ALSO</title>
96<para>
97<link linkend="rarpd">
98<citerefentry><refentrytitle/rarpd/<manvolnum/8/</citerefentry></link>,
99<citerefentry><refentrytitle/tftp/<manvolnum/1/</citerefentry>,
100<citerefentry><refentrytitle/inetd/<manvolnum/8/</citerefentry>.
101</para>
102</refsect1>
103
104<refsect1><title>HISTORY</title>
105<para>
106The <command/tftpd/ command appeared in 4.2BSD. The source in iputils
107is cleaned up both syntactically (ANSIized) and semantically (UDP socket IO).
108</para>
109<para>
110It is distributed with iputils mostly as good demo of an interesting feature
111(<constant/MSG_CONFIRM/) allowing to boot long images by dumb clients
112not answering ARP requests until they are finally booted.
113However, this is full functional and can be used in production.
114</para>
115</refsect1>
116
117
118<refsect1><title>AVAILABILITY</title>
119<para>
120<command/tftpd/ is part of <filename/iputils/ package
121and the latest versions are  available in source form at
122<ulink url="http://www.skbuff.net/iputils/iputils-current.tar.bz2">
123http://www.skbuff.net/iputils/iputils-current.tar.bz2</ulink>.
124</para>
125</refsect1>
126
127
128<![IGNORE[
129<refsect1><title>COPYING</title>
130<para>
131<literallayout>
132This documentation is free software; you can redistribute
133it and/or modify it under the terms of the GNU General Public
134License Version 2.
135
136This program is distributed in the hope that it will be
137useful, but WITHOUT ANY WARRANTY; without even the implied
138warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
139See the GNU General Public License for more details.
140
141For more details see the file COPYING in the source
142distribution of Linux kernel of version 2.4.
143</literallayout>
144</literallayout>
145</para>
146</refsect1>
147]]>
148
149
150
151</refentry>
152