SuSE Linux: All versions
/etc/inetd.conf.
If you do not have it yet, copy /etc/inetd.conf.secure
to /etc/inetd.conf.
If no /etc/inetd.conf.secure is available in your system,
/etc/inetd.conf is already the secure version.
Secure means that the daemons are not started directly but through
/usr/sbin/tcpd, the wrapper daemon.
This daemon uses /etc/hosts.allow and /etc/hosts.deny
to determine which remote hosts can address which services.
Refer to the hosts_access man page (command `man 5 hosts_access')
to find out how /etc/hosts.allow and /etc/hosts.deny must be
configured for the secure version of /etc/inetd.conf.
Regarding tftp itself, the following line in /etc/inetd.conf:
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftp
must be changed to:
tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
/tftpboot is the only directory from which data can be retrieved via tftp.
Since tcpd starts /usr/sbin/in.tftpd as user nobody (which is
absolutely necessary because tftp does not require a password),
the permissions of /usr/sbin/in.tftpd must still be changed. Set them correctly with
the command:
chmod 755 /usr/sbin/in.tftpd
The following applies to the use of tftp:
The daemon /usr/sbin/in.tftpd only accepts tftp requests
containing file entries that fulfill the following criteria:
/tftpboot (or a different string specified as argument
in /etc/inetd.conf)
/../ (for security purposes)
DNS or is listed in
/etc/hosts.
/../.
For further information on in.tftp daemons, refer to the corresponding man pages.
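
The following check is an added example, not part of the original article: it audits an inetd.conf-style file for the tftp entry described above (active, run as nobody, started through /usr/sbin/tcpd, restricted to a directory). The function name check_tftp_entry and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the tftp entry of an inetd.conf-style file.
# Usage: check_tftp_entry FILE
# Returns 0 if the entry matches the secure form, 1 if it deviates,
# 2 if no active (uncommented) tftp entry exists.
check_tftp_entry() {
    awk '
        BEGIN { bad = 0; found = 0 }
        # inetd.conf fields: service type proto wait user server args...
        # Commented lines start with "#" in field 1 and are skipped here.
        $1 == "tftp" {
            found = 1
            if ($5 != "nobody")
                { print "FAIL: runs as " $5 ", expected nobody"; bad = 1 }
            if ($6 != "/usr/sbin/tcpd")
                { print "FAIL: not started through /usr/sbin/tcpd"; bad = 1 }
            if ($7 != "/usr/sbin/in.tftpd")
                { print "FAIL: tcpd argument is not /usr/sbin/in.tftpd"; bad = 1 }
            if (NF < 8 || $8 !~ /^\//)
                { print "FAIL: no absolute directory restricts retrievals"; bad = 1 }
            else
                print "INFO: retrievals restricted to " $8
        }
        END {
            if (!found) { print "INFO: no active tftp entry"; exit 2 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the commented-out line and the corrected line from the text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftp
tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
EOF
check_tftp_entry "$sample" || echo "tftp entry needs attention"
rm -f "$sample"
```

Run it against the real file with check_tftp_entry /etc/inetd.conf; it only reads the file and changes nothing.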